# Waking up the neighbors!
# UPDATE, the systemd changes went in on March 1, 2023, but are not in Debian Bookworm.
## Prerequisites
See [this comment on the systemd issue](https://github.com/systemd/systemd/issues/17564#issuecomment-1025800826).
* **systemd** released after Feb 2, 2022 (i.e., v251) :white_check_mark:
systemd needs to use `PAM_DATA_SILENT` correctly in `pam_end()`; the bookworm version is OK.
* **libcap2** version >= 2.58 :white_check_mark:
`sudo apt -t experimental install libcap2`
* **libpam-cap** >=2.58 :white_check_mark:
(part of the *libcap2* source package but a separate binary package, so `sudo apt -t experimental install libpam-cap`)
* include the **pam_cap.so module arguments** `keepcaps` and `defer` in the file `/etc/pam.d/common-auth` :white_check_mark:
```
- auth optional pam_cap.so
+ auth optional pam_cap.so keepcaps defer
```
* grant the ambient capability to users by adding this line to `/etc/security/capability.conf`: `^cap_wake_alarm *`
Afterwards, the command `su - mobian -c "/usr/sbin/capsh --print"` results in:
```
Current: cap_wake_alarm=eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =cap_wake_alarm
Current IAB: ^cap_wake_alarm
```
### Create a wake up timer
Create the file `~/.config/systemd/user/alarmclock.timer`:
```
[Unit]
Description=Wake me up early every day...
[Timer]
OnCalendar=*-*-* 13:00:00
# Execute job if missed a run (e.g. during machine being off) XXX Needed?
Persistent=false
WakeSystem=true
# optional, in case we want a different name for the .service file
Unit=alarmclock.service
[Install]
WantedBy=timers.target
```
Enable your timer like other units:
`systemctl --user enable alarmclock.timer`.
#### Notes:
- check existing user timers with `systemctl --user list-timers`
- check that your date format is correct with e.g. `systemd-analyze calendar "*-*-* 13:00:00"` (quote the expression so the shell does not expand the `*`; many time formats are possible, e.g. `Mon..Fri 22:30`)
### Create a wake up service
Create the file `~/.config/systemd/user/alarmclock.service`:
```
[Unit]
Description=Wake me up
[Service]
ExecStart=/usr/bin/true
```
- Enable your service file too: `systemctl --user enable alarmclock.service`
## Putting it all together
Unfortunately it does not work.
`systemctl --user restart alarmclock.timer`
still leads to
```
Jun 23 13:36:26 mobian systemd[672]: alarmclock.timer: Failed to enter waiting state: Operation not permitted
Jun 23 13:36:26 mobian systemd[672]: alarmclock.timer: Failed with result 'resources'.
```
# :angry:
## Working theory on what goes wrong
OK, I think I got a clue what goes wrong. `/usr/sbin/capsh --print` does not show any capabilities on a gnome-terminal and `/usr/bin/getpcaps <PID of systemd --user>` ALSO shows no capabilities (which makes sense as gnome-terminal seems to be spawned by systemd-user and not the gnome-session!). But when I do `su - USER -c "/usr/sbin/capsh --print"` I do have all the caps I need! It also works when I first do a `login USER`! In both of these cases we go through `/etc/pam.d/common-auth` where the line `pam_cap.so` bestows capabilities on the user. `systemd --user` has no capabilities and is spawned directly by PID1 (according to pstree), it seems to never go through `pam.d/common-auth` and thus never gets the ambient capabilities! But how to solve that is beyond me.
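
To compare the two situations described above, the following added example (not part of the original page) decodes the `Cap*` bitmasks found in `/proc/<PID>/status` and reports which sets contain `cap_wake_alarm` (capability number 35). The function names and the two sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: decode the Cap* lines of /proc/<PID>/status for CAP_WAKE_ALARM.
CAP_WAKE_ALARM=35   # capability number from <linux/capability.h>

# has_cap STATUS_FILE SET BIT
# SET is CapInh, CapPrm, CapEff, CapBnd or CapAmb.
# Returns 0 if BIT is set, 1 if it is clear, 2 if the file has no such line.
has_cap() {
    hex=$(sed -n "s/^$2:[[:space:]]*\([0-9a-fA-F]\{1,\}\)[[:space:]]*\$/\1/p" "$1")
    [ -n "$hex" ] || return 2
    [ $(( (0x$hex >> $3) & 1 )) -eq 1 ]
}

# wake_alarm_report STATUS_FILE
# Prints "CapInh=yes|no CapPrm=... CapEff=... CapBnd=... CapAmb=..." for CAP_WAKE_ALARM.
wake_alarm_report() {
    out=""
    for s in CapInh CapPrm CapEff CapBnd CapAmb; do
        if has_cap "$1" "$s" "$CAP_WAKE_ALARM"; then v=yes; else v=no; fi
        out="$out$s=$v "
    done
    printf '%s\n' "${out% }"
}

# sample HEX: constructed status excerpt (not captured from a real system).
# HEX goes into every set except the bounding set, which holds capabilities 0..40.
sample() {
    printf 'Name:\tsample\nCapInh:\t%s\nCapPrm:\t%s\nCapEff:\t%s\n' "$1" "$1" "$1"
    printf 'CapBnd:\t000001ffffffffff\nCapAmb:\t%s\n' "$1"
}

# Demo on the two constructed cases:
#   su_session   - shaped like the `su - USER` shell (cap_wake_alarm=eip plus ambient)
#   user_manager - shaped like a `systemd --user` process holding no capabilities
demo=$(mktemp -d)
sample 0000000800000000 > "$demo/su_session"      # only bit 35 set
sample 0000000000000000 > "$demo/user_manager"
for f in su_session user_manager; do
    printf '%-13s %s\n' "$f" "$(wake_alarm_report "$demo/$f")"
done
rm -rf "$demo"
```

On a live system, call `wake_alarm_report /proc/<PID>/status` with the PID of `systemd --user` and with the PID of a shell started through `su - USER`.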
## Acknowledgements
Credits to: AndrewGMorgan, Lennart Poettering, Christian Kastner, Kai Lueke, jsparber and many others.
## References
Systemd and capabilities:
* https://gitlab.gnome.org/GNOME/gnome-clocks/-/issues/153
* https://gitlab.gnome.org/GNOME/gnome-clocks/-/issues/100
* https://gitlab.gnome.org/GNOME/gnome-clocks/-/merge_requests/146
* Systemd issue [Make WakeSystem= available for user units](https://github.com/systemd/systemd/issues/17564)
Systemd and timer units:
* https://wiki.archlinux.org/title/Systemd/Timers
# More notes
Immediately create a timer without creating files:
`systemd-run --collect --user --unit=alarm-clock --on-active="1m" --timer-property=WakeSystem=true flatpak run io.bassi.Amberol`