Hi,
I'm trying to set up a simple systemd user unit to lock my laptop screen when the system is suspended.
When I attempt to start the unit, it fails with an unexpected error:
● suspend@cjs.service - User suspend actions
Loaded: loaded (/home/cjs/.config/systemd/user/suspend@.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2017-12-27 23:15:31 CST; 7min ago
Process: 1314 ExecStart=/usr/bin/xlock -mode mountain (code=exited, status=216/GROUP)
Main PID: 1314 (code=exited, status=216/GROUP)
Dec 27 23:15:31 mauritius systemd[649]: Started User suspend actions.
Dec 27 23:15:31 mauritius systemd[1314]: suspend@cjs.service: Failed to determine supplementary groups: Operation not permitted
Dec 27 23:15:31 mauritius systemd[1314]: suspend@cjs.service: Failed at step GROUP spawning /usr/bin/xlock: Operation not permitted
Dec 27 23:15:31 mauritius systemd[649]: suspend@cjs.service: Main process exited, code=exited, status=216/GROUP
Dec 27 23:15:31 mauritius systemd[649]: suspend@cjs.service: Failed with result 'exit-code'.
The unit is super simple and looks like this:
[Unit]
Description=User suspend actions
Before=sleep.target
[Service]
User=%I
Environment=DISPLAY=:0
ExecStart=/usr/bin/xlock -mode mountain
[Install]
WantedBy=sleep.target
Looking at the systemd source code, I think that it might be failing on initgroups(3) here:
https://github.com/systemd/systemd/blob … ute.c#L984
Am I missing something simple?
Last edited by Defender110 (2017-12-28 18:38:29)
Something is really strange here. I made a quick test of initgroups(3) to see what it was returning:
$ cat > initgroups.c << EOF
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
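int main(void) {
    int ret;
    /* initgroups() returns -1 and sets errno on failure */
    ret = initgroups("cjs", 1000);
    /* %m is a glibc extension that prints strerror(errno); it takes no argument */
    printf("RET: %m\n");
    return ret == 0 ? 0 : 1;
}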
EOF
$
$ uname -a
Linux mauritius 4.14.9-1-hardened #1 SMP PREEMPT Tue Dec 26 02:35:44 CET 2017 x86_64 GNU/Linux
$ id
uid=1000(cjs) gid=1000(cjs) groups=1000(cjs),995(wheel)
$ gcc -o initgroups initgroups.c
$ ./initgroups
RET: Operation not permitted
$ sudo ./initgroups
[sudo] password for cjs:
RET: Success
Reading through manpages gets me to the manual for setgroups(2), specifically this error:
EPERM The calling process has insufficient privilege (the caller does not have the
CAP_SETGID capability in the user namespace in which it resides).
EPERM (since Linux 3.19)
The use of setgroups() is denied in this user namespace. See the description of
/proc/[pid]/setgroups in user_namespaces(7).
Last edited by Defender110 (2017-12-28 18:19:17)
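The two EPERM cases quoted from setgroups(2) above can be told apart by reading /proc. This is an added example, not part of the original posts: the names classify, parse_cap_eff and slurp are made up here, and the bit number 6 for CAP_SETGID is taken from <linux/capability.h>.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SETGID_BIT 6 /* CAP_SETGID in <linux/capability.h> */

enum cause { CAN_SETGROUPS, NO_CAP_SETGID, NS_DENIES_SETGROUPS, UNKNOWN };

/* Extract the effective capability mask from /proc/<pid>/status text. */
int parse_cap_eff(const char *status, unsigned long long *mask) {
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (!p) return -1;
    p += strlen("CapEff:");
    *mask = strtoull(p, &end, 16);
    return end == p ? -1 : 0;
}

/* setgroups is the content of /proc/<pid>/setgroups, or NULL if unreadable. */
enum cause classify(const char *status, const char *setgroups) {
    unsigned long long eff;
    if (parse_cap_eff(status, &eff) != 0) return UNKNOWN;
    /* A namespace-wide "deny" wins even when the capability is held. */
    if (setgroups && strncmp(setgroups, "deny", 4) == 0) return NS_DENIES_SETGROUPS;
    if (!((eff >> CAP_SETGID_BIT) & 1)) return NO_CAP_SETGID;
    return CAN_SETGROUPS;
}

/* Read a small /proc file into buf as a NUL-terminated string. */
static size_t slurp(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    size_t got = f ? fread(buf, 1, n - 1, f) : 0;
    if (f) fclose(f);
    buf[got] = '\0';
    return got;
}

int main(void) {
    static const char *msg[] = {
        "setgroups() permitted: CAP_SETGID held and not denied by the namespace",
        "EPERM expected: no CAP_SETGID in the effective set",
        "EPERM expected: /proc/self/setgroups is \"deny\" in this user namespace",
        "could not read CapEff from /proc/self/status",
    };
    char status[8192], sg[16];
    slurp("/proc/self/status", status, sizeof status);
    size_t n = slurp("/proc/self/setgroups", sg, sizeof sg);
    puts(msg[classify(status, n ? sg : NULL)]);
    return 0;
}
```

Run as an ordinary user it reports the missing capability, matching the initgroups test above; under sudo it reports that setgroups() is permitted.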
OK, so I fixed that error by removing the "User=%I" line from the unit. Still not activating xlock on suspend but it's progress.
The solution for this is to run the unit as a system unit, not a user unit. It will need to be enabled by root and the User= does need to be used:
[Unit]
Description=User suspend actions
Before=suspend.target
[Service]
User=%I
Environment=DISPLAY=:0
ExecStart=/usr/bin/xlock -mode mountain
[Install]
WantedBy=suspend.target
It's less than ideal on my machine because xlock isn't actually triggered before the system sleeps. Rather, when you wake the machine up, you will see the unlocked screen for a brief moment before the unit is triggered and the sleep begins. But, it's better than nothing.