Systemd Introduces Its Own "su" Like Command
The latest addition to systemd is offering its own command to provide su-like behavior on Linux systems. The machinectl shell command is meant to replace su for running privileged sessions.
If you've spent any time using Linux systems, chances are you've encountered su to substitute a user's session, most often to become the super user. However, Lennart Poettering has been arguing that su isn't good. In a recent report, the systemd lead developer explained:
Well, there have been long discussions about this, but the problem is that what "su" is supposed to do is very unclear. On one hand it's supposed to open a new session and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot of concepts from the originating session (tty, cgroup, audit, ...). Since this is so weakly defined it's a really weird mix&match of old and new parameters. To keep this somewhat manageable we decided to only switch the absolute minimum over, and that excludes XDG_RUNTIME_DIR, specifically because XDG_RUNTIME_DIR is actually bound to the session/audit runtime and those we do not transition. Instead we simply unset it.
Long story short: "su" is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one.
This has come up many times, but nothing really changed, hence closing this now. I understand this is confusing and unexpected, but well, that's UNIX...
So as of this week he's now introduced a "machinectl shell" command for su(1)-like behaviour. Using machinectl shell can now create su-like privileged sessions that are fully isolated from the original session. Machinectl's shell sub-command also accepts --uid= for specifying the user ID to open for the interactive shell switch, with the default being root. There's also a --setenv= optional parameter for setting any needed environment variables of the new session.
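As an added example (not from the original article or from systemd), the shell functions below check a session for the context that the quoted report says su inherits or drops: the audit login uid, the cgroup, and XDG_RUNTIME_DIR. The function names and sample values are assumptions made for illustration; /proc/self/loginuid and /proc/self/cgroup are the standard Linux interfaces it reads, and /run/user/UID is the runtime directory convention used with systemd.

```shell
#!/bin/sh
# Added example: tell a full login apart from an su-style switch by looking at
# what su changes (uid, env) versus what it inherits (audit, cgroup).

# classify_session EUID LOGINUID CGROUP XDG_RUNTIME_DIR   (hypothetical helper)
# LOGINUID is the audit login uid; 4294967295 means it was never set.
classify_session() {
    euid=$1 loginuid=$2 cgroup=$3 xdg=$4
    findings=""
    # Audit identity still belongs to the user who originally logged in.
    if [ "$loginuid" != "4294967295" ] && [ "$loginuid" != "$euid" ]; then
        findings="$findings audit-loginuid-mismatch"
    fi
    # Process still lives in another user's user-UID.slice cgroup.
    slice_uid=$(printf '%s\n' "$cgroup" |
        sed -n 's/.*user-\([0-9][0-9]*\)\.slice.*/\1/p' | head -n 1)
    if [ -n "$slice_uid" ] && [ "$slice_uid" != "$euid" ]; then
        findings="$findings cgroup-of-uid-$slice_uid"
    fi
    # XDG_RUNTIME_DIR was unset, or still points at someone else's directory.
    case "$xdg" in
        "") findings="$findings xdg-runtime-dir-unset" ;;
        "/run/user/$euid") ;;
        *) findings="$findings xdg-runtime-dir-foreign" ;;
    esac
    if [ -z "$findings" ]; then
        echo "full-login"
    else
        echo "inherited:$findings"
    fi
}

# Same check against the shell that runs this script.
classify_current() {
    loginuid=$(cat /proc/self/loginuid 2>/dev/null || echo 4294967295)
    cgroup=$(cat /proc/self/cgroup 2>/dev/null || true)
    classify_session "$(id -u)" "$loginuid" "$cgroup" "${XDG_RUNTIME_DIR:-}"
}

# Constructed sample: uid 1000 logged in, then used su to become root.
classify_session 0 1000 "0::/user.slice/user-1000.slice/session-3.scope" ""
# Live result for the current shell.
classify_current
```

A mismatch between the audit login uid and the effective uid is also what lets audit records be traced back to the account that originally logged in.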
This new machinectl shell feature is just one of many new (and sometimes controversial) features added to systemd in the past year as it re-architects key portions of the Linux stack. Later this year is also the first systemd conference taking place in Berlin, Germany.