[arch-general] [pam/consolekit] Help needed for desktop permission handling

newer
[arch-general] Frequency of abs...

Andreas Radke

21 Nov 2010 21 Nov '10

2:55 p.m.

While packaging Xfce 4.7 I had to find a way to allow the desktop user to shutdown/reboot(consolekit), hibernate/suspend(upower),mounte removable devices(udisks). Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore. As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages. But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391 Pam has an update pending (also fixing security related issues) and quiet a lot open bugs: https://bugs.archlinux.org/index.php?string=pam&project=1&search_name=&type[]=&sev[]=&pri[]=&due[]=&reported[]=&cat[]=&status[]=open&percent[]=&opened=&dev=&closed=&duedatefrom=&duedateto=&changedfrom=&changedto=&openedfrom=&openedto=&closedfrom=&closedto=&do=index So please someone with time and knowledge may have look (Tobias P. doesn't seem to have the time for this). If we can't menage to fix this until the Xfce release I'd like to know what you think could be a good and safe workaround (recommending power/storage groups?). Note: Gentoo seems also running into this pam/consolekit issue. Not sure about Ubuntu and Fedora(that does heavy pam configurations). -Andy

Show replies by date

Ionuț Bîru

22 Nov 22 Nov

1:01 p.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

On 11/21/2010 04:55 PM, Andreas Radke wrote:

...

Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.

indeed in consolekit 0.4.2 the default behavior is to not trust anyone unless is specified by a third party like gdm/kdm/etc. For other we need to authorized them using pam

...

As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.

the last one we rejected https://bugs.archlinux.org/task/21029 couples of weeks ago.

...

But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at

https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391

first one is a must for easy management in the future -- Ionuț

Seblu

31 Jan 31 Jan

7:40 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

On Mon, Nov 22, 2010 at 2:01 PM, Ionuț Bîru wrote:

...

On 11/21/2010 04:55 PM, Andreas Radke wrote:

...
Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.

indeed in consolekit 0.4.2 the default behavior is to not trust anyone unless is specified by a third party like gdm/kdm/etc. For other we need to authorized them using pam

...
As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.

the last one we rejected https://bugs.archlinux.org/task/21029 couples of weeks ago.

...
But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at

https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391

first one is a must for easy management in the future

Hello, I dug up this old thread to know if someone find a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1 ? Slim was recently updated with a patch which remove "Host" setting from PAM and Ionut updated shadow package to add pam_ck_connector to pam login. I make some test tonight and i don't find a right way to have active = TRUE and is-local = TRUE in ck-list-session with slim login or from a startx from a console shell. My best solution is with is-local=TRUE and active = FALSE (with this, networkmanger is not working!). Someone succeeded? Regards, -- Sébastien Luttringer www.seblu.net

Gaetan Bisson

8:05 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

[2011-01-31 08:40:37 +0100] Seblu:

...

Hello, I dug up this old thread to know if someone find a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1 ?

I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet. If you run i686, please let me know if this package solves your issues: http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz Or you can compile your own package from source: http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz -- Gaetan

Ionuț Bîru

8:08 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

On 01/31/2011 10:05 AM, Gaetan Bisson wrote:

...

[2011-01-31 08:40:37 +0100] Seblu:

...
Hello, I dug up this old thread to know if someone find a suitable solution to use slim (or startx) + window manager working correctly with consolekit> 0.4.1 ?

I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.

If you run i686, please let me know if this package solves your issues:

http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz

Or you can compile your own package from source:

http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz

I think the proper solution would be pam.d/slim to include pam.d/login. I don't know the right syntax but this one should avoid loading two times pam_ck_connector.so pam.d/slim has all the modules that pam.d/login has. Proper testing is required. -- Ionuț

Seblu

8:50 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson wrote:

...

[2011-01-31 08:40:37 +0100] Seblu:

...
Hello, I dug up this old thread to know if someone find a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1 ?

