[arch-general] [pam/consolekit] Help needed for desktop permission handling
While packaging Xfce 4.7 I had to find a way to allow the desktop user to shutdown/reboot (consolekit), hibernate/suspend (upower), mount removable devices (udisks).
Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.
As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions:
/etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla
and
/etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla
and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.
But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at
https://bugs.archlinux.org/task/17188
https://bugs.archlinux.org/task/21391
Pam has an update pending (also fixing security related issues) and quite a lot of open bugs:
https://bugs.archlinux.org/index.php?string=pam&project=1&search_name=&type[]=&sev[]=&pri[]=&due[]=&reported[]=&cat[]=&status[]=open&percent[]=&opened=&dev=&closed=&duedatefrom=&duedateto=&changedfrom=&changedto=&openedfrom=&openedto=&closedfrom=&closedto=&do=index
So please someone with time and knowledge may have a look (Tobias P. doesn't seem to have the time for this).
If we can't manage to fix this until the Xfce release I'd like to know what you think could be a good and safe workaround (recommending power/storage groups?).
Note: Gentoo also seems to be running into this pam/consolekit issue. Not sure about Ubuntu and Fedora (that does heavy pam configurations).
-Andy
On 11/21/2010 04:55 PM, Andreas Radke wrote:
> Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.
Indeed, in consolekit 0.4.2 the default behavior is to not trust anyone unless it is specified by a third party like gdm/kdm/etc. For others we need to authorize them using pam.
> As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.
The last one we rejected https://bugs.archlinux.org/task/21029 a couple of weeks ago.
> But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at
> https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391
The first one is a must for easy management in the future.
-- Ionuț
On Mon, Nov 22, 2010 at 2:01 PM, Ionuț Bîru <ibiru@archlinux.org> wrote:
> On 11/21/2010 04:55 PM, Andreas Radke wrote:
>> Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.
> Indeed, in consolekit 0.4.2 the default behavior is to not trust anyone unless it is specified by a third party like gdm/kdm/etc. For others we need to authorize them using pam.
>> As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.
> The last one we rejected https://bugs.archlinux.org/task/21029 a couple of weeks ago.
>> But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at
>> https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391
> The first one is a must for easy management in the future.
Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
Slim was recently updated with a patch which removes the "Host" setting from PAM and Ionut updated the shadow package to add pam_ck_connector to pam login.
I made some tests tonight and I didn't find a right way to have active = TRUE and is-local = TRUE in ck-list-session with slim login or from a startx from a console shell. My best solution is with is-local=TRUE and active = FALSE (with this, networkmanager is not working!).
Has someone succeeded?
Regards,
-- Sébastien Luttringer www.seblu.net
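Added example, not from the thread or from any Arch package: a simplified Python model of how a .pkla entry of the kind proposed in the first message interacts with the `active` and `is-local` flags that ck-list-sessions reports, which is why a local but inactive session loses actions granted only through `ResultActive`. The group name `power`, the sample file and the session dump are constructed; identity matching is reduced to exact strings and the last matching entry wins.

```python
import configparser
from fnmatch import fnmatch

# Constructed .pkla sample; the group name "power" is an assumption.
PKLA = """
[Allow power group to suspend and hibernate]
Identity=unix-group:power
Action=org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

# Constructed ck-list-sessions output, trimmed to the fields used here.
CK_SESSIONS = """
Session1:
\tunix-user = '1000'
\tactive = TRUE
\tis-local = TRUE
Session2:
\tunix-user = '1000'
\tactive = FALSE
\tis-local = TRUE
"""

def parse_sessions(text):
    """Return {session name: {field: value}} from ck-list-sessions text."""
    sessions, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith(":") and "=" not in line:
            cur = sessions.setdefault(line[:-1], {})
        elif cur is not None and " = " in line:
            key, val = line.split(" = ", 1)
            cur[key] = val.strip("'")
    return sessions

def result_key(session):
    """Pick the .pkla key that applies to a session's local/active state."""
    if session.get("is-local") != "TRUE":
        return "ResultAny"
    return "ResultActive" if session.get("active") == "TRUE" else "ResultInactive"

def decide(pkla_text, session, identities, action):
    """Simplified lookup: last matching entry wins; None means no entry matched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (Identity, ResultActive, ...)
    cp.read_string(pkla_text)
    verdict = None
    for sec in (cp[name] for name in cp.sections()):
        acts = sec.get("Action", "").split(";")
        if identities & set(sec.get("Identity", "").split(";")) and any(fnmatch(action, a) for a in acts):
            verdict = sec.get(result_key(session), verdict)
    return verdict
```

Keeping `ResultAny=no` and `ResultInactive=no` in such a file limits the grant to the user physically at the active local console, so the session flags have to be right before the grant takes effect.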
[2011-01-31 08:40:37 +0100] Seblu:
> Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.
If you run i686, please let me know if this package solves your issues:
http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
Or you can compile your own package from source:
http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz
-- Gaetan
On 01/31/2011 10:05 AM, Gaetan Bisson wrote:
> [2011-01-31 08:40:37 +0100] Seblu:
>> Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
> I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.
> If you run i686, please let me know if this package solves your issues:
> http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
> Or you can compile your own package from source:
I think the proper solution would be pam.d/slim to include pam.d/login. I don't know the right syntax but this one should avoid loading two times pam_ck_connector.so. pam.d/slim has all the modules that pam.d/login has.
Proper testing is required.
-- Ionuț
On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2011-01-31 08:40:37 +0100] Seblu:
>> Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
> I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.
> If you run i686, please let me know if this package solves your issues:
> http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
> Or you can compile your own package from source:
I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. Package is compiled, I will test it this evening after work.
Regards,
-- Sébastien Luttringer www.seblu.net
[2011-01-31 09:50:35 +0100] Seblu:
> On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
>> If you run i686, please let me know if this package solves your issues:
>> http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
>> Or you can compile your own package from source:
> I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. Package is compiled, I will test it this evening after work.
Nevermind then, wrong file. :)
I've just put the right one at the exact same URL.
-- Gaetan
On Mon, Jan 31, 2011 at 10:03 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2011-01-31 09:50:35 +0100] Seblu:
>> On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
>>> If you run i686, please let me know if this package solves your issues:
>>> http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
>>> Or you can compile your own package from source:
>> I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. Package is compiled, I will test it this evening after work.
> Nevermind then, wrong file. :)
> I've just put the right one at the exact same URL.
Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
-- Sébastien Luttringer www.seblu.net
On Mon, Jan 31, 2011 at 10:58 AM, Seblu <seblu@seblu.net> wrote:
> On Mon, Jan 31, 2011 at 10:03 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
>> [2011-01-31 09:50:35 +0100] Seblu:
>>> On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
>>>> If you run i686, please let me know if this package solves your issues:
>>>> http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
>>>> Or you can compile your own package from source:
>>> I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. Package is compiled, I will test it this evening after work.
>> Nevermind then, wrong file. :)
>> I've just put the right one at the exact same URL.
> Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
Sometimes an image speaks more than text.
When I make tests with gdm/kdm all works perfectly. But I'm really wondering why when I start my sessions manually from a console with a local granted console it's not good.
-- Sébastien Luttringer www.seblu.net
[2011-01-31 11:42:56 +0100] Seblu:
> On Mon, Jan 31, 2011 at 10:58 AM, Seblu <seblu@seblu.net> wrote:
>> Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
> When I make tests with gdm/kdm all works perfectly. But I'm really wondering why when I start my sessions manually from a console with a local granted console it's not good.
This would all probably be better discussed in a bug report (targeted specifically at slim). Could you open one?
-- Gaetan
On Mon, Jan 31, 2011 at 12:00 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2011-01-31 11:42:56 +0100] Seblu:
>> On Mon, Jan 31, 2011 at 10:58 AM, Seblu <seblu@seblu.net> wrote:
>>> Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
>> When I make tests with gdm/kdm all works perfectly. But I'm really wondering why when I start my sessions manually from a console with a local granted console it's not good.
> This would all probably be better discussed in a bug report (targeted specifically at slim). Could you open one?
I need more investigation before filing a bug report. I will do it this week if necessary.
-- Sébastien Luttringer www.seblu.net
participants (4): Andreas Radke, Gaetan Bisson, Ionuț Bîru, Seblu