It appears that occasionally, the Terminal application and other Linux applications entirely refuse to start after running `sudo su; exit` and exiting Terminal -- as opposed to the privilege escalation behavior.

Sorry! It would be better for me to say -- the behavior persists until the `termina` VM is stopped and restarted (e.g. via `crosh`, restart, etc.). Hard to say if this might be a bug with the `termina` VM as opposed to ChromeOS.

Ah -- here is a simpler complete repro:
1. install `screen` (e.g. `sudo apt-get install screen`)
2. run `screen`
3. from the `screen` session, run `sudo su`
4. close the Terminal
5. subsequent times that the Terminal application is opened, now, it will be opened as `root`; moreover, any other application that runs from the VM (for example, ones with a `/usr/share/applications` entry) will also run as `root

One can get out of this state with a restart and/or by stopping and restarting the `termina` vm from `crosh`.

The attached screenshot is an example of the Terminal application operating as Root after re-opening it.

Deleted: Screenshot 2018-09-29 at 2.05.14 PM.png 1.6 MB

	Screenshot 2018-09-29 at 2.05.14 PM.png 1.6 MB View Download

Dylan, can you triage?

Since this is all happening within the Crostini container, there's no immediate security implication for Chrome OS as the host -> setting low severity for now.

this is def a bug, but i don't think we consider it a security bug because no privs are gained inside the container that the user doesn't already fully have

so we prob should set this to Type=Bug and drop security markings entirely

I concur with #5, there's no security issue here.

I suspect what's happening is that su starts a systemd user session as root. So garcon and sommelier both also start up as root and shadow the normal uid=1000 garcon/sommelier instances.

Dropping security labels...I reproduced this. When you do a 'sudo su', then as smbarber suggested, it is spawning a systemd user session as root and launching other garcon/sommelier instances. However, when I exit the su session...that quits the 'root' garcon, and it sends the ContainerShutdown message to cicerone...so you can't get a terminal, launch an app, or do anything else with that container from Chrome until you restart the VM at that point.  If I would not have exited that session...then I would have expected app launches and terminals via root.  I'll look into how we can resolve this.

There is a 'ConditionUser' option in the Unit section for systemd, which would be perfect for this...however that is only implemented in a newer version of systemd, which we are not using. :( If anybody has any other ideas, let me know.  This isn't just a problem with root either...as you'd expect if you created a second user in the container and 'su'd into that user you hit the same problem.

https://www.freedesktop.org/software/systemd/man/systemd.unit.html

Here's the github change which added ConditionUser:

https://github.com/systemd/systemd/pull/5926

I think the solution here would be to continue installing the cros-garcon and sommelier units system-wide, but enable them per-user. So as part of the SetUpUser phase in tremplin we'd enable the systemd units. That would ensure that secondary users or su'ing to root wouldn't wreck your session.

One could of course manually start up garcon or sommelier as a secondary user, but at least that's harder to accidentally do than su.

smbarber@ that sounds good...I'll transfer ownership of this to you then. :)