| 1 |
On Mon, Feb 10, 2014 at 4:52 AM, Samuli Suominen <ssuominen@g.o> wrote: |
| 2 |
> |
| 3 |
> On 10/02/14 00:43, walt wrote: |
| 4 |
>> Recent threads about consolekit vs logind(systemd) have made me curious, so |
| 5 |
>> I've been studying... |
| 6 |
>> |
| 7 |
>> A few of us have had recent problems with things like plugging USB sticks, |
| 8 |
>> which once worked transparently but now require root privileges. |
| 9 |
>> |
| 10 |
>> I've discovered that my own such problems are caused by this: |
| 11 |
>> |
| 12 |
>> $loginctl show-session 1 (I have only one session, cleverly named '1') |
| 13 |
>> |
| 14 |
>> Id=1 |
| 15 |
>> Timestamp=Sun 2014-02-09 07:18:32 PST |
| 16 |
>> TimestampMonotonic=389744251 |
| 17 |
>> VTNr=1 |
| 18 |
>> TTY=/dev/tty1 |
| 19 |
>> Remote=no |
| 20 |
>> Service=login |
| 21 |
>> Scope=session-1.scope |
| 22 |
>> Leader=426 |
| 23 |
>> Audit=1 |
| 24 |
>> Type=tty |
| 25 |
>> Class=user |
| 26 |
>> Active=no <========================= should be 'yes' |
| 27 |
>> State=online <======================= should be 'active' |
| 28 |
>> |
| 29 |
>> Users of consolekit, don't feel neglected. You should try this instead: |
| 30 |
>> |
| 31 |
>> $ck-list-sessions |
| 32 |
>> Session1: |
| 33 |
>> unix-user = '1001' |
| 34 |
>> realname = '(null)' |
| 35 |
>> seat = 'Seat2' |
| 36 |
>> session-type = '' |
| 37 |
>> active = FALSE (correct because I'm ssh'd into a remote box) |
| 38 |
>> x11-display = ':0' |
| 39 |
>> x11-display-device = '/dev/tty2' |
| 40 |
>> display-device = '/dev/tty1' |
| 41 |
>> remote-host-name = '' |
| 42 |
>> is-local = FALSE |
| 43 |
>> on-since = '2014-02-09T22:00:10.750312Z' |
| 44 |
>> login-session-id = '1' |
| 45 |
>> |
| 46 |
>> Canek explained that the reason my session is not 'active' is that I'm |
| 47 |
>> not using a Display Manager (gdm kdm lightdm), which talks to logind or |
| 48 |
>> consolekit and vouches for my physical presence at the local keyboard. |
| 49 |
>> |
| 50 |
>> However, when I do the same thing on arch linux (as a virtualbox guest) |
| 51 |
>> I see that my session (running gnome) is 'active' and I have no trouble |
| 52 |
>> powering off the virtual machine as an unprivileged user. |
| 53 |
>> |
| 54 |
>> Any ideas how I can fix it? |
| 55 |
>> |
| 56 |
>> BTW, this helped me to understand some of the buzzwords I used above: |
| 57 |
>> |
| 58 |
>> http://www.freedesktop.org/wiki/Software/systemd/multiseat/ |
| 59 |
>> |
| 60 |
>> |
| 61 |
> |
| 62 |
> sys-auth/pambase with USE="consolekit" or USE="systemd" brings in |
| 63 |
> pam_ck_connector.so (ConsoleKit) or pam_systemd.so (systemd) |
| 64 |
> is required in login to get the initial active session: |
| 65 |
> ConsoleKit or systemd-logind starts during boot -> user logins to tty1 |
| 66 |
> -> PAM triggers pam_ck_connector.so or pam_systemd.so -> and now you |
| 67 |
> have one |
| 68 |
> initial session, second one is started after 'startx' and the |
| 69 |
> login-session-id is the key knowing it's the same user now in X11, |
| 70 |
> instead of console since |
| 71 |
> it changes the first session inactive (since it knows you now started |
| 72 |
> X11 and are no longer in console) and activates the newly started one in X11 |
| 73 |
|
| 74 |
Exactly. |
| 75 |
|
| 76 |
> however display managers with *built-in* CK or logind support are |
| 77 |
> special, and more straightforward and directly talk to CK or logind, and |
| 78 |
> thus, work |
| 79 |
> somewhat more easily by skipping many possible problems |
| 80 |
|
| 81 |
Again, exactly. |
| 82 |
|
| 83 |
> maybe you can somehow do it with GDM |
| 84 |
|
| 85 |
Yes, you can, but you can also do it via startx passing vt01 (or |
| 86 |
whatever) to Xorg. |
| 87 |
|
| 88 |
> so that remote session shows |
| 89 |
> active, i don't know about that, but what you can do is write your own |
| 90 |
> polkit |
| 91 |
> rules like: |
| 92 |
> |
| 93 |
> Put the following content to file: /etc/polkit-1/rules.d/51-local.rules |
| 94 |
> |
| 95 |
> polkit.addAdminRule(function(action, subject) { |
| 96 |
> return ["unix-group:wheel"]; |
| 97 |
> }); |
| 98 |
> |
| 99 |
> Now users in group "wheel" should be able to do anything, this is also |
| 100 |
> in "man 8 polkit" |
| 101 |
|
| 102 |
I don't think that's a good idea. It's going to work, but it's like |
| 103 |
killing flies with cannons, and perhaps a security risk. |
| 104 |
|
| 105 |
More importantly, it's not necessary since X.org has built in support |
| 106 |
for logind; you just need to pass to it the virtual terminal to use so |
| 107 |
the user session it's shared in X11. |
| 108 |
|
| 109 |
No need to configure anything, works out-of-the-box, and you don't |
| 110 |
even need the root password. You just need to use startx this way: |
| 111 |
|
| 112 |
startx -- vt01 |
| 113 |
|
| 114 |
(Or vt02, or vt03, etc.) And that's it. By the way, you can also |
| 115 |
specify the seat for X.org with -seat seatX or whatever. |
| 116 |
|
| 117 |
And that's the beauty of logind; it's getting support everywhere |
| 118 |
(GNOME, polkit, KDE, Xfce, barebones X), and it frees us from |
| 119 |
modifying permissions, or adding/joining groups, or creating policykit |
| 120 |
rules, since it does the Right Thing™. |
| 121 |
|
| 122 |
Regards. |
| 123 |
-- |
| 124 |
Canek Peláez Valdés |
| 125 |
Posgrado en Ciencia e Ingeniería de la Computación |
| 126 |
Universidad Nacional Autónoma de México |
Archives