Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-11 Thread Michael Catanzaro
On Thu, 2016-06-02 at 11:01 -0400, Ray Strode wrote: > Hi, > > On Wed, Jun 1, 2016 at 10:58 AM, Matthias Clasen > wrote: > > Leaking session processes have been a perennial problem that > > we have been battling forever (gconf, ibus, pulseaudio, the list > goes > > on...).

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-07 Thread Benjamin Kreuter
On Mon, 2016-06-06 at 16:34 +, Jóhann B. Guðmundsson wrote: > > On 06/06/2016 03:56 PM, Benjamin Kreuter wrote: > > > >   It took me three days to find the problem the last time systemd > > caused > > unexpected behavior on my system. > What was this hard to find unexpected behaviour you

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-06 Thread Chris Murphy
On Mon, Jun 6, 2016 at 9:56 AM, Benjamin Kreuter wrote: > On Sat, 2016-06-04 at 19:36 +0200, Roberto Ragusa wrote: >> On 06/02/2016 01:04 PM, Lennart Poettering wrote: >> >> > >> > Well. Let's say you are responsible for the Linux desktops of a >> > large >> >

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-06 Thread Jóhann B . Guðmundsson
On 06/06/2016 03:56 PM, Benjamin Kreuter wrote: It took me three days to find the problem the last time systemd caused unexpected behavior on my system. What was this hard to find unexpected behaviour you encountered? JBG

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-06 Thread Benjamin Kreuter
On Wed, 2016-06-01 at 12:28 +0100, Tom Hughes wrote: > On 01/06/16 12:19, Howard Chu wrote: > > > > > This is still looking at the problem back-asswards. The problem > > isn't > > that screen and tmux are special cases. The problem is that some > > handful > > of programs that got spawned in a

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-06 Thread Benjamin Kreuter
On Mon, 2016-05-30 at 12:05 +0200, Lennart Poettering wrote: > The changed default here is really about defining the lifecycle of > unprivileged code by privileged code, and thus about security. Security against what?  Who is the attacker?  What is the threat model? Bandying about the word

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-06 Thread Benjamin Kreuter
On Sat, 2016-06-04 at 19:36 +0200, Roberto Ragusa wrote: > On 06/02/2016 01:04 PM, Lennart Poettering wrote: > > > > > Well. Let's say you are responsible for the Linux desktops of a > > large > > security-sensitive company (let's say bank, whatever), and the > > desktops > > are installed as

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-05 Thread Nico Kadel-Garcia
On Sun, Jun 5, 2016 at 2:20 PM, Paul Wouters wrote: > On Fri, 3 Jun 2016, Lennart Poettering wrote: > >>> You are redefining the meaning of (a graphical) logout. It simply >>> means another user can use the mouse, keyboard and screen of this >>> device. It makes no statement on

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-05 Thread Paul Wouters
On Fri, 3 Jun 2016, Lennart Poettering wrote: You are redefining the meaning of (a graphical) logout. It simply means another user can use the mouse, keyboard and screen of this device. It makes no statement on whether the machines resources are shared or not. Actually, with logind, current

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-04 Thread Nico Kadel-Garcia
On Wed, Jun 1, 2016 at 9:48 AM, Lennart Poettering wrote: > On Wed, 01.06.16 12:19, Howard Chu (h...@symas.com) wrote: > >> This is still looking at the problem back-asswards. The problem isn't that >> screen and tmux are special cases. The problem is that some handful of >>

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-04 Thread Nico Kadel-Garcia
On Wed, Jun 1, 2016 at 7:43 AM, Howard Chu wrote: > Tom Hughes wrote: >> >> On 01/06/16 12:19, Howard Chu wrote: >> >>> This is still looking at the problem back-asswards. The problem isn't >>> that screen and tmux are special cases. The problem is that some handful >>> of

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-04 Thread Nico Kadel-Garcia
On Sat, Jun 4, 2016 at 7:53 AM, Sam Varshavchik wrote: > Chris Murphy writes: > >> On Fri, Jun 3, 2016 at 9:37 PM, Chris Murphy >> wrote: >> >> > 4. >> > [chris@f24m ~]$ sudo btrfs scrub status / >> > [sudo] password for chris: >> > scrub status

