On Tue, Jan 22, 2019 at 3:52 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
On 22.01.19 at 08:12, Mantas Mikulėnas wrote:
> On Tue, Jan 22, 2019 at 3:46 AM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
> "ProtectSystem=full" with the setup below just works, "su -" in a
> konsole within the graphical session doesn't gain write permissions
>
> Tasks: 4
> why?
>
> shouldn't everything started after the graphical login inherit any
> settings from the display-manager service and run under its cgroup?
>
>
> No, one of the first things done during login is to create a new logind
> session with associated cgroup (under user.slice) and move your process
> into it.
so that ProtectSystem and FS namespaces are properly inherited is more
luck than by design?
Namespaces are not cgroup parameters.
I don't think namespacing a user-login service was ever part of the design...
Mantas Mikulėnas
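The distinction drawn in this thread can be checked per process: the mount namespace (which carries the ProtectSystem= read-only mounts) is inherited from the parent process, while cgroup membership is reassigned when logind creates the session. The script below is an added example, not part of the original thread; `PROC_ROOT`, the function names and the script name in the usage comment are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: PROC_ROOT is an assumption of this sketch so the functions can
# be pointed at a constructed tree; it defaults to the real /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Mount-namespace identity of a PID, e.g. "mnt:[4026531840]".
# On a live system, reading another user's process needs root.
mnt_ns() {
    readlink "$PROC_ROOT/$1/ns/mnt"
}

# cgroup v2 path of a PID, taken from the "0::" line of its cgroup file.
cgroup_path() {
    sed -n 's/^0:://p' "$PROC_ROOT/$1/cgroup"
}

# Print "ns=<same|different> cgroup=<same|different>" for two PIDs.
compare_pids() {
    ns_a=$(mnt_ns "$1") || return 1
    ns_b=$(mnt_ns "$2") || return 1
    cg_a=$(cgroup_path "$1") || return 1
    cg_b=$(cgroup_path "$2") || return 1
    ns=different; cg=different
    [ "$ns_a" = "$ns_b" ] && ns=same
    [ "$cg_a" = "$cg_b" ] && cg=same
    echo "ns=$ns cgroup=$cg"
}

# Usage: sh nscheck.sh <display-manager PID> <session shell PID>
if [ "$#" -eq 2 ]; then
    compare_pids "$1" "$2"
fi
```

For the setup described in the thread, the expected result for the display manager's main PID and a shell inside the graphical session is `ns=same cgroup=different`.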