Bug 2056595 - Provide a way to forbid migration of processes started via su/sudo from service cgroup
Status: NEW
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: systemd
Version: 8.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: systemd maint
QA Contact: Frantisek Sumsal
Reported: 2022-02-21 14:41 UTC by Renaud Métrich
Modified: 2023-08-14 11:27 UTC (History)

Type: Story

Links
- GitHub systemd/systemd issues 6356: RFE: provide an option to forbid migrating processes to a different unit/cgroup (Private: 0, Priority: None, Status: open, Last Updated: 2022-11-15 13:46:45 UTC)
- Red Hat Issue Tracker RHELPLAN-112931 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2022-02-21 14:56:25 UTC)

Description Renaud Métrich 2022-02-21 14:41:04 UTC
Description of problem:

When sudo'ing, su'ing or calling "runuser -l", pam_systemd makes the cgroup change, but not always, e.g.:

- it changes the cgroup when sudo'ing from a service
- it doesn't change the cgroup when sudo'ing from another user session

Why is this done? What is the benefit for doing this?

IMHO if we are in a service already, nothing should happen at all and the executable called after sudo'ing or su'ing should remain in the cgroup of the service.
This would greatly permit reusing customer's legacy scripts that internally make use of "su" or "sudo" without rewriting anything.

Version-Release number of selected component (if applicable):

systemd-219+

How reproducible:

Always
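
Added example, not part of the original report: a shell check that reads the contents of /proc/<pid>/cgroup and tells whether a process that started in a service cgroup has ended up in a different one, such as the session scope pam_systemd creates. The function names, legacy.service, user-1000.slice and session-c1.scope are constructed for illustration.

```sh
#!/bin/sh
# Added example. All unit names and sample contents below are constructed.

# unit_path: read /proc/<pid>/cgroup text on stdin and print the cgroup path
# systemd tracks the process in. Handles cgroup v1 ("N:name=systemd:/path")
# and cgroup v2 ("0::/path"); the v1 named hierarchy wins when both exist.
unit_path() {
    awk -F: '
        $2 == "name=systemd"  { v1 = $0; sub(/^[^:]*:[^:]*:/, "", v1) }
        $1 == "0" && $2 == "" { v2 = $0; sub(/^[^:]*:[^:]*:/, "", v2) }
        END { if (v1 != "") print v1; else print v2 }
    '
}

# classify PATH: print "session" for a logind session scope, "service" for a
# service unit, "other" for anything else.
classify() {
    case "$1" in
        */session-*.scope*) echo session ;;
        *.service*)         echo service ;;
        *)                  echo other ;;
    esac
}

# left_service BEFORE AFTER: succeed when the process was in a service cgroup
# in BEFORE and is in a different cgroup in AFTER. Both arguments are the
# full text of /proc/<pid>/cgroup captured before and after the su/sudo call.
left_service() {
    before=$(printf '%s\n' "$1" | unit_path)
    after=$(printf '%s\n' "$2" | unit_path)
    [ "$(classify "$before")" = service ] && [ "$before" != "$after" ]
}

# Constructed samples: a script inside legacy.service, then the command it
# started through "su -l" after being moved to a session scope.
SAMPLE_SERVICE='12:pids:/system.slice/legacy.service
1:name=systemd:/system.slice/legacy.service'
SAMPLE_AFTER_SU='1:name=systemd:/user.slice/user-1000.slice/session-c1.scope'

if left_service "$SAMPLE_SERVICE" "$SAMPLE_AFTER_SU"; then
    echo "sample: process left the service cgroup"
fi
# Report where the current shell is tracked, when /proc is available.
if [ -r /proc/self/cgroup ]; then
    echo "this shell: $(classify "$(unit_path < /proc/self/cgroup)")"
fi
```

On a real system, capture /proc/$$/cgroup in the service script before the su/sudo call and again inside the command it starts, then pass both captures to left_service.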