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-04 Thread Roberto Ragusa
On 06/02/2016 01:04 PM, Lennart Poettering wrote: > Well. Let's say you are responsible for the Linux desktops of a large > security-sensitive company (let's say bank, whatever), and the desktops > are installed as fixed workstations, which different employees using > them at different times. They

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-04 Thread Chris Murphy
On Sat, Jun 4, 2016 at 5:53 AM, Sam Varshavchik wrote: > Chris Murphy writes: > >> On Fri, Jun 3, 2016 at 9:37 PM, Chris Murphy >> wrote: >> >> > 4. >> > [chris@f24m ~]$ sudo btrfs scrub status / >> > [sudo] password for chris: >> > scrub status

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-04 Thread Sam Varshavchik
Chris Murphy writes: On Fri, Jun 3, 2016 at 9:37 PM, Chris Murphy wrote: > 4. > [chris@f24m ~]$ sudo btrfs scrub status / > [sudo] password for chris: > scrub status for dbf2e938-1f28-4e93-aa6c-1e193004931b > scrub started at Fri Jun 3 20:38:15 2016, interrupted

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Chris Murphy
On Fri, Jun 3, 2016 at 9:37 PM, Chris Murphy wrote: > 4. > [chris@f24m ~]$ sudo btrfs scrub status / > [sudo] password for chris: > scrub status for dbf2e938-1f28-4e93-aa6c-1e193004931b > scrub started at Fri Jun 3 20:38:15 2016, interrupted after > 00:00:05, not

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Chris Murphy
On Fri, Jun 3, 2016 at 11:24 AM, Chris Murphy wrote: > Is it/should it be true that any 'sudo' process is privileged and > automatically is put into a session that would not be killed by the > user logging out? So if the user starts some background process with > sudo,

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Nico Kadel-Garcia
On Thu, Jun 2, 2016 at 7:04 AM, Lennart Poettering wrote: > In all of these cases you really want to make sure that whatever the > user did ends – really ends – by the time he logs out. So that the > employee can't do stuff there except when logged in, and that he can't >

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Sam Varshavchik
Björn Persson writes: If that's the case, then can we please stop talking about security and instead debate the usability aspects of this change? Agreed. But if someone still wishes to argue that this is some kind of a security feature, I'll be delighted to continue this discussion.

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Sam Varshavchik
Lennart Poettering writes: On Thu, 02.06.16 18:00, Sam Varshavchik (mr...@courier-mta.com) wrote: > If an unprivileged program, like tmux, or screen, or nohup, can do whatever > dbus/ibus thingy it needs to do in order to elevate itself to a new > "session", and make arrangements to prevent

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Matthew Miller
On Fri, Jun 03, 2016 at 01:44:46AM +, Zbigniew Jędrzejewski-Szmek wrote: > Set DefaultTimeoutStartSec= in /etc/systemd/systemd.conf. (Note typo: /etc/systemd/system.conf, with no d in the filename.) FWIW, the default is 90s -- Matthew Miller Fedora Project Leader

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Chris Murphy
Is it/should it be true that any 'sudo' process is privileged and automatically is put into a session that would not be killed by the user logging out? So if the user starts some background process with sudo, they can log out of their DE session and that process continues to run? Chris Murphy

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Solomon Peachy
On Fri, Jun 03, 2016 at 11:30:06AM -0400, Przemek Klosowski wrote: > I use my computer for lots of automation like collecting weather and > Pepco powerline data, getting the book of the day, ebay sniping, etc. > They all run as either persistent processes or user cron jobs. I am > normally

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Przemek Klosowski
On 06/03/2016 01:33 AM, Andrew Lutomirski wrote: ISTM there are two things that might be reasonably configured: 1. Is a given user permitted to create processes that persist beyond logout? 2. If a user may create processes that persist beyond logout, *which* processes persist beyond logout?

