[arch-general] systemd sessions, su -l, and access to /dev/

MSal msal at tormail.org
Sun Nov 25 16:15:49 EST 2012


On Sat, Nov 24, 2012 at 07:00:10PM +0100, Tom Gundersen wrote:
> On Nov 23, 2012 12:21 AM, "MSal" <msal at tormail.org> wrote:
> > I asked about this in the forum. But it looks like this is a better
> > place to discuss systemd-related issues.
> >
> > If I login to user1 or user2 then try to play audio which requires
> > access to /dev/snd/* , proper access to the logged in user is set by
> > the session and everything works correctly.
> >
> > But, if I login to user1 then su to user2, audio wouldn't work because
> > access permissions are assigned to the session user only (user1).
> >
> > Any idea how to fix this issue?
> 
> Could you elaborate a bit on what you are trying to do? (there might be a
> better way without using 'su'.)
> 
> The behaviour you are getting is by design, so there is nothing really to
> fix. However, you can of course make the system behave the way you want:
> 
> Either, assign your devices to the audio group and the same with your users.
> 

.....

> Or add systemd_pam to the su pam file. This will create a new session for
> you when you use su and should therefore adjust the ACLs accordingly.
> 

pam_systemd is exactly what I was looking for. It works with
systemd's/logind's upstream behaviour instead of working around it.

For reference, I added the following 2 lines to both /etc/pam.d/su{,-l}
as I want a unified behaviour for all su invocations. Both files are
backup which is an added plus:

session         required        pam_loginuid.so
session         required        pam_systemd.so kill-session-processes=1

Warning: This will break su in already-open sessions.
Note: "pam_loginuid.so" is an absolute requirement for this use-case not
just a recommendation.

Check out `man 8 pam_systemd` and `man 8 pam_loginuid` for more info.
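
An added example, not part of the original message: a shell function that checks a PAM file for the two session lines given above. The function name `check_su_pam` and the sample file are constructed here, and the ordering check assumes the order shown in the message.

```shell
#!/bin/sh
# check_su_pam FILE
# Exit 0 if FILE has session lines for pam_loginuid.so and pam_systemd.so,
# with pam_loginuid.so first (assumed order, as in the message above).
# Only FILE itself is read; "include"/"substack" targets are not followed.
check_su_pam() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)                 # PAM allows a leading "-" on the type
            if (type != "session") next
            # The module is not field 3 when the control is a [..] list,
            # so look at every field after the type.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_loginuid\.so$/ && !l) l = NR
                if ($i ~ /(^|\/)pam_systemd\.so$/  && !s) s = NR
            }
        }
        END {
            if (!l) { print f ": no session line for pam_loginuid.so"; bad = 1 }
            if (!s) { print f ": no session line for pam_systemd.so"; bad = 1 }
            if (l && s && l > s) {
                print f ": pam_loginuid.so (line " l ") is after pam_systemd.so (line " s ")"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: a typical auth line followed by the two lines from the message.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
session         required        pam_loginuid.so
session         required        pam_systemd.so kill-session-processes=1
EOF
check_su_pam "$sample" && echo "sample: both session lines present, in order"
rm -f "$sample"
```

Run it against each file that was edited, for example `check_su_pam /etc/pam.d/su` and `check_su_pam /etc/pam.d/su-l`.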

