If I run this command:
su -l otheruser -c 'strace /usr/lib/systemd/systemd --user 2> /tmp/su.err'
It fails:
Failed to create root cgroup hierarchy: Permission denied
Failed to allocate manager object: Permission denied
I see in the strace output that starting systemd as user failed here:
mkdir("/sys/fs/cgroup/systemd/user/root/754/systemd-3893", 0755) = -1 EACCES (Permission denied)
Where does /sys/fs/cgroup/systemd/user/root/ come from?
If I run the same command via ssh to localhost it works:
ssh otheruser@localhost 'strace /usr/lib/systemd/systemd --user 2> /tmp/ssh.err'
Here, the right directory gets used:
mkdir("/sys/fs/cgroup/systemd/user/modwork_gew_dfj/825/systemd-4272", 0755) = 0
Why does it work via ssh, but not via su?
Version: su (GNU coreutils) 8.17
Here you can see that the cgroup does not get changed by my version of su:
host:~ # su -l otheruser
otheruser@host:~$ cat /proc/$PPID/cgroup
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:net_cls:/
6:freezer:/
5:devices:/
4:memory:/
3:cpuacct,cpu:/
2:cpuset:/
1:name=systemd:/user/root/5913 <################ root
Via ssh:
host:~ # ssh otheruser@host
otheruser@host:~$ cat /proc/$PPID/cgroup
10:hugetlb:/
9:perf_event:/
8:blkio:/
7:net_cls:/
6:freezer:/
5:devices:/
4:memory:/
3:cpuacct,cpu:/
2:cpuset:/
1:name=systemd:/user/otheruser/5919 <################ otheruser
My version of su does not change the cgroup (see the link in the answer of user "ax."). Is there a way to change the cgroup (before or after) calling su?
This version does not have this issue: su util-linux 2.25
su inherits its cgroup from the originating session, not from the user passed to su. So when you call su -l otheruser -c systemd ... as root, systemd tries to use the root cgroup (/sys/fs/cgroup/systemd/user/root/...) as otheruser and fails.
With ssh otheruser@localhost ..., both user and cgroup are otheruser, and everything works as expected.
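The mismatch described in this answer can be checked before starting systemd --user. The script below is an added example, not part of the original post: it assumes the cgroup v1 name=systemd layout /user/<owner>/<session> shown in the question, its function names are hypothetical, and its sample lines are trimmed from the question's output.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the cgroup v1 layout
# shown in the question: N:name=systemd:/user/<owner>/<session>.
# Function names are hypothetical.

# Read /proc/<pid>/cgroup-style text on stdin and print the <owner> part of
# the name=systemd path. Exit status 1 if no /user/<owner>/ path is present.
systemd_cgroup_owner() {
    awk -F: '
        $2 == "name=systemd" && !seen {
            seen = 1
            n = split($3, part, "/")   # "/user/root/5913" -> "", user, root, 5913
            if (n >= 3 && part[2] == "user" && part[3] != "") {
                print part[3]
                found = 1
            }
        }
        END { exit !found }'
}

# Compare the cgroup owner on stdin with the expected user name ($1).
# Returns 0 on match, 1 on mismatch, 2 if no systemd user cgroup was found.
check_cgroup_owner() {
    expected=$1
    owner=$(systemd_cgroup_owner) || { echo "no systemd user cgroup found"; return 2; }
    if [ "$owner" = "$expected" ]; then
        echo "ok: cgroup owner is $owner"
    else
        echo "mismatch: running as $expected but cgroup belongs to $owner"
        return 1
    fi
}

# Sample input trimmed from the question's two sessions.
SU_SAMPLE='2:cpuset:/
1:name=systemd:/user/root/5913'
SSH_SAMPLE='2:cpuset:/
1:name=systemd:/user/otheruser/5919'

printf '%s\n' "$SU_SAMPLE"  | check_cgroup_owner otheruser || true   # su case
printf '%s\n' "$SSH_SAMPLE" | check_cgroup_owner otheruser || true   # ssh case

# Live use inside a session: check_cgroup_owner "$(id -un)" < /proc/$$/cgroup
```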