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Jun 03, 2016 at 03:30:33PM +0200, Björn Persson wrote: > Lennart Poettering wrote: > > On Thu, 02.06.16 18:00, Sam Varshavchik (mr...@courier-mta.com) wrote: > > > The rogue spambot in question can simply talk to systemd itself, and > > > arrange for it not to be

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Björn Persson
Lennart Poettering wrote: > On Thu, 02.06.16 18:00, Sam Varshavchik (mr...@courier-mta.com) wrote: > > The rogue spambot in question can simply talk to systemd itself, and > > arrange for it not to be killed when the user logs out. > > Yes, the default policy we ship is

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Jun 03, 2016 at 11:28:42AM +0300, Oron Peled wrote: > On Thursday 02 June 2016 14:38:38 Matthias Clasen wrote: > > I think the discussion is starting to go in circles. It is pretty clear > > that we have different opinions about the desired behavior of logout. > > I'll take this as an

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Lennart Poettering
On Thu, 02.06.16 18:00, Sam Varshavchik (mr...@courier-mta.com) wrote: > If an unprivileged program, like tmux, or screen, or nohup, can do whatever > dbus/ibus thingy it needs to do in order to elevate itself to a new > "session", and make arrangements to prevent itself from getting nuked from >

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Lennart Poettering
On Thu, 02.06.16 14:19, Paul Wouters (p...@nohats.ca) wrote: > > > On Jun 1, 2016, at 09:48, Lennart Poettering wrote: > > > > Any scheme that relies on unprivileged programs "being nice" doesn't > > fix the inherent security problem: after logout a user should not be > > able to consume further

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-03 Thread Oron Peled
On Thursday 02 June 2016 14:38:38 Matthias Clasen wrote: > I think the discussion is starting to go in circles. It is pretty clear > that we have different opinions about the desired behavior of logout. I'll take this as an opportunity to raise a separate issue. The current implementation has

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Andrew Lutomirski
On Thu, Jun 2, 2016 at 7:09 PM, Zbigniew Jędrzejewski-Szmek wrote: > On Tue, May 31, 2016 at 04:07:28PM -0400, Eric Griffith wrote: >> On May 31, 2016 15:44, "Adam Williamson" wrote: >> > >> > On Tue, 2016-05-31 at 15:26 -0400, Eric Griffith wrote:

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Orion Poplawski
On 06/02/2016 01:39 AM, Gerd Hoffmann wrote: Hi, As mentioned, this isn't just about screen, tmux, and nohup (or if there's any other programs used in a similar context). *Any* command run with a trailing & is commonly expected to survive logout, usually from remote shells. No. They get

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Zbigniew Jędrzejewski-Szmek
On Tue, May 31, 2016 at 04:07:28PM -0400, Eric Griffith wrote: > On May 31, 2016 15:44, "Adam Williamson" wrote: > > > > On Tue, 2016-05-31 at 15:26 -0400, Eric Griffith wrote: > > > What if the Anaconda team changed it so the "Make this user an > > > administrator"

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Zbigniew Jędrzejewski-Szmek
On Tue, May 31, 2016 at 03:04:52PM -0600, Orion Poplawski wrote: > On 05/29/2016 05:14 PM, Chris Murphy wrote: > > On Fri, May 27, 2016 at 5:03 PM, Paul Wouters wrote: > > > >> If there is a systematic > >> problem of badly written code leaving orphaned code running when > >> a

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Adam Williamson
On Thu, 2016-06-02 at 18:01 -0400, Sam Varshavchik wrote: > Gerd Hoffmann writes: > > > On Thu, 2016-06-02 at 10:07 -0400, Matthias Clasen wrote: > > > > > > You are misinformed. This is not about 'obviously broken' windowing > > > apps. Applications that have X or wayland connections get killed

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Sam Varshavchik
Gerd Hoffmann writes: On Thu, 2016-06-02 at 10:07 -0400, Matthias Clasen wrote: > > You are misinformed. This is not about 'obviously broken' windowing > apps. Applications that have X or wayland connections get killed > reliably when the session ends, because that connection is going away. No.

