[arch-general] [pam/consolekit] Help needed for desktop permission handling
While packaging Xfce 4.7 I had to find a way to allow the desktop user to shut down/reboot (consolekit), hibernate/suspend (upower), and mount removable devices (udisks).
Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.
As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.
But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at
https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391
Pam has an update pending (also fixing security related issues) and quite a lot of open bugs: https://bugs.archlinux.org/index.php?string=pam&project=1&search_nam...
So please someone with time and knowledge may have a look (Tobias P. doesn't seem to have the time for this). If we can't manage to fix this until the Xfce release I'd like to know what you think could be a good and safe workaround (recommending power/storage groups?).
Note: Gentoo also seems to be running into this pam/consolekit issue. Not sure about Ubuntu and Fedora (that does heavy pam configurations).
-Andy
On 11/21/2010 04:55 PM, Andreas Radke wrote:
> Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.
Indeed, in consolekit 0.4.2 the default behavior is to not trust anyone unless it is specified by a third party like gdm/kdm/etc. For others we need to authorize them using pam.
> As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.
The last one we rejected https://bugs.archlinux.org/task/21029 a couple of weeks ago.
> But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at
> https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391
The first one is a must for easy management in the future.
On Mon, Nov 22, 2010 at 2:01 PM, Ionuț Bîru ibiru@archlinux.org wrote:
> On 11/21/2010 04:55 PM, Andreas Radke wrote:
> > Recent display managers (gdm, kdm and lxdm) can handle their own polkit/consolekit session through pam access. The gnome/xfce4-session packages only have basic access to consolekit and since the consolekit 0.4.2 in testing they can't deal with it anymore.
> Indeed, in consolekit 0.4.2 the default behavior is to not trust anyone unless it is specified by a third party like gdm/kdm/etc. For others we need to authorize them using pam.
> > As a workaround I have plans to ship files in xfce4-session as proto files where the admin can add users or groups to allow certain actions: /etc/polkit-1/localauthority/50-local.d/org.freedesktop.upower.pkla and /etc/polkit-1/localauthority/50-local.d/org.freedesktop.consolekit.pkla and maybe one for udisk something like https://aur.archlinux.org/packages.php?ID=42669 . This could also be done each in the consolekit/upower/udisks packages.
> The last one we rejected https://bugs.archlinux.org/task/21029 a couple of weeks ago.
> > But all this is crap working around some nasty bugs in our pam pkg not allowing direct access to consolekit. Please have a look at
> > https://bugs.archlinux.org/task/17188 https://bugs.archlinux.org/task/21391
> The first one is a must for easy management in the future.
Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
Slim was recently updated with a patch which removes the "Host" setting from PAM, and Ionut updated the shadow package to add pam_ck_connector to pam login.
I made some tests tonight and I didn't find the right way to have active = TRUE and is-local = TRUE in ck-list-session with slim login or from a startx from a console shell. My best solution is with is-local=TRUE and active = FALSE (with this, networkmanager is not working!).
Has anyone succeeded?
Regards,
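The check described in the message above, reading the `active` and `is-local` flags of each session, can be scripted. This is an added example, not part of the original thread or of any package discussed in it; the function names and the sample session text are constructed for illustration. polkit gives its `ResultActive` answer only to sessions that are both active and local, which is why a session with active = FALSE loses those actions.

```sh
#!/bin/sh
# Added example (not from the thread): classify ConsoleKit sessions.
# Input is text in the "key = value" layout that ck-list-sessions prints.

# Constructed sample, not output captured from a real machine.
sample_sessions() {
cat <<'EOF'
Session1:
    unix-user = '1000'
    seat = 'Seat1'
    active = FALSE
    x11-display = ':0.0'
    is-local = TRUE
Session2:
    unix-user = '1001'
    seat = 'Seat2'
    active = TRUE
    x11-display = ':1.0'
    is-local = TRUE
EOF
}

# Print one line per session: name, uid, both flags and a verdict.
ck_classify() {
    awk '
    function emit() {
        if (name == "") return
        verdict = "not-local"
        if (islocal == "TRUE") verdict = (active == "TRUE") ? "active-local" : "local-inactive"
        printf "%s uid=%s active=%s is-local=%s -> %s\n", name, uid, active, islocal, verdict
    }
    /^[A-Za-z0-9]+:$/ { emit(); name = $1; sub(/:$/, "", name)
                        uid = active = islocal = "?"; next }
    $2 == "=" { val = $3; gsub(/\047/, "", val)
                if ($1 == "unix-user") uid = val
                if ($1 == "active")    active = val
                if ($1 == "is-local")  islocal = val }
    END { emit() }'
}

# Succeed only if user id $1 owns a session that is both active and local.
ck_has_active_local() {
    ck_classify | grep -q "uid=$1 .*-> active-local\$"
}

# Demo on the sample; on a live system: ck-list-sessions | ck_classify
sample_sessions | ck_classify
```

Running `ck-list-sessions | ck_has_active_local "$(id -u)"` after logging in through a display manager or startx shows whether the PAM stack registered the session the way polkit expects.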
[2011-01-31 08:40:37 +0100] Seblu:
> Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.
If you run i686, please let me know if this package solves your issues:
http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
Or you can compile your own package from source:
http://arch.vesath.org/all/slim-1.3.2-3.src.tar.xz
On 01/31/2011 10:05 AM, Gaetan Bisson wrote:
> [2011-01-31 08:40:37 +0100] Seblu:
> > Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
> I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.
> If you run i686, please let me know if this package solves your issues:
> http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
> Or you can compile your own package from source:
I think the proper solution would be pam.d/slim to include pam.d/login. I don't know the right syntax but this one should avoid loading two times pam_ck_connector.so
pam.d/slim has all the modules that pam.d/login has.
Proper testing is required.
On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson bisson@archlinux.org wrote:
> [2011-01-31 08:40:37 +0100] Seblu:
> > Hello, I dug up this old thread to know if someone found a suitable solution to use slim (or startx) + window manager working correctly with consolekit > 0.4.1?
> I made a new package for i686 (after Ionut/Foutrelis suggested a session pam_ck_connector.so line to be added to slim.pam) which hopefully fixes this. Then my build system for x86_64 got broken and I haven't had time to repair it yet.
> If you run i686, please let me know if this package solves your issues:
> http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
> Or you can compile your own package from source:
I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. The package is compiled; I will test it this evening after work.
Regards,
[2011-01-31 09:50:35 +0100] Seblu:
> On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson bisson@archlinux.org wrote:
> > If you run i686, please let me know if this package solves your issues:
> > http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
> > Or you can compile your own package from source:
> I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. The package is compiled; I will test it this evening after work.
Never mind then, wrong file. :)
I've just put the right one at the exact same URL.
On Mon, Jan 31, 2011 at 10:03 AM, Gaetan Bisson bisson@archlinux.org wrote:
> [2011-01-31 09:50:35 +0100] Seblu:
> > On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson bisson@archlinux.org wrote:
> > > If you run i686, please let me know if this package solves your issues:
> > > http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
> > > Or you can compile your own package from source:
> > I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. The package is compiled; I will test it this evening after work.
> Never mind then, wrong file. :)
> I've just put the right one at the exact same URL.
Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
On Mon, Jan 31, 2011 at 10:58 AM, Seblu seblu@seblu.net wrote:
> On Mon, Jan 31, 2011 at 10:03 AM, Gaetan Bisson bisson@archlinux.org wrote:
> > [2011-01-31 09:50:35 +0100] Seblu:
> > > On Mon, Jan 31, 2011 at 9:05 AM, Gaetan Bisson bisson@archlinux.org wrote:
> > > > If you run i686, please let me know if this package solves your issues:
> > > > http://arch.vesath.org/all/slim-1.3.2-3-i686.pkg.tar.xz
> > > > Or you can compile your own package from source:
> > > I'm on x86_64, I downloaded your source file and I don't see in slim.pam a line about pam_ck_connector, but a new 90-consolekit file. I suppose the solution is in this file. The package is compiled; I will test it this evening after work.
> > Never mind then, wrong file. :)
> > I've just put the right one at the exact same URL.
> Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
Sometimes an image speaks more than text.
When I make tests with gdm/kdm, all works perfectly. But I'm really wondering why, when I start my sessions manually from a console with a local granted console, it's not good.
[2011-01-31 11:42:56 +0100] Seblu:
> On Mon, Jan 31, 2011 at 10:58 AM, Seblu seblu@seblu.net wrote:
> > Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
> When I make tests with gdm/kdm, all works perfectly. But I'm really wondering why, when I start my sessions manually from a console with a local granted console, it's not good.
This would all probably be better discussed in a bug report (targeted specifically at slim). Could you open one?
On Mon, Jan 31, 2011 at 12:00 PM, Gaetan Bisson bisson@archlinux.org wrote:
> [2011-01-31 11:42:56 +0100] Seblu:
> > On Mon, Jan 31, 2011 at 10:58 AM, Seblu seblu@seblu.net wrote:
> > > Got it. The only difference is the line added in slim.pam? Because I made some tests by manually adding this line tonight, and this was not a solution.
> > When I make tests with gdm/kdm, all works perfectly. But I'm really wondering why, when I start my sessions manually from a console with a local granted console, it's not good.
> This would all probably be better discussed in a bug report (targeted specifically at slim). Could you open one?
I need more investigation before filing a bug report. I will do it this week if necessary.
participants (4)
- Andreas Radke
- Gaetan Bisson
- Ionuț Bîru
- Seblu