Re: [systemd-devel] start user-service only with UID greater than 1000

2017-07-25 Thread Simon McVittie
On Wed, 26 Jul 2017 at 00:02:06 +0200, Jakob Schürz wrote:
> I have no idea why these users get a PAM session.
> Now I can see there is also a systemd --user process for
> debian-security-support:
> 
> Jul 25 23:54:49 aldebaran systemd[1]: Starting User Manager for UID 137...
> Jul 25 23:54:49 aldebaran systemd[6366]: pam_unix(systemd-user:session):
> session opened for user debian-security-support by (uid=0)

From https://sources.debian.net/src/debian-security-support/2017.06.02/debian/debian-security-support.postinst/
it looks as though that package is using su. It should probably be using

runuser -u "$USERNAME" /bin/bash -c "..."

instead, because whatever the question is, su is usually the wrong answer.

Presumably the other daemons you mentioned are also using su in a cron job
or maintainer script or something.

On my Debian system, /etc/pam.d/su pulls in /etc/pam.d/common-session,
which uses pam_systemd; but /etc/pam.d/runuser does not. So anything that
calls su will get a login session, with the side effect of a `systemd --user`,
but anything that calls runuser will not get a login session and a
`systemd --user`.

S
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
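The su-versus-runuser difference Simon describes is a PAM include-chain question, so here is an added example (not from the thread and not from any Debian package) that resolves a service's effective PAM stack the way Linux-PAM does, following Debian's `@include` lines and the `session include` control, and reports whether pam_systemd.so is reached. The su, runuser and common-session files it builds are constructed samples modelled on Debian's layout; on a real host point it at /etc/pam.d instead, or just run `grep -r pam_systemd /etc/pam.d/`. The run_as_service_user helper is the runuser form Simon suggests, with `--` added so runuser does not consume the command's own options.

```shell
#!/bin/bash
# Added example, not code from the thread or from any Debian package.
# Resolves the effective PAM stack of a service by following Debian's
# "@include FILE" lines and the "TYPE include FILE" control the way Linux-PAM
# does, then reports whether pam_systemd.so is reached. The sample files are
# constructed, modelled on Debian's su / runuser / common-session layout.

# resolve_pam_stack PAMDIR SERVICE -> prints "type module" lines, includes expanded
resolve_pam_stack() {
    local dir=$1 svc=$2 line ptype ctl mod
    [ -r "$dir/$svc" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                        # word-split the config line
        if [ "$1" = "@include" ]; then      # Debian: splice in the whole file
            resolve_pam_stack "$dir" "$2"
            continue
        fi
        ptype=$1; ctl=$2; mod=$3
        if [ "${ctl#[}" != "$ctl" ]; then   # "[default=1 success=ok]" style control
            shift
            while [ $# -gt 1 ] && [ "${1%]}" = "$1" ]; do shift; done
            shift; mod=$1
        fi
        if [ "$ctl" = include ] || [ "$ctl" = substack ]; then
            # "session include FILE" pulls in only the lines of the same type
            resolve_pam_stack "$dir" "$mod" | grep "^$ptype " || true
            continue
        fi
        printf '%s %s\n' "$ptype" "$mod"
    done < "$dir/$svc"
}

# pam_has_systemd PAMDIR SERVICE -> success if the session stack reaches pam_systemd.so
pam_has_systemd() {
    resolve_pam_stack "$1" "$2" | grep -q '^session pam_systemd\.so$'
}

# run_as_service_user USER CMD [ARGS...]: the runuser form instead of su.
# /etc/pam.d/runuser carries no pam_systemd, so no logind session and no
# systemd --user instance is spawned; "--" keeps runuser from eating CMD's options.
run_as_service_user() {
    local user=$1; shift
    runuser -u "$user" -- "$@"
}

# make_sample_pamdir -> path of a temp dir holding constructed su / runuser configs
make_sample_pamdir() {
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/common-session" <<'EOF'
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session optional      pam_umask.so
session required      pam_unix.so
session optional      pam_systemd.so
EOF
    cat > "$d/su" <<'EOF'
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
@include common-auth
@include common-account
@include common-session
EOF
    cat > "$d/runuser" <<'EOF'
auth            sufficient      pam_rootok.so
session         optional        pam_keyinit.so revoke
session         required        pam_limits.so
session         required        pam_unix.so
EOF
    printf 'auth required pam_unix.so\n'    > "$d/common-auth"
    printf 'account required pam_unix.so\n' > "$d/common-account"
    printf '%s\n' "$d"
}

main() {
    local d svc
    d=$(make_sample_pamdir) || exit 1
    for svc in su runuser; do
        if pam_has_systemd "$d" "$svc"; then
            echo "$svc: session stack reaches pam_systemd -> logind session + systemd --user"
        else
            echo "$svc: no pam_systemd -> no logind session, no systemd --user"
        fi
    done
    rm -rf "$d"
}
main
```

For the question that opened the thread, the unit side can defend itself as well: a user unit with ConditionUser=!@system in its [Unit] section is skipped whenever the user manager runs as a UID in the system range, whichever maintainer script or cron job happened to spawn that `systemd --user`.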


Re: [systemd-devel] start user-service only with UID greater than 1000

2017-07-25 Thread Jakob Schürz
Am 2017-05-09 um 20:35 schrieb Lennart Poettering:
> On Tue, 09.05.17 17:06, Jakob Schürz (wertsto...@nurfuerspam.de) wrote:
> 
>> Hi There!
>>
>> I have two services running in systemd --user, which should only be
>> started for login users.
>> If I put the service file by a deb package in /usr/lib/systemd/user, the
>> service will also be started for Debian-exim, Debian-gdm and other users
>> with a UID below 1000. And this is not "good"...
> 
> These users should not have a PAM session normally, and hence no
> logind session either, and hence no systemd --user instance
> either. There's something really strange if you actually do get PAM
> sessions for these... Any idea why you get them?

I have no idea why these users get a PAM session.
Now I can see there is also a systemd --user process for
debian-security-support:

Jul 25 23:54:49 aldebaran systemd[1]: Starting User Manager for UID 137...
Jul 25 23:54:49 aldebaran systemd[6366]: pam_unix(systemd-user:session):
session opened for user debian-security-support by (uid=0)
Jul 25 23:54:49 aldebaran systemd[6366]: Listening on Sound System.
Jul 25 23:54:49 aldebaran systemd[6366]: Listening on GnuPG network
certificate management daemon.
Jul 25 23:54:49 aldebaran systemd[6366]: Started mkbackup-userdir.path.
Jul 25 23:54:49 aldebaran systemd[6366]: Listening on GnuPG
cryptographic agent (ssh-agent emulation).
Jul 25 23:54:49 aldebaran systemd[6366]: Listening on GnuPG
cryptographic agent and passphrase cache (restricted).
Jul 25 23:54:49 aldebaran systemd[6366]: Listening on GnuPG
cryptographic agent (access for web browsers).
[...]

I don't know why this session is started for the user with UID 137.

I get this session every time on "dpkg-reconfigure debian-security-support"

Jakob



Re: [systemd-devel] sd-bus example code for SetLinkDNS()

2017-07-25 Thread Tilman Baumann
Little follow-up question. What would you say is best practice for a vpn
client?

- Add commandline option --update-systemd-resolved or so
- Autodetect existence of the interface and just do it? (How?)
- Always try to do the update but silently ignore if it fails and fall
back to updating resolv.conf instead?

I was going with the command-line option. But I'm beginning to hate it.
"Do the right thing if you know what's right" rings better with me.

I will have to introduce an option for domain filter (and search domain)
anyway, that stuff will never work out of the box.
The VPN protocol is one of those nasty ppp over ssl jobs. And the only
fields passed down to the client are the nameservers.

Cheers
 Tilman

On 21.07.2017 14:35, Lennart Poettering wrote:
> On Wed, 19.07.17 11:20, Tilman Baumann (til...@baumann.name) wrote:
> 
>> Hi folks,
>>
>> I'm trying to teach a vpn software (openfortivpn) how to properly set up
>> DNS in a systemd-resolve environment.
>>
>> I'm trying to set up an equivalent to this in C:
>> busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager SetLinkDNS 'ia(iay)' 16 2 2 4 10 10 10 10 2 4 10 10 10 11
>> [https://gist.github.com/tbaumann/d484efb2e27613654a52dbe11cfe53b8]
>>
>> I came up with this quick proof of concept code based on the example
>> code in the sd-bus docu.
>> Of course it segfaults. No surprise, I have done nothing to hint at the
>> length of the inner byte array. (ay)
>>
>> I was unable to find any example code that would give me a hint on how
>> to pass such more complex data structures into sd_bus_call_method()
>>
>> int SetLinkDNSv4(sd_bus *bus, int if_index, struct in_addr ns1, struct in_addr ns2) {
>>   sd_bus_error error = SD_BUS_ERROR_NULL;
>>   sd_bus_message *m = NULL;
>>   int r;
>>   struct dns_address {
>>     int sin_family;
>>     struct in_addr ip_addr;
>>   };
>>   struct dns_address addresses[2];
>>
>>   addresses[0].sin_family = AF_INET;
>>   addresses[0].ip_addr = ns1;
>>   addresses[1].sin_family = AF_INET;
>>   addresses[1].ip_addr = ns2;
>>
>>   /* sd_bus_call_method() reads one vararg per element of the signature
>>      (array length, then each element's fields); a pointer to a C struct
>>      array does not match "a(iay)", which is why this crashes. */
>>   r = sd_bus_call_method(bus,
>>                          "org.freedesktop.resolve1",          /* service to contact */
>>                          "/org/freedesktop/resolve1",         /* object path */
>>                          "org.freedesktop.resolve1.Manager",  /* interface name */
>>                          "SetLinkDNS",                        /* method name */
>>                          &error,                              /* object to return error in */
>>                          &m,                                  /* return message on success */
>>                          "ia(iay)",                           /* input signature */
>>                          if_index,
>>                          2,                                   /* array size */
>>                          addresses);
>>   return r;
>> }
>>
>> [Full code:
>> https://gist.github.com/tbaumann/0f466c984c858767c966458d53483697]
>>
>> My guess is that I can have it easier if I somehow use
>> sd_bus_message_append() to assemble the message. But I don't see a clear
>> path either.
> 
> You have to do something like this:
> 
> sd_bus_message_new_method_call(bus, &m,
>                                "org.freedesktop.resolve1",
>                                "/org/freedesktop/resolve1",
>                                "org.freedesktop.resolve1.Manager",
>                                "SetLinkDNS");
> sd_bus_message_append(m, "i", ifindex);
> sd_bus_message_open_container(m, 'a', "(iay)");
> for (i = 0; i < n_addresses; i++) {
>         sd_bus_message_open_container(m, 'r', "iay");   /* 'r' == SD_BUS_TYPE_STRUCT */
>         sd_bus_message_append(m, "i", addresses[i].sin_family);
>         sd_bus_message_append_array(m, 'y', &addresses[i].ip_addr,
>                                     sizeof(addresses[i].ip_addr));
>         sd_bus_message_close_container(m);
> }
> sd_bus_message_close_container(m);
> sd_bus_call(bus, m, 0, &error, &reply);   /* method call: blocks for the reply */
> sd_bus_message_unref(m);
> 
> (not tested, just written down from the top of my head, and of course,
> don't forget to add proper error checking)
> 
> Lennart
> 
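To make the wire layout concrete, here is an added example in shell (not from the thread and not from openfortivpn). It turns textual nameservers into the "family, byte count, bytes" structs that SetLinkDNS's a(iay) argument is made of, which is exactly what the busctl line quoted above spells out by hand and what the sd-bus container loop has to serialise; it wraps the busctl call for a named interface; and it gives one answer to the autodetection question from the mail by asking the system bus whether org.freedesktop.resolve1 is currently owned. The address-family numbers are Linux's AF_INET=2 and AF_INET6=10, the same ones in the quoted busctl call. The ifindex lookup through /sys/class/net/IFNAME/ifindex, the use of busctl list --acquired as the presence check, and the sample addresses are my assumptions and constructions.

```shell
#!/bin/bash
# Added example, not code from the thread or from openfortivpn. Builds the
# SetLinkDNS(ia(iay)) argument list for busctl from textual nameservers, i.e.
# the "family, byte count, bytes" structs that the sd-bus container loop in
# the thread serialises, and shows one way to autodetect systemd-resolved.
# Assumptions: AF_INET=2 / AF_INET6=10 (Linux values, as in the quoted busctl
# call), ifindex read from /sys/class/net/IFNAME/ifindex, and "bus name owned"
# as the resolved presence test.

# ipv6_hextets ADDR -> the 8 hextets, space separated; fails on malformed input
ipv6_hextets() {
    local ip=$1 left right h zeros
    local -a L=() R=() out=()
    case "$ip" in
        *.*|*::*::*) return 1 ;;             # embedded IPv4 and double "::" rejected
    esac
    if [[ $ip == *::* ]]; then
        left=${ip%%::*}; right=${ip#*::}
    else
        left=$ip; right=""
    fi
    [[ -n $left ]]  && IFS=: read -r -a L <<< "$left"
    [[ -n $right ]] && IFS=: read -r -a R <<< "$right"
    if [[ $ip == *::* ]]; then
        zeros=$(( 8 - ${#L[@]} - ${#R[@]} )) # "::" stands for the missing groups
        (( zeros >= 1 )) || return 1
    else
        zeros=0
        (( ${#L[@]} == 8 )) || return 1
    fi
    for h in "${L[@]}" "${R[@]}"; do
        [[ $h =~ ^[0-9A-Fa-f]{1,4}$ ]] || return 1
    done
    out=("${L[@]}")
    while (( zeros-- > 0 )); do out+=(0); done
    out+=("${R[@]}")
    echo "${out[*]}"
}

# ip_to_dbus_struct ADDR -> "FAMILY LEN BYTE..." as busctl wants for one (iay)
ip_to_dbus_struct() {
    local ip=$1 o h v hex out
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
    if [[ $ip =~ $re ]]; then
        out="2 4"                                    # AF_INET, 4 bytes
        for o in "${BASH_REMATCH[@]:1}"; do
            (( 10#$o <= 255 )) || return 1
            out="$out $(( 10#$o ))"
        done
    elif [[ $ip == *:* ]]; then
        hex=$(ipv6_hextets "$ip") || return 1
        out="10 16"                                  # AF_INET6, 16 bytes
        for h in $hex; do
            v=$(( 16#$h ))
            out="$out $(( v >> 8 )) $(( v & 255 ))"  # network byte order
        done
    else
        return 1
    fi
    echo "$out"
}

# setlinkdns_args IFINDEX NS... -> the full 'ia(iay)' argument list for busctl
setlinkdns_args() {
    local ifindex=$1 s ns args=""
    shift
    local count=$#
    for ns in "$@"; do
        s=$(ip_to_dbus_struct "$ns") || return 1
        args="$args $s"
    done
    echo "$ifindex $count$args"
}

# ifname_to_index IFNAME -> kernel ifindex of e.g. the VPN's ppp interface
ifname_to_index() {
    cat "/sys/class/net/$1/ifindex" 2>/dev/null
}

# resolved_available: is org.freedesktop.resolve1 currently owned on the system bus?
# One answer to the "autodetect" option; when it fails, fall back to resolv.conf.
resolved_available() {
    busctl --system list --acquired 2>/dev/null | grep -q '^org\.freedesktop\.resolve1 '
}

# set_link_dns IFNAME NS... -> issues the same call as the busctl line in the mail
set_link_dns() {
    local ifname=$1 idx args
    shift
    idx=$(ifname_to_index "$ifname") || return 1
    args=$(setlinkdns_args "$idx" "$@") || return 1
    # $args is split on purpose: busctl takes every number as its own argument
    busctl --system call org.freedesktop.resolve1 /org/freedesktop/resolve1 \
        org.freedesktop.resolve1.Manager SetLinkDNS 'ia(iay)' $args
}

main() {
    # constructed sample: the values from the busctl command quoted in the thread
    setlinkdns_args 16 10.10.10.10 10.10.10.11
    setlinkdns_args 16 2001:db8::53 fe80::1
    if resolved_available; then echo "resolved: present"; else echo "resolved: absent"; fi
}
main
```

On the three options in the mail: set_link_dns needs privileges (root or a polkit rule for org.freedesktop.resolve1), so a VPN client that autodetects should treat a failed call the same way as resolved being absent and fall back, and the domain/search-domain setting the mail mentions is a separate call (SetLinkDomains) that this example does not cover.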