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Sam Varshavchik
Lennart Poettering writes: Well. Let's say you are responsible for the Linux desktops of a large security-sensitive company (let's say bank, whatever), and the desktops are installed as fixed workstations, which different employees using them at different times. They log in, they do some

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Stephen John Smoogen
Thanks.. I forgot an important part. 5. People comment about the broken cycle and then various people nitpick that comment in some fashion that doesn't improve anything but 'proves' that they are 'correcter' than the commenter. Overall everyone involved feels worse off. On 2 June 2016 at 16:31,

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Howard Chu
Stephen John Smoogen wrote: 1. There is a problem for a certain group that systemd people care about (usually desktop but not always). 2. Systemd puts in a fix for that problem. In this timeline, your step (2) is crucially missing a piece. Systemd has put in a *change* but it has been shown

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Przemek Klosowski
On 06/02/2016 02:19 PM, Paul Wouters wrote: On Jun 1, 2016, at 09:48, Lennart Poettering wrote: Any scheme that relies on unprivileged programs "being nice" doesn't fix the inherent security problem: after logout a user should not be able to consume further runtime resources on the system,

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Stephen John Smoogen
On 2 June 2016 at 15:17, Justin Brown wrote: > On Thu, Jun 2, 2016 at 1:26 PM, Ivan Chavero wrote: >> Well, if i'm writing a malware i'll make sure it uses systemd-run so it > keeps on running. > > The point of the feature is not to prevent users

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Ivan Chavero
- Original Message - > From: "Justin Brown" <justin.br...@fandingo.org> > To: "Development discussions related to Fedora" > <devel@lists.fedoraproject.org> > Sent: Thursday, June 2, 2016 1:17:22 PM > Subject: Re: systemd 230 change - KillU

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Justin Brown
On Thu, Jun 2, 2016 at 1:26 PM, Ivan Chavero wrote: > Well, if i'm writing a malware i'll make sure it uses systemd-run so it keeps on running. The point of the feature is not to prevent users from running anything in the background. It's that *anything* the user runs has

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Matthias Clasen
On Thu, 2016-06-02 at 14:19 -0400, Paul Wouters wrote: > > > > On Jun 1, 2016, at 09:48, Lennart Poettering wrote: > > > > Any scheme that relies on unprivileged programs "being nice" > > doesn't > > fix the inherent security problem: after logout a user should not > > be > > able to consume

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Ivan Chavero
> On Thursday, June 02, 2016 13:04:44 Lennart Poettering wrote: > > On Wed, 01.06.16 07:20, Adam Williamson (adamw...@fedoraproject.org) wrote: > > > On Wed, 2016-06-01 at 15:48 +0200, Lennart Poettering wrote: > > > > Any scheme that relies on unprivileged programs "being nice" doesn't > > > >

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Paul Wouters
> On Jun 1, 2016, at 09:48, Lennart Poettering wrote: > > Any scheme that relies on unprivileged programs "being nice" doesn't > fix the inherent security problem: after logout a user should not be > able to consume further runtime resources on the system, regardless if he > does that because of a

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Przemek Klosowski
On 06/02/2016 12:37 PM, Tom Rivers wrote: The potential problem I see with changing the default behavior of systemd is that it is non-intuitive and could be potentially harmful if the user is not aware of it. Consider the following example. I routinely use screen when I connect to the

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Richard W.M. Jones
On Wed, Jun 01, 2016 at 10:25:32AM +0100, Tom Hughes wrote: > On 01/06/16 10:20, Bastien Nocera wrote: > > >>On Sun, May 29, 2016 at 06:51:20PM -0600, Chris Murphy wrote: > >>>So there's tmux, screen, curl, wget, and probably quite a few others > >>>that don't necessarily get daemonized that are

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Allan Gardner
On Thu, Jun 2, 2016 at 7:14 AM, Björn Persson wrote: > Lennart Poettering wrote: > >> And even more: after you disabled his >> user account and logged him out, he really should be gone. > > After you disabled his user account, he really should be gone.

