On Thu, Mar 10, 2016 at 12:37:31PM +0000, Daniel P. Berrange wrote:
> On Wed, Mar 09, 2016 at 01:01:40PM -0500, Lars Kellogg-Stedman wrote:
> > I ran into an odd problem today. I wanted to share it here in the
> > hopes of maybe saving someone else some lost time.
> >
> > When you run libvirtd as an unprivileged user (e.g., if you target
> > qemu:///session from a non-root account), then libvirt will open a
> > unix domain socket in one of two places:
> >
> > - If XDG_RUNTIME_DIR is defined, then inside
> > $XDG_RUNTIME_DIR/libvirt/libvirt-sock
> >
> > - If XDG_RUNTIME_DIR is *not* defined, then inside
> > $HOME/.cache/libvirt/libvirt-sock
> >
> > With a CentOS 7 system, at least, if you ssh directly into an
> > account, XDG_RUNTIME_DIR is set. But! If you `su -` to the account
> > from root, e.g:
> >
> > # su - stack
> >
> > Then XDG_RUNTIME_DIR is *not* set. The problem is a little subtle,
> > because most operations you will perform will work just fine in both
> > cases: you can query for defined but not active guests, storagep
> > pools, volumes, and so forth without a problem and you'll get the same
> > answer.
>
> IMHO this is a bug in the pam config. We really expect to see the
> same environment setup no matter how you login text console vs su
> vs ssh vs GDM. If that's not happening, its always going to cause
> bad behaviour across many apps, not only libvirt.
Talking to Alexander Bokovoy (of FreeIPA, CCed) on IRC on this topic, he
says:
'su -' does initialize environment to start a shell
as a login shell. It clears out everything but TERM from the old
environment
and sets a new one. If your shell for $user does
not set XDG_RUNTIME_DIR, then that's the issue, not PAM
XDG_RUNTIME_DIR is set by pam_systemd after logind created a session
for that user, but only in the case if user who authenticated is the
same as the original user of the session
when you do 'su - $user' as root, you'd get this [error message is
manually wrapped for this email]:
su[9188]: pam_systemd(su-l:session): pam-systemd initializing
su[9188]: pam_systemd(su-l:session): Asking logind to create
session: uid=1792600000 pid=9188 service=su-l type=tty
class=user desktop= seat= vtnr=0 tty=pts/1 display= remote=no
remote_user=root remote_host=
su[9188]: pam_systemd(su-l:session): Cannot create session:
Already running in a session
[NOTE: you need to add 'debug' option to pam_systemd.so,
/etc/pam.d/system-auth]
`su -` isn't a best tool, specifically under systemd -- it may be
more efficient to use systemd tools to create sessions and
activate/switch them
--
/kashyap
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
