FS#21391 - [shadow] [pam] consolekit should enable pam_ck_connector.so in /etc/pam.d/login

Attached to Project: Arch Linux
Opened by Clemens Fruhwirth (therp) - Thursday, 21 October 2010, 14:17 GMT
Last edited by Ionut Biru (wonder) - Saturday, 29 January 2011, 22:50 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Ionut Biru (wonder)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 13
Private No

Details

Description:

pam_ck_connector.so is a pam plugin to track local user sessions. A local user is privileged over a remote user in that he can shut down the box, change the network configuration, etc. dbus makes use of this.

I presume 100% of Desktop ArchLinux installations have dbus installed (and its dependency consolekit as well). It would be convenient to have a proper installation of

session optional pam_ck_connector.so

in /etc/pam.d/login.

ATM there is just the comment:
# install consolekit and uncomment the line below
# to have ACL handle non-standard udev permissions
But why should 98% of the users do that by hand...

Thanks.

Closed by  Ionut Biru (wonder)
Saturday, 29 January 2011, 22:50 GMT
Reason for closing:  Implemented
Additional comments about closing:  shadow-4.1.4.2-4

slim users, see my last comment
Comment by Jan de Groot (JGC) - Thursday, 21 October 2010, 20:27 GMT
98% of the users who use consolekit on the desktop never have to bother with this, because their login manager has native consolekit support. I don't want to add these modules to pam configuration by default. Besides, it has to be added to a lot of pam modules in that case, not only login. Things like /etc/pam.d/slim come to my mind.
Comment by Tom Gundersen (tomegun) - Friday, 22 October 2010, 01:33 GMT
An option is to prepend the line by "-". I.e.:
-session optional pam_ck_connector.so
It will then be ignored if consolekit is not installed, but loaded if it is.

And then 100% of the users should be happy ;-)
Comment by Clemens Fruhwirth (therp) - Friday, 22 October 2010, 08:14 GMT
Good point tomegun. Please implement that solution.

No login manager for me -> startx (There is some bug, involving rotation GTK apps and gdm)
Comment by Ionut Biru (wonder) - Monday, 25 October 2010, 00:07 GMT
@Jan, with consolekit 0.4.2 users that are using startx are not authorized at all because of:

http://cgit.freedesktop.org/ConsoleKit/commit/?id=4f88228f31a63c026c424a92827f26ad7535275c

if you look at upstream bug report, it seems we need to do some modification to login.
https://bugs.freedesktop.org/show_bug.cgi?id=28377

debian and gentoo are affected. gentoo found the problem in their shadow packages and have an inconsistent login file
http://bugs.gentoo.org/show_bug.cgi?id=336634
Comment by Jan Spakula (bender02) - Friday, 29 October 2010, 07:19 GMT
I can confirm what wonder wrote, I can't get active sessions even with pam_ck_connector and ck-launch-session with ck-0.4.2 (and it worked with 0.4.1). Pretty annoying, forcing users to use gdm (which is a pain to configure so that it looks acceptable to my eyes) just so that they are able to mount removable media as before.

I looked at the gentoo bug but they don't specify what was the actual problem with the login/shadow files... Can something like this be the cause of the problem also here?
Comment by Xavier (shining) - Sunday, 07 November 2010, 11:58 GMT
I've just spent one hour looking into this pam crap.
I simply use startx and gnome, because login managers piss me off even more than pam.

With consolekit 0.4.1, I simply needed this in .xinitrc :
exec ck-launch-session gnome-session

With 0.4.2, I also had to bother with pam...
Just add at the bottom of /etc/pam.d/login:
session optional pam_loginuid.so
session optional pam_ck_connector.so

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598150#61

With only ck_connector, you get a ck session active/local when you login (in tty1), but login-session-id does not work, so the X session started with ck-launch-session does not inherit from it. With loginuid, it seems to work as expected.
Comment by Jan Spakula (bender02) - Monday, 08 November 2010, 07:50 GMT
First, shining's solution (adding pam_loginuid) works for me.

I've just come across an annoying consequence of this: my setup is logging in to tty1 and then startx (eventually runs 'exec ck-launch-session openbox-session'). In openbox, I have 3 ways of running pcmanfm (uses udisks) which I use to mount removable media:
- from openbox menu
- from xbindkeys (which I run from openbox's autostart.sh)
- from lxpanel menu or launcher
Now mounting works with the first 2 ways, and doesn't (Not Authorized) with the last one. I would guess that this is a bug in lxpanel, but it shows that the problem runs a bit deeper than it seemed to me at first glance.
Comment by Ionut Biru (wonder) - Monday, 08 November 2010, 07:58 GMT
try with exec ck-launch-session dbus-launch openbox-session
Comment by Jan Spakula (bender02) - Monday, 08 November 2010, 12:58 GMT
Sorry for cluttering the comments: my bad. lxpanel was launched directly from .xinitrc before ck-lau... So it didn't inherit the correct permissions (how would I say this correctly?).
Comment by Clemens Fruhwirth (therp) - Monday, 08 November 2010, 13:16 GMT
Here is a little trick I use to launch .xinitrc/.xsession completely into ck-launch-session:

ln -s .xsession .xinitrc
ln -s .xsession .xsession-for-ck

At the start of the file:

CKLAUNCH=$HOME/.xsession-for-ck

# Re-exec the whole script under ck-launch-session unless it already runs as $CKLAUNCH
if [ "$0" != "$CKLAUNCH" ]; then
    exec ck-launch-session "$CKLAUNCH"
fi
Comment by Ionut Biru (wonder) - Sunday, 28 November 2010, 16:48 GMT
our experience with pam is not that great. We asked for help here:

http://mailman.archlinux.org/pipermail/arch-dev-public/2010-November/018491.html

To summarize, the way this should be fixed for real (and not with some workaround or by reverting some commit) is to split our pam modules in common-auth like suggested in FS#17188.

This way we only add this rule once and not in all pam modules.
Comment by Sébastien Luttringer (seblu) - Sunday, 28 November 2010, 17:48 GMT
Hi,

I've tried, as shining says, to add
session optional pam_loginuid.so
in addition to my already uncommented line
session optional pam_ck_connector.so in /etc/pam.d/login.
But this changes nothing in my X session run with the slim login manager. My active and is-local are always set to false...

I've tried to add these 2 lines in /etc/pam.d/slim and this changes nothing except there are now 2 sessions open with ck-list-sessions
Session1:
unix-user = '18136'
realname = '(null)'
seat = 'Seat2'
session-type = ''
active = FALSE
x11-display = ':0.0'
x11-display-device = ''
display-device = ''
remote-host-name = 'localhost'
is-local = FALSE
on-since = '2010-11-28T17:31:05.586006Z'
login-session-id = '4294967295'
Session2:
unix-user = '18136'
realname = '(null)'
seat = 'Seat3'
session-type = ''
active = FALSE
x11-display = ':0.0'
x11-display-device = '/dev/tty9'
display-device = ''
remote-host-name = ''
is-local = FALSE
on-since = '2010-11-28T17:31:05.694794Z'
login-session-id = '1'

As you can see, these sessions are still marked inactive and not local, so polkit authorization is always false.

I don't find a good way to make consolekit functional in 0.4.2 (or 0.4.3) when launching my wm manager from slim .xinitrc.
Does somebody have an idea?
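
A listing like the one in the comment above can be checked mechanically. The following is an added example, not part of the original comment and not ConsoleKit code: a shell function that reads ck-list-sessions output on stdin and reports which sessions lack the active and is-local properties, or a usable login-session-id. The names ck_audit and sample_listing and the sample data are constructed for illustration; treating 4294967295 as "unset" is an assumption noted in the code.

```shell
#!/bin/sh
# Added example: flag ConsoleKit sessions that are not active/local.
# Usage on a real system: ck-list-sessions | ck_audit

# Constructed sample listing, modelled on the output format shown above.
sample_listing() {
    cat <<'EOF'
Session1:
    unix-user = '1000'
    active = FALSE
    x11-display = ':0.0'
    is-local = FALSE
    login-session-id = '4294967295'
Session2:
    unix-user = '1000'
    active = TRUE
    x11-display = ':0.0'
    is-local = TRUE
    login-session-id = '1'
EOF
}

# Prints one line per session; returns non-zero if any session has a problem.
ck_audit() {
    awk -v q="'" '
    function flush(   why, id) {
        if (name == "") return
        if (f["active"] != "TRUE")   why = why " not-active"
        if (f["is-local"] != "TRUE") why = why " not-local"
        # Assumption: empty or 4294967295 (2^32-1) means no login session id was set.
        id = f["login-session-id"]
        if (id == "" || id == "4294967295") why = why " no-login-session-id"
        if (why == "") print name ": ok"
        else { print name ":" why; bad++ }
        split("", f)                          # reset fields for the next session
    }
    /^[ \t]*Session[0-9]+:/ { flush(); name = $1; sub(/:$/, "", name); next }
    / = / {
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)         # drop the "key = " part
        gsub("^" q "|" q "[ \t]*$", "", val)  # drop the surrounding quotes
        f[$1] = val
    }
    END { flush(); exit (bad > 0) }
    '
}

sample_listing | ck_audit || echo "at least one session would be denied local privileges"
```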
Comment by Skunnyk (Skunnyk) - Thursday, 02 December 2010, 17:51 GMT
Hi,

I don't use testing right now, but maybe this patch can help for slim + ck 0.4.2: https://bugs.gentoo.org/attachment.cgi?id=254799 (from ssuominen, gentoo user).

More information: https://developer.berlios.de/bugs/?func=detailbug&bug_id=17757&group_id=2663
Comment by Sébastien Luttringer (seblu) - Thursday, 27 January 2011, 11:41 GMT
You ask to follow FS#21899 in this request. But the issue is still present with this inclusion.
rwolf ~ $ ck-list-sessions
Session2:
unix-user = '18136'
realname = '(null)'
seat = 'Seat3'
session-type = ''
active = FALSE
x11-display = ':0.0'
x11-display-device = '/dev/tty9'
display-device = ''
remote-host-name = ''
is-local = FALSE
on-since = '2011-01-27T05:10:23.519296Z'
login-session-id = ''
Comment by Ionut Biru (wonder) - Thursday, 27 January 2011, 11:42 GMT
@seblu please describe your setup.
Comment by Ionut Biru (wonder) - Saturday, 29 January 2011, 22:49 GMT
ok, we can't do anything regarding slim because archlinux is using stock xinit package and we don't have a common Xsession like debian/ubuntu and gentoo have.

gentoo has a script in /etc/X11/xinit/xinitrc.d/ that calls ck-launch-session automatically and is done before the session is started, therefore the whole session is authorized.

we can use that script too but it is not called at all since we don't have a common Xsession for all login managers. Right now this is called only if a local .xinitrc doesn't exist.

if ~/.xinitrc exists the ck-launch-session is called after the session has started and the authorization can't take place. Also the system xinitrc is ignored and the consolekit script is ignored.

Feel free to open a _new_ bug against slim if you have a working solution
