When I use ssh to log in to the root user on my server, an entry 0 is created in /var/run/user because pam_systemd tells systemd-logind to do this. This is an indicator that a user session has been started for uid 0.

Then, when I run su jack, I still only see the 0 entry in /var/run/user; no entry has been made for this session.

However, journalctl shows that a pam session was opened, and /etc/pam.d/su includes common-session, which adds session optional pam_systemd.so. So I think that a user session should have been created.

How can I make su create a user session?

If it's relevant, I'm on Debian 11.

  • Why do you need a full session? Have you tried su - jack? Commented May 21, 2022 at 20:00
  • I'm trying to get a full session so that systemctl --user works. su - jack didn't work either :( Commented May 21, 2022 at 20:25
  • su is intended to allow for access with alternate credentials within another session. If you want a new session, you have to log in instead. Commented May 21, 2022 at 21:11
  • I use loginctl enable-linger to make the user manager of a user start regardless of whether it has a session. When I also have some user service that starts e.g. tmux, then I'll be able to systemctl --user if I attach to the same tmux server (by setting TMUX_TMPDIR) after su -. Commented May 22, 2022 at 10:28
  • Relating unix.stackexchange.com/q/545328/117549 Commented May 22, 2022 at 10:58

1 Answer

The PAM module does not create a session if the current process is already a member of an existing session. I found the following workaround to create a session from an existing session:

systemd-run --system --scope \
    su -l

Basically, you run su -l inside a system-level scope; this is not part of the current user session, and so the PAM module will create a session for the su -l process. Once the process has been moved to the session, the temporary scope is empty and will be removed.

The only issue is that your current user must have the permission to create scopes at system level and you have to authenticate twice, once for the current user to authenticate creation of the scope and then again as the user for whom you want to create a session.
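
An added example, not part of the original answer: a small shell check of which logind session a process belongs to, read from its cgroup path, so the su shell can be compared with a shell started inside the scope. It assumes logind's usual cgroup layout (user-<UID>.slice/session-<ID>.scope), uid 1000 for jack, and constructed sample paths; session_of_cgroup, classify and check_live are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes logind's cgroup layout:
#   /user.slice/user-<UID>.slice/session-<ID>.scope

# Read /proc/<pid>/cgroup text on stdin; print "<uid> <session-id>" if the
# process sits inside a logind session scope, otherwise print nothing.
session_of_cgroup() {
    sed -n 's|^.*/user-\([0-9][0-9]*\)\.slice/session-\([^/]*\)\.scope.*$|\1 \2|p' |
        head -n 1
}

# classify <uid>: compare the session owner found on stdin with <uid>.
# Prints own-session, foreign-session:<owner-uid>, or no-session.
classify() {
    want_uid=$1
    set -- $(session_of_cgroup)
    if [ $# -eq 0 ]; then
        echo "no-session"
    elif [ "$1" = "$want_uid" ]; then
        echo "own-session"
    else
        echo "foreign-session:$1"
    fi
}

# Check the calling shell itself, plus the runtime directory from the question.
check_live() {
    uid=$(id -u)
    echo "uid $uid: $(classify "$uid" < /proc/self/cgroup)"
    [ -d "/run/user/$uid" ] && echo "/run/user/$uid exists" ||
        echo "/run/user/$uid missing"
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Constructed samples for jack (uid 1000, assumed); not captured output.
    printf '%s\n' \
        '0::/user.slice/user-0.slice/session-42.scope' \
        '0::/system.slice/run-r1a2b3c.scope' \
        '0::/user.slice/user-1000.slice/session-43.scope' \
        '0::/user.slice/user-1000.slice/user@1000.service/app.slice/tmux.service' |
    while read -r line; do
        echo "$line -> $(printf '%s\n' "$line" | classify 1000)"
    done
fi
```

Run with --live inside the su shell and again inside the shell started through systemd-run; foreign-session:0 in the first case means the process is still accounted to root's session.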
