Stories
Slash Boxes
Comments

SoylentNews is people

Lennart Poettering Has Merged “su” Command Replacement into systemd

posted by martyb on Monday August 31 2015, @04:29PM   Printer-friendly
from the so-su-me dept.

CoolHand writes:

The Linux Homefront Project reports on Lennart Poettering looking to do away with the good old "su" command. From the article, "With this pull request systemd now support a su command functional and can create privileged sessions, that are fully isolated from the original session. Su is a classic UNIX command and used more than 30 years. Why su is bad? Lennart Poettering says:"

Well, there have been long discussions about this, but the problem is that what su is supposed to do is very unclear. On one hand it’s supposed to open a new session and change a number of execution context parameters (uid, gid, env, …), and on the other it’s supposed to inherit a lot concepts from the originating session (tty, cgroup, audit, …). Since this is so weakly defined it’s a really weird mix&match of old and new paramters. To keep this somewhat managable we decided to only switch the absolute minimum over, and that excludes XDG_RUNTIME_DIR, specifically because XDG_RUNTIME_DIR is actually bound to the session/audit runtime and those we do not transition. Instead we simply unset it.

Long story short: su is really a broken concept. It will given you kind of a shell, and it’s fine to use it for that, but it’s not a full login, and shouldn’t be mistaken for one.

I'm guessing that Devuan won't be getting rid of "su."

Original Submission

 
This discussion has been archived. No new comments can be posted.
Lennart Poettering Has Merged “su” Command Replacement into systemd | Log In/Create an Account | Top | 194 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Thursday September 03 2015, @03:44PM

    by Anonymous Coward on Thursday September 03 2015, @03:44PM (#231805)

    1. logind enables nothing. polkit is the active part in the whole shebang. That is the part sitting suid root and doing all the delegation of resource access.

    2. wayland at its core is a svgalib for the GPU era. It is basically there to paint pretty stuff in the GPU buffer and thats it. On its own wayland does nothing, unlike X11. With wayland the WM is the party that does all the device access etc. Thus it is Gnome, KDE and the rest that needs some way to get root grade access to /dev entries. Hence logind (because the forerunner consokekit, that didn't need a specific init sitting as pid1, was depreciated by Poettering) acting as the go between for the WM and polkit.

    3. The reason for X11 being run as root was that it needed access to a bunch of /dev entries. By default those are root exclusive. So running it as root was the quicker way.