Why does sudo -i not set XDG_RUNTIME_DIR for the target user?

I have replicated this issue on my Fedora 25 system.

I found a very suspicious condition in the source code. https://github.com/systemd/systemd/blob/f97b34a/src/login/pam_systemd.c#L439 It looks as if it was written with normal sudo in mind but not sudo -u non-root-user.

machinectl shell --uid=non-root-user worked as you requested.

systemd-run did not appear to work as desired, despite the reference to it in the machinectl documentation.

Some machinectl commands don't work if you have enabled SELinux at the moment, and these specific commands didn't work for me until I did setenforce 0. However I'm in the middle of trying workarounds to get machinectl working as I want it to w.r.t SELinux, so it's possible my fiddling is what causes e.g. machinectl shell to timeout.

EDIT: I think this code was introduced after this discussion. And apparently su - / sudo -i could be made to work, but no-one has implemented it (still).


What I'm really wondering, though, is how come the session is set up correctly with ssh, but not with su or sudo -i?

https://github.com/systemd/systemd/issues/7451#issuecomment-346787237

Sorry, but "su" is a tool for changing user identities and very few other process credentials temporarily. It's not a tool for opening a completely new login session. A new login session has a very well defined, pristine setup, not inheriting anything from any other session, but this is really not the case for "su" uid changes: most of the execution environment is inherited over, in numerous and non-obvious ways, for example MAC contexts, audit contexts, cgroup contexts, namespace contexts, scheduling, timer granularity, …

if you want a full new session, use something like "machinectl login" or "machinectl shell", which will actually get your a fully clean, independent, detach environment, with no hidden process properties leaking from where you call it into it.

logind sessions are mostly bound to the audit session concept, and audit sessions remain unaffected by "su", in fact they are defined to be "sealed off", i.e. in a way that if a process entered a session once, it will always stay with it, and so will its children, i.e. the only way to get a new session is by forking off something off PID 1 (or something similar) that never has been part of a session.

Or to say this differently: the stuff you invoke through "su" will show up just fine in "loginctl", however, it remains part of your original session, you logged in originally. You can verify that by invoking "loginctl status" on the original session's ID (which you can see through echo $XDG_SESSION_ID)