With consolekit-0.4.2 I can't shut down/reboot from the GNOME panel as a user, and I can't use all options with gnome-power-manager. Now I use consolekit-0.4.1-r1 and everything works fine, but I hope you can fix this. Thanks.
Yes, confirmed. Same problem with p.masked Xfce4; didn't realize it was a consolekit-0.4.2 problem before this bug report, was debugging the problem in entirely the wrong place...

I've masked 0.4.2 for now.

# Samuli Suominen <ssuominen@gentoo.org> (09 Sep 2010)
# There seems to be some problems with consolekit 0.4.2,
# in ck-list-sessions it always ends up as:
# active = FALSE
# is-local = FALSE
# There is also bug 336634 about this.
=sys-auth/consolekit-0.4.2
Note that there is a new dbus out, and also polkit (needs unreleased glib, or an experimental one, likely from gnome-overlay). I'd put my money on the fact that ck-0.4.2 needs either or both of them to go with. Just an educated guess.
http://cgit.freedesktop.org/ConsoleKit/commit/?id=4f88228f31a63c026c424a92827f26ad7535275c might be causing this, too bad the bug it refers to is secret: https://bugs.freedesktop.org/show_bug.cgi?id=28377
Fixed by 0.4.2-r1. +*consolekit-0.4.2-r1 (09 Sep 2010) + + 09 Sep 2010; Samuli Suominen <ssuominen@gentoo.org> + consolekit-0.4.2.ebuild, +consolekit-0.4.2-r1.ebuild, + +files/consolekit-0.4.2-revert.patch: + Revert upstream "Only set sessions to be is-local=true if set by a trusted + party" wrt #336634.
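Review bot: the ChangeLog line for files/consolekit-0.4.2-revert.patch identifies the reverted upstream commit only by its title, "Only set sessions to be is-local=true if set by a trusted party", and that title describes a trust restriction on is-local. The entry should say that the revert lifts this restriction and that it is a temporary workaround for #336634, so that the patch is not carried into later revisions unnoticed.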
I wouldn't consider this fixed if the fix is a wholesale reverting of a security patch. Reopening until a complete fix comes, possibly with upstream advice...
Agreed, sorry about that -- didn't realize it was a security bug because the upstream bug was kept secret. :-) The original Fedora bug, https://bugzilla.redhat.com/show_bug.cgi?id=585952, is still marked secret. And at the risk of making a fool of myself, I asked for advice at the fdo bug.
I think I can shed some light on this issue. Can those whose sessions are being opened with the is-local parameter as false please state what login manager they're using, or if they are using xinit/startx with agetty?

Those using gdm and kdm should not have issues. These managers run as privileged processes that can use OpenSessionWithParameters, from which local graphical sessions can be opened. xdm and slim can most likely use the ck pam module, but there are some limitations there.

For those using xinit and agetty:

1) Enable auditing in the kernel. CONFIG_AUDIT=y
2) Add "session optional pam_ck_connector.so" to /etc/pam.d/login. (I use system-local-login which I include in /etc/pam.d/login. You can also give params like nox. See man pam_ck_connector.so)
3) Use ck-launch-session mywindowmanager somewhere in your xinitrc.

Gentoo currently has this module in system-auth but this is not inherited by login.

The pam module allows a local session to be created via a privileged process using the OpenSessionWithParameters method. A local text session is then created. When xinit is executed, ck-launch-session calls the OpenSession method, which requires ConsoleKit to check if the new session leader originates from an already existing local session (which is now the case). For Linux, ConsoleKit uses sessionids from the /proc/pid interface to determine this, so auditing support is needed for this to work.

This should fix this issue. Also check the script you provide in /etc/X11/xinit/xinitrc.d for ConsoleKit. If it checks the XDG_SESSION_COOKIE env var and only runs ck-launch-session if it is not found, this is wrong. Notice we are creating two sessions, a text and a graphical; this is what we want to do.
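As an added example (not part of the comment above and not ConsoleKit or Gentoo code), the shell functions below check whether a PAM service's session stack actually reaches pam_ck_connector.so through its include chain, and pick the FALSE active/is-local flags out of ck-list-sessions output. The function names pam_reaches_ck, ck_flag_sessions and demo are hypothetical, and the PAM tree and session listing in the demo are constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# pam_reaches_ck SERVICE [PAMDIR]: succeed if SERVICE's session stack reaches
# pam_ck_connector.so, following "session include|substack FILE" lines.
pam_reaches_ck() (
    svc=$1 dir=${2:-/etc/pam.d} seen=${3:-}
    [ -r "$dir/$svc" ] || return 1
    case " $seen " in *" $svc "*) return 1 ;; esac    # include-loop guard
    # "|| [ -n ... ]" keeps a last line that lacks a trailing newline
    while read -r type control module rest || [ -n "$type" ]; do
        case $type in session|-session) ;; *) continue ;; esac
        case $control in
            include|substack)
                pam_reaches_ck "$module" "$dir" "$seen $svc" && return 0 ;;
            *)
                case "$control $module $rest" in
                    *pam_ck_connector.so*) return 0 ;;
                esac ;;
        esac
    done < "$dir/$svc"
    return 1
)

# ck_flag_sessions: read ck-list-sessions output on stdin; print one line for
# each "active" or "is-local" attribute that is FALSE, prefixed by its session.
ck_flag_sessions() {
    awk '
        /^Session[0-9]+:/ { name = $1; sub(/:$/, "", name) }
        ($1 == "active" || $1 == "is-local") && $3 == "FALSE" {
            print name ": " $1 "=FALSE"
        }'
}

# Constructed demo: login -> system-local-login -> system-login.
demo() {
    d=$(mktemp -d) || return 1
    printf 'session optional pam_ck_connector.so nox11\n' > "$d/system-login"
    printf 'session include system-login\n' > "$d/system-local-login"
    printf 'session include system-local-login\n' > "$d/login"
    pam_reaches_ck login "$d" && echo "login: pam_ck_connector.so reachable"
    printf 'Session1:\n\tactive = FALSE\n\tis-local = FALSE\n' | ck_flag_sessions
    rm -rf "$d"
}
demo
```

On a live system the same functions can be used as `pam_reaches_ck login` and `ck-list-sessions | ck_flag_sessions`.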
Actually, wrt my XDG_SESSION_COOKIE commit I was not entirely correct. If gdm or any other display manager which creates its own ck session is used then ck-launch-session should not be run, so the check will just need to be changed. Sorry, I should really be filing another bug on this.
Once again, it seems that the Kits want a hard requirement of PAM. Without reverting the commit in comment #3, is there any good way to make all of this function as expected *without* a login manager *and* without PAM?
Hi, I have a somewhat different problem: only "active = false". I checked and found the reason: a wrong init script, the daemon starts as "/usr/sbin/console-kit-daemon --no-daemon".
Created attachment 249973: patch
Rechecked; unfortunately it does not work on sys-auth/consolekit-0.4.2 :( It works on sys-auth/consolekit-0.4.1.
Comment on attachment 249973: patch

This bug is for 0.4.2 without the -revert.patch. 0.4.1 works correctly as is.
(In reply to comment #7)
> Can those whose sessions are being opened with the is-local parameter as false
> please state what login manager they're using or if they are using xinit/startx
> with agetty?

startx (with .xinitrc and startxfce4 script from xfce-utils). No display managers.

> For those using xinit and agetty:
>
> 1) Enable auditing in the kernel. CONFIG_AUDIT=y
> 2) Add "session optional pam_ck_connector.so" to /etc/pam.d/login.
> (I use system-local-login which I include in /etc/pam.d/login. You can also
> give params like nox. See man pam_ck_connector.so)
> 3) Use ck-launch-session mywindowmanager somewhere in your xinitrc.

Doesn't change anything to put "session optional pam_ck_connector.so" in login and/or system-local-login. Still active and is-local at FALSE.

> Gentoo currently has this module in system-auth but this is not inherited by
> login.

Doesn't help either, still active and is-local at FALSE.

> The pam module allows a local session to be created via a privileged process
> using the OpenSessionWithParameters method. A local text session is then
> created. When xinit is executed ck-launch-session calls the OpenSession method
> which requires ConsoleKit to check if the new session leader originates from an
> already existing local session (which is now the case). For linux ConsoleKit
> uses sessionid's from the /proc/pid interface to determine this so auditing
> support is needed for this to work.

$ zgrep -i audit /proc/config.gz
CONFIG_AUDIT=y
$ ls -l /proc/pid*
ls: cannot access /proc/pid*: No such file or directory

> Also check the script you provide in /etc/X11/xinit/xinitrc.d for
> ConsoleKit. If it checks the XDG_SESSION_COOKIE env var and only runs
> ck-launch-session if it is not found this is wrong. Notice we are creating two
> sessions a text and a graphical this is what we want to do.
>

That seems to be broken then... (/etc/X11/xinit/xinitrc.d/90-consolekit):

# -*- sh -*-
# Xsession.d script for ck-launch-session.
#
#
# This file is sourced by Xsession(5), not executed.

CK_LAUNCH_SESSION=/usr/bin/ck-launch-session

if [ -z "$XDG_SESSION_COOKIE" ] && [ -x "$CK_LAUNCH_SESSION" ]; then
    command="$CK_LAUNCH_SESSION $command"
fi
Created attachment 251443: 90-consolekit (from Debian)

The more advanced version from Debian, but it doesn't change this bug at all. Still need the -revert.patch.
(In reply to comment #7)
> 2) Add "session optional pam_ck_connector.so" to /etc/pam.d/login.
> (I use system-local-login which I include in /etc/pam.d/login. You can also
> give params like nox. See man pam_ck_connector.so)
> 3) Use ck-launch-session mywindowmanager somewhere in your xinitrc.
>
> Gentoo currently has this module in system-auth but this is not inherited by
> login.

Gentoo has it in system-login, not system-auth, and it looks to be included from others:

system-login:session optional pam_ck_connector.so nox11
system-local-login:session include system-login
system-remote-login:session include system-login

Tried adding it directly to others (like directly to login) but no change...
Ignore previous, we tracked this down to broken revision of sys-auth/shadow that installed inconsistent login file, thanks to Diego for helping with this. +*consolekit-0.4.2-r3 (21 Oct 2010) + + 21 Oct 2010; Samuli Suominen <ssuominen@gentoo.org> + +consolekit-0.4.2-r3.ebuild, +files/90-consolekit-2: + Update /etc/X11/xinit/xinitrc.d/90-consolekit from Debian. Remove + -revert.patch and block broken sys-apps/shadow instead wrt #336634.
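Review bot: the entry says it will "block broken sys-apps/shadow" without naming the blocked revision, and it folds the removal of -revert.patch into the same sentence as the 90-consolekit update. State which shadow revision is blocked, and give the removal of the revert its own sentence so that the return of the upstream is-local restriction is easy to find in the log.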