Bug 2056595

Summary: Provide a way to forbid migration of processes started via su/sudo from service cgroup
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: systemd
Assignee: systemd maint <systemd-maint>
Status: NEW ---
QA Contact: Frantisek Sumsal <fsumsal>
Severity: high
Priority: high
Version: 8.5
CC: dtardon, systemd-maint-list
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: Story
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Renaud Métrich 2022-02-21 14:41:04 UTC
Description of problem:

When sudo'ing, su'ing or calling "runuser -l", pam_systemd makes the cgroup change, but not always, e.g.:

- it changes the cgroup when sudo'ing from a service
- it doesn't change the cgroup when sudo'ing from another user session

Why is this done? What is the benefit for doing this?

IMHO if we are in a service already, nothing should happen at all and the executable called after sudo'ing or su'ing should remain in the cgroup of the service.
This would greatly permit reusing customers' legacy scripts that internally make use of "su" or "sudo" without rewriting anything.

Version-Release number of selected component (if applicable):

systemd-219+

How reproducible:

Always
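To verify the behaviour described in the report on a given host, an administrator needs to see which systemd cgroup a process and its su/sudo child actually ended up in. The following is an added example, not code from the bug report or from systemd: it parses the content of /proc/<pid>/cgroup (cgroup v2 `0::` line or the v1 `name=systemd` hierarchy) and reports whether a process sits in a `.service` unit or in a `session-*.scope`, and whether a child was migrated out of its parent's service. The sample cgroup contents, the unit name `legacy-batch.service` and the session id are constructed for illustration.

```python
import re
from typing import Optional, Tuple

SESSION_RE = re.compile(r"/user\.slice/user-(\d+)\.slice/(session-[^/]+\.scope)$")
SERVICE_RE = re.compile(r"/([^/]+\.service)(?:/|$)")

def systemd_path(cgroup_text: str) -> Optional[str]:
    """Return the systemd hierarchy path from /proc/<pid>/cgroup content.
    Handles the cgroup v2 line ('0::/path') and the v1 'name=systemd' controller."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _, controllers, path = parts
        if controllers == "" or "name=systemd" in controllers.split(","):
            return path
    return None

def classify(cgroup_text: str) -> Tuple[str, Optional[str]]:
    """Return ('service', unit), ('session', scope) or ('other', path)."""
    path = systemd_path(cgroup_text)
    if path is None:
        return ("other", None)
    m = SESSION_RE.search(path)
    if m:
        return ("session", m.group(2))
    m = SERVICE_RE.search(path)
    if m:
        return ("service", m.group(1))
    return ("other", path)

def migrated_out_of_service(parent_text: str, child_text: str) -> bool:
    """True when the parent runs inside a service but the child no longer does
    (the pam_systemd migration the report wants to be able to forbid)."""
    kind, unit = classify(parent_text)
    return kind == "service" and classify(child_text) != (kind, unit)

def read_cgroup(pid: int) -> str:
    """Read the live cgroup membership of a process (Linux only)."""
    with open(f"/proc/{pid}/cgroup") as f:
        return f.read()

# Constructed sample content: a script inside a service (cgroup v2), the same
# script's child after sudo, moved by pam_systemd into a session scope, and a
# cgroup v1 view of the service.
SERVICE_SAMPLE = "0::/system.slice/legacy-batch.service\n"
AFTER_SUDO_SAMPLE = "0::/user.slice/user-0.slice/session-c7.scope\n"
V1_SAMPLE = "11:cpu,cpuacct:/system.slice/legacy-batch.service\n1:name=systemd:/system.slice/legacy-batch.service\n"

if __name__ == "__main__":
    print(classify(SERVICE_SAMPLE), classify(AFTER_SUDO_SAMPLE))
    print("migrated:", migrated_out_of_service(SERVICE_SAMPLE, AFTER_SUDO_SAMPLE))
```

On a real host, compare `read_cgroup(os.getpid())` inside the service with the same call from the command run under `sudo` or `su`; a result of `('session', ...)` for the child is the migration the report describes.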