# Waking up the neighbors!

**UPDATE:** the systemd changes went in on March 1, 2023, but are not in Debian Bookworm.

## Prerequisites

See [here](https://github.com/systemd/systemd/issues/17564#issuecomment-1025800826).

* **systemd** released after Feb 2, 2022 (i.e. v251) :white_check_mark: systemd needs to correctly use PAM_DATA_SILENT in `pam_end()`; the bookworm version is OK
* **libcap2** version >= 2.58 :white_check_mark: `sudo apt -t experimental install libcap2`
* **libpam-cap** >= 2.58 :white_check_mark: (part of the *libcap2* source package but a separate binary package, so `sudo apt -t experimental install libpam-cap`)
* include the **pam_cap.so module arguments** `keepcaps` and `defer` in the file `/etc/pam.d/common-auth` :white_check_mark:

  ```
  - auth optional pam_cap.so
  + auth optional pam_cap.so keepcaps defer
  ```

* grant the ambient capability to users by adding to `/etc/security/capability.conf`: `^cap_wake_alarm *`

Afterwards this command `su - mobian -c "/usr/sbin/capsh --print"` results in:

```
Current: cap_wake_alarm=eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =cap_wake_alarm
Current IAB: ^cap_wake_alarm
```

### Create a wake up timer

Create the file `~/.config/systemd/user/alarmclock.timer`:

```
[Unit]
Description=Wake me up early every day...

[Timer]
OnCalendar=*-*-* 13:00:00
# Execute the job if a run was missed (e.g. while the machine was off) XXX Needed?
Persistent=false
WakeSystem=true
# optional, in case we want a different name for the .service file
Unit=alarmclock.service

[Install]
WantedBy=timers.target
```

Enable your timer like other units: `systemctl --user enable alarmclock.timer`.

#### Notes:

- check existing user timers with `systemctl --user list-timers`
- check if your date format is correct by running e.g. `systemd-analyze calendar "*-*-* 13:00:00"` (many time formats are possible, e.g. `Mon..Fri 22:30`)

### Create a wake up service

Create the file `~/.config/systemd/user/alarmclock.service`:

```
[Unit]
Description=Wake me up

[Service]
ExecStart=/usr/bin/true
```

- Enable your service file too: `systemctl --user enable alarmclock.service`

## Putting it all together

Unfortunately it does not work. `systemctl --user restart alarmclock.timer` still leads to

```
Jun 23 13:36:26 mobian systemd[672]: alarmclock.timer: Failed to enter waiting state: Operation not permitted
Jun 23 13:36:26 mobian systemd[672]: alarmclock.timer: Failed with result 'resources'.
```

# :angry:

## Working theory on what goes wrong

OK, I think I got a clue what goes wrong. `/usr/sbin/capsh --print` does not show any capabilities in a gnome-terminal, and `/usr/bin/getpcaps <PID of systemd --user>` ALSO shows no capabilities (which makes sense, as gnome-terminal seems to be spawned by `systemd --user` and not by the gnome-session!). But when I do `su - USER -c "/usr/sbin/capsh --print"` I do have all the caps I need! It also works when I first do a `login USER`! In both of these cases we go through `/etc/pam.d/common-auth`, where the line `pam_cap.so` bestows capabilities on the user. `systemd --user` has no capabilities and is spawned directly by PID 1 (according to pstree); it seems to never go through `pam.d/common-auth` and thus never gets the ambient capabilities! But how to solve that is beyond me.

## Acknowledgements

Credits to: AndrewGMorgan, Lennart Poettering, Christian Kastner, Kai Lueke, jsparber and many others.
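One way to verify the working theory above without relying on `capsh`, as an added example that is not part of the original notes: a small POSIX shell script that decodes the `CapAmb`/`CapEff` masks from `/proc/<pid>/status` and reports whether a process (the `systemd --user` manager, or a shell obtained via `su -`) actually holds `cap_wake_alarm` as an ambient capability. It assumes the kernel's capability numbering, where `CAP_WAKE_ALARM` is bit 35; the embedded status excerpts are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not part of the original notes: decode the capability bitmasks
# in /proc/<pid>/status and report whether CAP_WAKE_ALARM is present.
# Assumes Linux capability numbering, in which CAP_WAKE_ALARM is bit 35.
CAP_WAKE_ALARM=35

# cap_in_mask HEXMASK CAPNUM -> exit status 0 if the bit is set, 1 otherwise
cap_in_mask() {
    [ -n "$1" ] || return 1          # field missing: treat as not granted
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# status_cap_field STATUS_TEXT FIELD -> prints the hex mask of e.g. CapAmb
status_cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# wake_alarm_state STATUS_TEXT -> prints "ambient", "effective-only" or "none".
# Only an ambient cap survives execve() of an unprivileged binary like the timer's job.
wake_alarm_state() {
    amb=$(status_cap_field "$1" CapAmb)
    eff=$(status_cap_field "$1" CapEff)
    if cap_in_mask "$amb" "$CAP_WAKE_ALARM"; then
        echo ambient
    elif cap_in_mask "$eff" "$CAP_WAKE_ALARM"; then
        echo effective-only
    else
        echo none
    fi
}

# Constructed /proc/<pid>/status excerpts (not captured from a real machine):
# a shell started via `su - USER` after pam_cap.so with keepcaps/defer ...
STATUS_SU_SHELL='Name: bash
CapInh: 0000000800000000
CapPrm: 0000000800000000
CapEff: 0000000800000000
CapBnd: 000001ffffffffff
CapAmb: 0000000800000000'
# ... and the `systemd --user` instance spawned directly by PID 1.
STATUS_USER_MANAGER='Name: systemd
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

# On a live system: wake_alarm_state "$(cat /proc/$(pgrep -u "$USER" -x systemd)/status)"
echo "su shell:       $(wake_alarm_state "$STATUS_SU_SHELL")"
echo "systemd --user: $(wake_alarm_state "$STATUS_USER_MANAGER")"
```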
## References

Systemd and capabilities:

* https://gitlab.gnome.org/GNOME/gnome-clocks/-/issues/153
* https://gitlab.gnome.org/GNOME/gnome-clocks/-/issues/100
* https://gitlab.gnome.org/GNOME/gnome-clocks/-/merge_requests/146
* Systemd issue [Make WakeSystem= available for user units](https://github.com/systemd/systemd/issues/17564)

Systemd and timer units:

* https://wiki.archlinux.org/title/Systemd/Timers

# More notes

Immediately create a timer without creating files:

`systemd-run --collect --user --unit=alarm-clock --on-active="1m" --timer-property=WakeSystem=true flatpak run io.bassi.Amberol`