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Tom Rivers
On 6/2/2016 7:04 AM, Lennart Poettering wrote: In all of these cases you really want to make sure that whatever the user did ends – really ends – by the time he logs out. I apologize if this has already been brought up, but I didn't see this particular point raised in the replies I've read

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Ray Strode
Hi, > I don't think we need to change Fedora 24 for this. Unless I misunderstood, > this > systemd change has not been pushed to Fedora 24 (nor proposed for it). We're > prepping for how to deal with things in Fedora 25. No, I was the one misunderstanding things. I thought the systemd change

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Matthew Miller
On Thu, Jun 02, 2016 at 01:04:44PM +0200, Lennart Poettering wrote: > Well. Let's say you are responsible for the Linux desktops of a large > security-sensitive company (let's say bank, whatever), and the desktops > are installed as fixed workstations, which different employees using > them at

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Chris Murphy
On Thu, Jun 2, 2016 at 9:01 AM, Ray Strode wrote: > > Of course, starting in Fedora 24, we no longer have a session bus. > It's a user bus now. So the bus won't go away until the last user > session (for a user) ends, and those background services won't go away > until they

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Stephen Gallagher
On 06/02/2016 11:36 AM, Jóhann B. Guðmundsson wrote: > On 06/02/2016 03:13 PM, Stephen Gallagher wrote: > >> I don't think we need to change Fedora 24 for this. Unless I misunderstood, >> this >> systemd change has not been pushed to Fedora 24 (nor proposed for it). We're >> prepping for how to

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Jóhann B . Guðmundsson
On 06/02/2016 03:13 PM, Stephen Gallagher wrote: I don't think we need to change Fedora 24 for this. Unless I misunderstood, this systemd change has not been pushed to Fedora 24 (nor proposed for it). We're prepping for how to deal with things in Fedora 25. You should not so easily dismiss

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Stephen Gallagher
On 06/02/2016 11:01 AM, Ray Strode wrote: > Hi, > > On Wed, Jun 1, 2016 at 10:58 AM, Matthias Clasen wrote: >> Leaking session processes have been a perennial problem that >> we have been battling forever (gconf, ibus, pulseaudio, the list goes >> on...). And they are causing

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Stephen John Smoogen
On 2 June 2016 at 11:01, Ray Strode wrote: > Hi, > > > We may want to consider reverting the user bus change for F24 and > revisit in F25, not sure. I believe we are less than a week from releasing F24... if there is a need to do this how far back does testing need to

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Ray Strode
Hi, On Wed, Jun 1, 2016 at 10:58 AM, Matthias Clasen wrote: > Leaking session processes have been a perennial problem that > we have been battling forever (gconf, ibus, pulseaudio, the list goes > on...). And they are causing actual problems, from preventing re-login > to

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Gerd Hoffmann
Hi, > In all of these cases you really want to make sure that whatever the > user did ends – really ends – by the time he logs out. Sure, there are valid use cases for that. The admin will probably also turn off lingering then, right? So, what is problem with simply allowing screen + tmux

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Adam Williamson
On Thu, 2016-06-02 at 13:04 +0200, Lennart Poettering wrote: > On Wed, 01.06.16 07:20, Adam Williamson (adamw...@fedoraproject.org) wrote: > > > On Wed, 2016-06-01 at 15:48 +0200, Lennart Poettering wrote: > > > > > > Any scheme that relies on unprivileged programs "being nice" doesn't > > > fix

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Gerd Hoffmann
On Thu, 2016-06-02 at 10:07 -0400, Matthias Clasen wrote: > On Thu, 2016-06-02 at 10:02 -0400, Paul Wouters wrote: > > > > People aren't agreeing with you. So making it a default seems like a > > bad > > idea. People do seem to agree on "obviously broken windowing apps" > > that > > are left

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Matthias Clasen
On Thu, 2016-06-02 at 10:02 -0400, Paul Wouters wrote: > > People aren't agreeing with you. So making it a default seems like a > bad > idea. People do seem to agree on "obviously broken windowing apps" > that > are left lingering. Why can't we just let those get killed? > You are misinformed.

