Unverified Commit fb51cc80 authored by Grimmauld's avatar Grimmauld

nixos/systemd: run0: enable setLoginUid, disable pamMount

This brings our `run0` in line with the upstream defaults:
https://github.com/systemd/systemd/blob/bcc73cafdbd9c3947c53e4cff3498f8a73e56d9d/src/run/systemd-run0.in

While working on `auditd`, I noticed differences in how `run0` behaves
in regard to `/proc/$pid/sessionid` and `/proc/$pid/loginuid`. Particularly,
both files were set to `4294967295`, the magic value denoting `unset`.

While the manual page says elevators such as sudo should not set the loginuid,
run0 is a bit of a special case: the unit spawned by it is not a child of
the running user session, and as such there is no id to inherit.

`systemd` upstream uses `pam_loginuid`, and for consistency we should too.
Especially because it prevents a whole lot of pain when working with `auditd`.

As to pam mounts:
On nixos we enable those if they are globally enabled. Upstream does not.
Considering the password entered into polkit is usually not the user password
of the account which will own the unit, pam mount will fail for any partition
which requires a password. Thus it makes sense to also disable pam mounts
for our run0; it prevents unnecessary, unexpected pain.
parent 1fd9a57c
+5 −1
@@ -838,7 +838,11 @@ in
    # error that we’re trying to avoid can’t possibly happen if polkit isn’t enabled. When polkit isn’t
    # enabled, run0 will fail before it even tries to run the command.
    security.pam.services = mkIf config.security.polkit.enable {
      systemd-run0 = { };
      systemd-run0 = {
        # Upstream config: https://github.com/systemd/systemd/blob/main/src/run/systemd-run0.in
        setLoginUid = true;
        pamMount = false;
      };
    };
  };
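Review bot: The comment added above `setLoginUid = true;` links to the upstream file on `main`, so the reference can drift away from the values chosen here; the commit message already cites a pinned revision (`bcc73cafdbd9c3947c53e4cff3498f8a73e56d9d`), and the in-tree comment should use that same pinned URL so a reader can verify `setLoginUid = true;` and `pamMount = false;` against the exact upstream `systemd-run0.in` they were taken from. Since `pamMount = false;` deliberately overrides the global pam-mount setting, a one-line comment stating why (the polkit-entered password is generally not the target account's password, per the commit message) would keep that rationale next to the option rather than only in the history.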