[sudo-users] Sudo/systemd behavior change
Joe DiTommasso
joe at ditommasso.com
Tue Feb 5 16:46:31 MST 2019
Hi, I've just run into a behavior change with sudo and systemd after
upgrading from CentOS 7.5 to 7.6. Sudo version change was from
1.8.19p2-14.el7_5 to 1.8.23-3.el7. Here's my minimal reproduction:
[root at host ~]# cat /usr/lib/systemd/system/sudo-test.service
[Unit]
Description=Sudo test
[Service]
WorkingDirectory=/tmp
ExecStart=/tmp/sudo-test.sh
TimeoutStopSec=10
User=joe
[root at host ~]# cat /tmp/sudo-test.sh
#!/bin/env bash
sudo sleep 300
Old version:
[root at nitrogen ~]# rpm -qa | grep sudo
sudo-1.8.19p2-14.el7_5.x86_64
[root at host ~]# systemctl status sudo-test
● sudo-test.service - Sudo test
Loaded: loaded (/usr/lib/systemd/system/sudo-test.service; static; vendor preset: disabled)
Active: active (running) since Tue 2019-02-05 23:23:04 UTC; 4s ago
Main PID: 29877 (bash)
CGroup: /system.slice/sudo-test.service
├─29877 bash /tmp/sudo-test.sh
├─29878 sudo sleep 300
└─29885 sleep 300
All child processes show up in the same cgroup.
New version:
[root at nitrogen ~]# rpm -qa | grep sudo
sudo-1.8.23-3.el7.x86_64
[root at host ~]# systemctl start sudo-test
[root at host ~]# systemctl status sudo-test
● sudo-test.service - Sudo test
Loaded: loaded (/usr/lib/systemd/system/sudo-test.service; static; vendor preset: disabled)
Active: active (running) since Tue 2019-02-05 23:27:41 UTC; 3s ago
Main PID: 30091 (bash)
CGroup: /system.slice/sudo-test.service
└─30091 bash /tmp/sudo-test.sh
Feb 05 23:27:41 host systemd[1]: Started Sudo test.
Feb 05 23:27:41 host sudo[30092]: joe : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sleep 300
[root at host ~]# pgrep -alf sleep
30092 sudo sleep 300
30101 sleep 300
[root at host ~]# systemctl status 30092
● session-c1.scope - Session c1 of user root
Loaded: loaded (/run/systemd/system/session-c1.scope; static; vendor preset: disabled)
Drop-In: /run/systemd/system/session-c1.scope.d
└─50-After-systemd-logind\x2eservice.conf, 50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.conf
Active: active (running) since Tue 2019-02-05 23:27:41 UTC; 17s ago
CGroup: /user.slice/user-0.slice/session-c1.scope
├─30092 sudo sleep 300
└─30101 sleep 300
Only the initial bash script is in the systemd-managed cgroup, meaning
'systemctl stop sudo-test' leaves the children in an unmanaged state. The other child
processes are in a new root user slice. I'm aware that what we're doing
with a non-root service calling sudo is probably an antipattern, but we're
in the process of moving away from sudo and weren't expecting this change
in behavior. Is this an expected change? Let me know if there's any other
information you need.
Joe
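A check for the situation described in the post, added here as an example and not taken from the post or from sudo/systemd itself: it walks the descendants of a unit's main PID and reports any whose systemd cgroup differs from the main process's, which is exactly the set that `systemctl stop` would leave behind. It assumes Linux /proc, awk and pgrep (procps-ng), and the documented /proc/<pid>/cgroup line formats for cgroup v1 (`name=systemd`) and v2.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: given the main PID of a systemd
# unit, report descendants that have left the unit's cgroup (for instance after
# sudo's PAM session moved them into a session-*.scope). Assumes Linux /proc,
# awk and pgrep; cgroup v1 "name=systemd" and cgroup v2 "0::" line formats.

# Print the systemd-managed cgroup path found in a /proc/<pid>/cgroup file.
#   cgroup v1 line: "1:name=systemd:/system.slice/sudo-test.service"
#   cgroup v2 line: "0::/system.slice/sudo-test.service"
systemd_cgroup() {   # $1 = path to a /proc/<pid>/cgroup file
    awk -F: '$2 == "name=systemd" || ($1 == "0" && $2 == "") { print $3; exit }' "$1"
}

# Print every descendant PID of $1 (recursively), one per line.
descendants() {
    local child
    for child in $(pgrep -P "$1"); do
        echo "$child"
        descendants "$child"
    done
}

# Print "<pid> <cgroup> <cmdline>" for each descendant of the unit's main PID
# whose systemd cgroup differs from the main PID's. No output means nothing
# escaped and `systemctl stop` will reach the whole process tree.
escaped_children() {   # $1 = MainPID of the unit
    local root_cg child_cg pid
    root_cg=$(systemd_cgroup "/proc/$1/cgroup" 2>/dev/null)
    [ -n "$root_cg" ] || { echo "no systemd cgroup found for pid $1" >&2; return 1; }
    for pid in $(descendants "$1"); do
        child_cg=$(systemd_cgroup "/proc/$pid/cgroup" 2>/dev/null) || continue
        [ -n "$child_cg" ] && [ "$child_cg" != "$root_cg" ] || continue
        printf '%s %s %s\n' "$pid" "$child_cg" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
}

# Invocation against the unit from the post (run as root; `cut` is used because
# systemd 219 on CentOS 7 lacks `systemctl show --value`):
#   escaped_children "$(systemctl show -p MainPID sudo-test | cut -d= -f2)"
```

On the post's "new version" system this would list PIDs 30092 and 30101 under /user.slice/user-0.slice/session-c1.scope, while on the old version it prints nothing.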