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Paul Wouters
On Thu, 2 Jun 2016, Lennart Poettering wrote: Well. Let's say you are responsible for the Linux desktops of a large security-sensitive company (let's say bank, whatever), and the desktops are installed as fixed workstations, which different employees using them at different times. They log in,

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Björn Persson
Lennart Poettering wrote: > On Wed, 01.06.16 07:20, Adam Williamson (adamw...@fedoraproject.org) wrote: > > > On Wed, 2016-06-01 at 15:48 +0200, Lennart Poettering wrote: > > > > > > Any scheme that relies on unprivileged programs "being nice" doesn't > > > fix the

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Kamil Dudka
On Thursday, June 02, 2016 13:04:44 Lennart Poettering wrote: > On Wed, 01.06.16 07:20, Adam Williamson (adamw...@fedoraproject.org) wrote: > > On Wed, 2016-06-01 at 15:48 +0200, Lennart Poettering wrote: > > > Any scheme that relies on unprivileged programs "being nice" doesn't > > > fix the

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Lennart Poettering
On Wed, 01.06.16 07:20, Adam Williamson (adamw...@fedoraproject.org) wrote: > On Wed, 2016-06-01 at 15:48 +0200, Lennart Poettering wrote: > > > > Any scheme that relies on unprivileged programs "being nice" doesn't > > fix the inherent security problem: after logout a user should not be > >

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Lennart Poettering
On Wed, 01.06.16 16:28, Tomasz Torcz (to...@pipebreaker.pl) wrote: > Five years ago, so basically from day one. We have this optional > security feature – fantastic! > Also, the concept of a "session" isn't anything new, it's core UNIX > concept (setsid() anyone?) setsid() is really mostly

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Gerd Hoffmann
Hi, > As mentioned, this isn't just about screen, tmux, and nohup (or if > there's any other programs used in a similar context). *Any* command > run with a trailing & is commonly expected to survive logout, usually > from remote shells. No. They get SIGHUP when you logout, and the default

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-02 Thread Miroslav Lichvar
On Wed, Jun 01, 2016 at 04:09:19PM +0100, Howard Chu wrote: > Matthias Clasen wrote: > > I am very much in favor of systemd enforcing that the session actually > > ends when I log out, so that I don't accidentally leave processes > > running. Leaking session processes have been a perennial problem

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Vít Ondruch
On 1.6.2016 at 18:18 Ben Rosser wrote: > > > On Wed, Jun 1, 2016 at 10:58 AM, Matthias Clasen > wrote: > > On Wed, 2016-06-01 at 09:59 -0400, Matthew Miller wrote: > > > > > This paints a very specific premise of what a "logout"

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Matthew Miller
On Wed, Jun 01, 2016 at 03:22:45PM -0500, Justin Brown wrote: > On the topic of consistency, it makes the most sense to do same as > /usr/bin/yum currently does for nohup (tmux/screen/etc can become actual > Good call. Yum and dnf take logout inhibitors on the desktop, which helps in some cases,

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread John Dulaney
> Date: Wed, 1 Jun 2016 15:48:04 +0200 > From: Lennart Poettering <mzerq...@0pointer.de> > Subject: Re: systemd 230 change - KillUserProcesses defaults to yes > To: Development discussions related to Fedora > <devel@lists.fedoraproject.org> > Message-ID:

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Chris Murphy
OK so back to a specific example on Fedora 24 with a restart/shutdown delay. User gdm owns session-c1.scope, and for some reason I can't figure out, it won't quit on its own. So it enters a failed state 1m30s after I ask for a restart/shutdown. [1] I edited /etc/systemd/logind.conf uncommented

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Przemek Klosowski
On 06/01/2016 09:48 AM, Lennart Poettering wrote: On Wed, 01.06.16 12:19, Howard Chu (h...@symas.com) wrote: This is still looking at the problem back-asswards. The problem isn't that screen and tmux are special cases. The problem is that some handful of programs that got spawned in a GUI

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Justin Brown
I couldn't agree more. Despite Lennart's repeatedly mentioning that this is substantially -- if not primarily -- a security feature, a lot of people are disregarding it. I think it's pretty dangerous and counter-productive in the long-term to have different security settings across the Fedora