I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.

If you run i686, please let me know if this package solves your issues:

http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz

Or you can compile your own package from source:

http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz

I'm on x86_64, I downloaded your source file and i don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose solution is in this file. Package is compiled, i will test it this evening after work. Regards, -- Sébastien Luttringer www.seblu.net

Gaetan Bisson

9:03 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

[2011-01-31 09:50:35 +0100] Seblu:

...

On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson wrote:

...
If you run i686, please let me know if this package solves your issues:

http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz

Or you can compile your own package from source:

http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz

I'm on x86_64, I downloaded your source file and i don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose solution is in this file. Package is compiled, i will test it this evening after work.

Nevermind then, wrong file. :) I've just put the right one at the exact same URL. -- Gaetan

Seblu

9:58 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

On Mon, Jan 31, 2011 at 10:03 AM, Gaetan Bisson wrote:

...

[2011-01-31 09:50:35 +0100] Seblu:

...
On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson wrote:

...
If you run i686, please let me know if this package solves your issues:

http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz

Or you can compile your own package from source:

http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz

I'm on x86_64, I downloaded your source file and i don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose solution is in this file. Package is compiled, i will test it this evening after work.

Nevermind then, wrong file. :)

I've just put the right one at the exact same URL.

Got it. The only difference is the line added in slim.pam? Because i made some test by manually adding this line tonight, and this was not a solution. -- Sébastien Luttringer www.seblu.net

Seblu

10:42 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

On Mon, Jan 31, 2011 at 10:58 AM, Seblu wrote:

...

On Mon, Jan 31, 2011 at 10:03 AM, Gaetan Bisson wrote:

...
[2011-01-31 09:50:35 +0100] Seblu:

...
On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson wrote:

...
If you run i686, please let me know if this package solves your issues:

http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz

Or you can compile your own package from source:

http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz

I'm on x86_64, I downloaded your source file and i don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose solution is in this file. Package is compiled, i will test it this evening after work.

Nevermind then, wrong file. :)

I've just put the right one at the exact same URL.

Got it. The only difference is the line added in slim.pam? Because i made some test by manually adding this line tonight, and this was not a solution.

Sometime an image speak more than text. When i make test with gdm/kdm all works perfectly. But i'm really wondering why when i start my sessions manually from a console with a local granted console it's not good. -- Sébastien Luttringer www.seblu.net

Gaetan Bisson

11 a.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

[2011-01-31 11:42:56 +0100] Seblu:

...

On Mon, Jan 31, 2011 at 10:58 AM, Seblu wrote:

...
Got it. The only difference is the line added in slim.pam? Because i made some test by manually adding this line tonight, and this was not a solution.

When i make test with gdm/kdm all works perfectly. But i'm really wondering why when i start my sessions manually from a console with a local granted console it's not good.

This would all probably be better discussed in a bug report (targeted specifically at slim). Could you open one? -- Gaetan

Seblu

3:23 p.m.

New subject: [arch-general] [pam/consolekit] Help needed for desktop permission handling

On Mon, Jan 31, 2011 at 12:00 PM, Gaetan Bisson wrote:

...

[2011-01-31 11:42:56 +0100] Seblu:

...
On Mon, Jan 31, 2011 at 10:58 AM, Seblu wrote:

...
Got it. The only difference is the line added in slim.pam? Because i made some test by manually adding this line tonight, and this was not a solution.

When i make test with gdm/kdm all works perfectly. But i'm really wondering why when i start my sessions manually from a console with a local granted console it's not good.

This would all probably be better discussed in a bug report (targeted specifically at slim). Could you open one?

I need more investigation before filling a bug report. I will do this week if necessary. -- Sébastien Luttringer www.seblu.net

4833

Age (days ago)

4904

Last active (days ago)

List overview

Download

10 comments

4 participants

participants (4)

Andreas Radke
Gaetan Bisson
Ionuț Bîru
Seblu