On Sa, 13.04.19 14:03, Steve Grubb (sgrubb(a)redhat.com) wrote:
> If you enable lingering for a user, it's the "systemd --user" instance
> (i.e. the per-user service manager) that is started at boot and
> terminated at shutdown (instead of started at first login and
> terminated at last logout of the user), that's all.
> If you then run code as user service (i.e. as a service started and
> managed by the "systemd --user" instance instead of PID 1) then it is
> lifecycled (and its processes killed as needed) by the user service
> manager. And you can configure the way you want killing to behave like
> you would for any systemd service: with KillMode= in the unit file.
> This doesn't really fit with the security requirements we need.
> Anything run outside of a user session needs to have an audit session id
> and login uid assigned to anything run.
It has. As mentioned, systemd --user runs as part of a PAM session,
hence it acquires its own session ID and loginuid setting as part of that.
> We also need to have the ability to know the name of the script that
> is being run in an audit event.
To my knowledge audit collects the comm name of any process already, no?
Lennart Poettering, Berlin
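As an added example (not part of the thread above), the following POSIX shell snippet is the check a defender would run to confirm the point made in the reply: that a lingering user's "systemd --user" instance, and anything it starts, actually carries an audit login uid and audit session id. It reads the kernel-provided /proc/PID/loginuid and /proc/PID/sessionid, where the value 4294967295 (u32 -1) means "unset". The user name 'alice' and the pgrep invocation in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# The audit subsystem reports an unset loginuid/sessionid as 4294967295.
UNSET=4294967295

# audit_ids_set LOGINUID SESSIONID
# Prints "set" or "unset"; returns 0 only when both identifiers are assigned.
audit_ids_set() {
    if [ "$1" = "$UNSET" ] || [ "$2" = "$UNSET" ]; then
        echo unset
        return 1
    fi
    echo set
    return 0
}

# check_pid PID
# Reads the live values for a process and reports them; returns 2 if the
# /proc entries cannot be read (process gone or audit not available).
check_pid() {
    pid="$1"
    luid=$(cat "/proc/$pid/loginuid" 2>/dev/null) || return 2
    sid=$(cat "/proc/$pid/sessionid" 2>/dev/null) || return 2
    printf 'pid %s loginuid=%s sessionid=%s: ' "$pid" "$luid" "$sid"
    audit_ids_set "$luid" "$sid"
}

# Usage on a real system (assumed user name 'alice'):
#   loginctl enable-linger alice
#   check_pid "$(pgrep -u alice -x systemd)"   # the user's 'systemd --user' instance
# A service started by that instance should inherit the same values; a
# result of "unset" means the process was not created through a PAM session.
```

Run it against the per-user manager and one of its services after enabling lingering; both should report "set" with the same session id, which is the property the audit requirement in the thread is asking for.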