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Matthew Miller
On Wed, Jun 01, 2016 at 02:34:01PM -0400, Robert Marcano wrote: > >I would really like to see a solution whereby tmux and screen _just > >work_ without any required changes to user behavior. They're basically > >commands which _indicate_ "I want a new session that persists". > What about a default

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Matthew Miller
On Wed, Jun 01, 2016 at 02:08:13PM -0400, Solomon Peachy wrote: > > Fedora as a distro needs to determine which of these assumptions are > > valid *for Fedora* and set the defaults accordingly, as well as > > determining if/how to give users the freedom to set them differently. > I don't think

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Robert Marcano
On 06/01/2016 04:43 AM, Matthew Miller wrote: On Sun, May 29, 2016 at 06:51:20PM -0600, Chris Murphy wrote: So there's tmux, screen, curl, wget, and probably quite a few others that don't necessarily get daemonized that are probably affected. I would really like to see a solution whereby tmux

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Dan Book
On Wed, Jun 1, 2016 at 2:19 PM, Przemek Klosowski < przemek.klosow...@nist.gov> wrote: > On 05/27/2016 12:45 PM, Christopher wrote: > > > It seems to me that what's happening is that systemd is now enforcing this > "login session" perspective... metaphorically speaking, gluing the > transparent

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Stephen Gallagher
On 06/01/2016 02:19 PM, Przemek Klosowski wrote: > On 05/27/2016 12:45 PM, Christopher wrote: >> >> It seems to me that what's happening is that systemd is now enforcing this >> "login session" perspective... metaphorically speaking, gluing the >> transparent >> overlay onto the map (but don't

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Przemek Klosowski
On 05/27/2016 12:45 PM, Christopher wrote: It seems to me that what's happening is that systemd is now enforcing this "login session" perspective... metaphorically speaking, gluing the transparent overlay onto the map (but don't worry! they also provide a special adhesive remover!). This

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Solomon Peachy
On Wed, Jun 01, 2016 at 01:21:06PM -0400, DJ Delorie wrote: > Fedora as a distro needs to determine which of these assumptions are > valid *for Fedora* and set the defaults accordingly, as well as > determining if/how to give users the freedom to set them differently. I don't think it's possible

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Chris Murphy
On Wed, Jun 1, 2016 at 3:20 AM, Bastien Nocera wrote: > > > - Original Message - >> On Sun, May 29, 2016 at 06:51:20PM -0600, Chris Murphy wrote: >> > So there's tmux, screen, curl, wget, and probably quite a few others >> > that don't necessarily get daemonized that

RE: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread John Florian
> -Original Message- > From: Vít Ondruch [mailto:vondr...@redhat.com] > Sent: Wednesday, June 01, 2016 06:03 > To: devel@lists.fedoraproject.org > Subject: Re: systemd 230 change - KillUserProcesses defaults to yes > > > How many users logs out if they leave thei

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread DJ Delorie
Lennart Poettering writes: > Again, this isn't just work-arounds around broken programs. It's a > security thing. It's privileged code (logind, PID 1) that enforces a > clear life-cycle on unprivileged programs. You're making three invalid assumptions here: 1. You're

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Solomon Peachy
On Wed, Jun 01, 2016 at 05:11:13PM +0100, Howard Chu wrote: > > '&' in and of itself was *never* any sort of guarantee, regardless of > > foolish expectations to the contrary. > > Wrong, for all csh users. > > You folks are all talking from quite narrow perspectives. You inadvertently proved my

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Ben Rosser
On Wed, Jun 1, 2016 at 10:58 AM, Matthias Clasen wrote: > On Wed, 2016-06-01 at 09:59 -0400, Matthew Miller wrote: > > > > > This paints a very specific premise of what a "logout" is, and I'm > > not > > sure I agree with it. There are actually many cases where I want to > >

