On Mon, Feb 10, 2014 at 4:52 AM, Samuli Suominen <ssuominen@g.o> wrote:
>
> On 10/02/14 00:43, walt wrote:
>> Recent threads about consolekit vs logind(systemd) have made me curious, so
>> I've been studying...
>>
>> A few of us have had recent problems with things like plugging USB sticks,
>> which once worked transparently but now require root privileges.
>>
>> I've discovered that my own such problems are caused by this:
>>
>> $loginctl show-session 1 (I have only one session, cleverly named '1')
>>
>> Id=1
>> Timestamp=Sun 2014-02-09 07:18:32 PST
>> TimestampMonotonic=389744251
>> VTNr=1
>> TTY=/dev/tty1
>> Remote=no
>> Service=login
>> Scope=session-1.scope
>> Leader=426
>> Audit=1
>> Type=tty
>> Class=user
>> Active=no <========================= should be 'yes'
>> State=online <======================= should be 'active'
>>
>> Users of consolekit, don't feel neglected. You should try this instead:
>>
>> $ck-list-sessions
>> Session1:
>> unix-user = '1001'
>> realname = '(null)'
>> seat = 'Seat2'
>> session-type = ''
>> active = FALSE (correct because I'm ssh'd into a remote box)
>> x11-display = ':0'
>> x11-display-device = '/dev/tty2'
>> display-device = '/dev/tty1'
>> remote-host-name = ''
>> is-local = FALSE
>> on-since = '2014-02-09T22:00:10.750312Z'
>> login-session-id = '1'
>>
>> Canek explained that the reason my session is not 'active' is that I'm
>> not using a Display Manager (gdm kdm lightdm), which talks to logind or
>> consolekit and vouches for my physical presence at the local keyboard.
>>
>> However, when I do the same thing on arch linux (as a virtualbox guest)
>> I see that my session (running gnome) is 'active' and I have no trouble
>> powering off the virtual machine as an unprivileged user.
>>
>> Any ideas how I can fix it?
>>
>> BTW, this helped me to understand some of the buzzwords I used above:
>>
>> http://www.freedesktop.org/wiki/Software/systemd/multiseat/
>>
>>
>
> sys-auth/pambase with USE="consolekit" or USE="systemd" brings in
> pam_ck_connector.so (ConsoleKit) or pam_systemd.so (systemd), which
> is required in login to get the initial active session:
> ConsoleKit or systemd-logind starts during boot -> user logs in to tty1
> -> PAM triggers pam_ck_connector.so or pam_systemd.so -> and now you
> have one initial session. The second one is started after 'startx', and
> the login-session-id is the key to knowing it's the same user now in X11
> instead of console, since it changes the first session to inactive
> (since it knows you now started X11 and are no longer in console) and
> activates the newly started one in X11

Exactly.

> however display managers with *built-in* CK or logind support are
> special, and more straightforward and directly talk to CK or logind, and
> thus, work somewhat more easily by skipping many possible problems

Again, exactly.

> maybe you can somehow do it with GDM

Yes, you can, but you can also do it via startx passing vt01 (or
whatever) to Xorg.

> so that remote session shows
> active, I don't know about that, but what you can do is write your own
> polkit rules like:
>
> Put the following content to file: /etc/polkit-1/rules.d/51-local.rules
>
> polkit.addAdminRule(function(action, subject) {
>     return ["unix-group:wheel"];
> });
>
> Now users in group "wheel" should be able to do anything, this is also
> in "man 8 polkit"

I don't think that's a good idea. It's going to work, but it's like
killing flies with cannons, and perhaps a security risk.

More importantly, it's not necessary since X.org has built-in support
for logind; you just need to pass to it the virtual terminal to use so
the user session is shared in X11.

No need to configure anything, works out-of-the-box, and you don't
even need the root password. You just need to use startx this way:

startx -- vt01

(Or vt02, or vt03, etc.) And that's it. By the way, you can also
specify the seat for X.org with -seat seatX or whatever.

And that's the beauty of logind; it's getting support everywhere
(GNOME, polkit, KDE, Xfce, barebones X), and it frees us from
modifying permissions, or adding/joining groups, or creating policykit
rules, since it does the Right Thing™.

Regards.
--
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México
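
A narrower alternative to the admin rule discussed above, as an added example that is not part of the original thread: it grants only the stock udisks2 mount/eject and logind power-off actions to local members of "wheel" and leaves every other action on its default policy. The polkit object, makeSubject and decide are a constructed stand-in so the rule can be exercised under Node.js; the choice of "wheel" and of these three actions is an assumption.

```javascript
// Constructed stand-in for polkitd's rule engine so the rule below can run
// under Node.js. A real rules file contains only the polkit.addRule(...) call.
const polkit = {
  Result: { YES: "yes" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// The rule itself: allow only removable-media and power-off actions, only for
// members of "wheel" (assumed group), and only on a local (non-remote) session.
polkit.addRule(function (action, subject) {
  var ALLOWED = [
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.udisks2.eject-media",
    "org.freedesktop.login1.power-off",
  ];
  if (ALLOWED.indexOf(action.id) !== -1 &&
      subject.local && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  // No return value: polkit falls back to the action's default policy.
});

// Constructed subject carrying the attributes polkit exposes to rules.
function makeSubject(user, groups, local, active) {
  return {
    user, local, active,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; },
  };
}

// Run the registered rules in order; the first result wins. null means
// "not handled", i.e. the stock policy for that action still applies.
function decide(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return null;
}

// Constructed subject modelled on the thread: local tty login, session not active.
const walt = makeSubject("walt", ["wheel", "users"], true, false);
console.log(decide("org.freedesktop.udisks2.filesystem-mount", walt));        // yes
console.log(decide("org.freedesktop.udisks2.filesystem-mount-system", walt)); // null
```

Unlike an admin rule, this leaves system-device mounts and every other action under their default policy, and a member of "wheel" on a remote session is not granted anything by it.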