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Howard Chu
Solomon Peachy wrote: On Wed, Jun 01, 2016 at 10:35:31AM -0400, Dan Book wrote: As mentioned, this isn't just about screen, tmux, and nohup (or if there's any other programs used in a similar context). *Any* command run with a trailing & is commonly expected to survive logout, usually from

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Solomon Peachy
On Wed, Jun 01, 2016 at 10:35:31AM -0400, Dan Book wrote: > As mentioned, this isn't just about screen, tmux, and nohup (or if there's > any other programs used in a similar context). *Any* command run with a > trailing & is commonly expected to survive logout, usually from remote > shells. Um,

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Howard Chu
Matthias Clasen wrote: On Wed, 2016-06-01 at 09:59 -0400, Matthew Miller wrote: This paints a very specific premise of what a "logout" is, and I'm not sure I agree with it. There are actually many cases where I want to use resources on systems I have accounts on without specifically being

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Matthias Clasen
On Wed, 2016-06-01 at 09:59 -0400, Matthew Miller wrote: > > This paints a very specific premise of what a "logout" is, and I'm > not > sure I agree with it. There are actually many cases where I want to > use > resources on systems I have accounts on without specifically being > logged in — the

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Jóhann B . Guðmundsson
On 06/01/2016 02:01 PM, Josh Boyer wrote: Given the principle of least surprise, it would make more sense to default with this being disabled out of the box. I have to disagree with this statement. Upstream should always reflect how things should be while downstream reflects how things are

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Tomasz Torcz
On Wed, Jun 01, 2016 at 07:35:21AM -0700, Andrew Lutomirski wrote: > On Jun 1, 2016 7:29 AM, "Tomasz Torcz" wrote: > > > > On Wed, Jun 01, 2016 at 10:04:27AM -0400, Dan Book wrote: > > > > > > > > Again, this isn't just work-arounds around broken programs. It's a > > > >

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Dominique Martinet
Hi, Lennart Poettering wrote on Wed, Jun 01, 2016 at 03:48:04PM +0200: > Again, this isn't just work-arounds around broken programs. It's a > security thing. It's privileged code (logind, PID 1) that enforces a > clear life-cycle on unprivileged programs. > > Any scheme that relies on

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Dan Book
On Wed, Jun 1, 2016 at 10:28 AM, Tomasz Torcz wrote: > > > I think that programs needing special treatment should use operating > system's facilities to communicate that. So tmux, screen, nohup should > really open a new session. It's unfortunate that tmux author is

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Andrew Lutomirski
On Jun 1, 2016 7:29 AM, "Tomasz Torcz" wrote: > > On Wed, Jun 01, 2016 at 10:04:27AM -0400, Dan Book wrote: > > > > > > Again, this isn't just work-arounds around broken programs. It's a > > > security thing. It's privileged code (logind, PID 1) that enforces a > > > clear

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Tomasz Torcz
On Wed, Jun 01, 2016 at 10:04:27AM -0400, Dan Book wrote: > > > > Again, this isn't just work-arounds around broken programs. It's a > > security thing. It's privileged code (logind, PID 1) that enforces a > > clear life-cycle on unprivileged programs. > > > > Any scheme that relies on

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Adam Williamson
On Wed, 2016-06-01 at 15:48 +0200, Lennart Poettering wrote: > > Any scheme that relies on unprivileged programs "being nice" doesn't > fix the inherent security problem: after logout a user should not be > able to consume further runtime resources on the system, regardless if he > does that because

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Dan Book
On Wed, Jun 1, 2016 at 9:48 AM, Lennart Poettering wrote: > On Wed, 01.06.16 12:19, Howard Chu (h...@symas.com) wrote: > > > This is still looking at the problem back-asswards. The problem isn't > that > > screen and tmux are special cases. The problem is that some handful

Re: systemd 230 change - KillUserProcesses defaults to yes

2016-06-01 Thread Andrew Lutomirski
On Jun 1, 2016 3:03 AM, "Vít Ondruch" wrote: > > > > Dne 31.5.2016 v 21:20 DJ Delorie napsal(a): > > Lennart Poettering writes: > >> Again, as mentioned before: key here is that permitting user processes > >> to stick around after all sessions of the
