Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 336634 - sys-auth/consolekit-0.4.2: session always ends up as "active" and "is-local" set FALSE
Summary: sys-auth/consolekit-0.4.2: session always ends up as "active" and "is-local" ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Freedesktop bugs
URL: https://bugs.freedesktop.org/show_bug...
Whiteboard:
Keywords:
Depends on:
Blocks: 342291
  Show dependency tree
 
Reported: 2010-09-09 19:16 UTC by jeff
Modified: 2010-10-27 19:09 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
patch (consolekit_init_patch.txt,318 bytes, text/plain)
2010-10-08 21:06 UTC, Roman Sergeev
Details
90-consolekit (from Debian) (90consolekit,1.00 KB, text/plain)
2010-10-21 12:54 UTC, Samuli Suominen (RETIRED)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description jeff 2010-09-09 19:16:38 UTC
With consolekit-0.4.2 i can't shutdown/reboot from gnome panel as user and i can't use all options with gnome-power-manager.
Now i use consolekit-0.4.1-r1 and all work fine but i hope you can fix this.
Thanks.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-09-09 19:47:12 UTC
Yes, confirmed.  Same problem with p.masked Xfce4, didn't realize it was consolekit-0.4.2 problem before this bug report, was debugging the problem in entirely wrong place...

I've masked 0.4.2 for now.

# Samuli Suominen <ssuominen@gentoo.org> (09 Sep 2010)
# There seems to be some problems with consolekit 0.4.2,
# in ck-list-sessions it always ends up as:
# active = FALSE
# is-local = FALSE
# There is also bug 336634 about this.
=sys-auth/consolekit-0.4.2
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-09-09 19:51:41 UTC
Note that there is new dbus out, and also polkit (needs unreleased glib, or experimental one likely from gnome-overlay). I'd put my money on the fact that ck-0.4.2 needs either, or both of them to go with

Just an educated guess
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2010-09-09 20:53:09 UTC
http://cgit.freedesktop.org/ConsoleKit/commit/?id=4f88228f31a63c026c424a92827f26ad7535275c

might be causing this, too bad the bug it refers to is secret:

https://bugs.freedesktop.org/show_bug.cgi?id=28377
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2010-09-09 21:13:28 UTC
Fixed by 0.4.2-r1.

+*consolekit-0.4.2-r1 (09 Sep 2010)
+
+  09 Sep 2010; Samuli Suominen <ssuominen@gentoo.org>
+  consolekit-0.4.2.ebuild, +consolekit-0.4.2-r1.ebuild,
+  +files/consolekit-0.4.2-revert.patch:
+  Revert upstream "Only set sessions to be is-local=true if set by a trusted
+  party" wrt #336634.
Comment 5 Mart Raudsepp gentoo-dev 2010-09-18 21:20:11 UTC
I wouldn't consider this fixed if the fix is a wholesale reverting of a security patch. Reopening until a complete fix comes, possibly with upstream advice...
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-09-18 21:27:35 UTC
Agreed, sorry about that -- didn't realize it was a security bug because the upstream bug was kept secret. :-)

The original Fedora bug:

https://bugzilla.redhat.com/show_bug.cgi?id=585952

Is still marked secret. And at the risk of making fool of myself, I asked for advise at the fdo bug.
Comment 7 Brett Witherspoon 2010-09-26 09:17:40 UTC
I think I can shed some light on this issue. 

Can those whose sessions are being opened with the is-local parameter as false please state what login manager there using or if they are using xinit/startx with agetty?

Those using gdm and kdm should not have issues. These managers run as privileged process that can use the OpenSessionWithParameters from which local graphical sessions can be opened. xdm and slim can most likely use the ck pam module, but there are some limitations there.

For those using xinit and agetty:

1) Enable auditing in the kernel. CONFIG_AUDIT=y
2) Add "session option pam_ck_connector.so" to /etc/pam.d/login.
(I use system-local-login which I include in /etc/pam.d/login. You can also give params like nox. See man pam_ck_connector.so)
3) Use ck-launch-session mywindowmanager somewhere in your xinitrc.

Gentoo currently has this module in system-auth but this is not inherented by login.

The pam module allows a local session to be created via a privileged process using the OpenSessionWithParamters method. A local text session is then created. When xinit is executed ck-launch-session calls the OpenSession method which requires ConsoleKit to check if the new session leader originates from an already existing local session (which is now the case). For linux ConsoleKit uses sessionid's from the /proc/pid interface to determine this so auditing support is need for this to work.

This should fix this issue.

Also the check the script you provide in /etc/X11/xinit/xinitrc.d for ConsoleKit. If it checks the XDG_SESSION_COOKIE env var and only runs ck-launch-session if it is not found this is wrong. Notice we are creating two sessions a text and a graphical this is what we want todo.
Comment 8 Brett Witherspoon 2010-09-26 22:10:04 UTC
Actually, wrt my XDG_SESSION_COOKIE commit I was not entirely correct. If gdm or any other display manager which creates its own ck session is used then ck-launch-session should not be run, so the check will just need to be changed.

Sorry, I should really be filing another bug on this.
Comment 9 Robby Workman 2010-09-28 01:36:55 UTC
Once again, it seems that the Kits want a hard requirement of PAM.  Without reverting the commit in comment #3, is there any good way to make all of this function as expected *without* a login manager *and* without PAM?
Comment 10 Roman Sergeev 2010-10-08 21:05:37 UTC
hi

i have some different problem - only "active = false"

I checked and found the reason - wrong initsript

daemon starts as "/usr/sbin/console-kit-daemon --no-daemon"
Comment 11 Roman Sergeev 2010-10-08 21:06:07 UTC
Created attachment 249973 [details]
patch
Comment 12 Roman Sergeev 2010-10-08 21:50:57 UTC
rechecked
unfortunately does not work on sys-auth/consolekit-0.4.2
:(
works on sys-auth/consolekit-0.4.1
Comment 13 Samuli Suominen (RETIRED) gentoo-dev 2010-10-09 14:24:53 UTC
Comment on attachment 249973 [details]
patch

This bug is for 0.4.2 without the -revert.patch

0.4.1 works correctly as is.
Comment 14 Samuli Suominen (RETIRED) gentoo-dev 2010-10-21 12:34:41 UTC
(In reply to comment #7)
> Can those whose sessions are being opened with the is-local parameter as false
> please state what login manager there using or if they are using xinit/startx
> with agetty?

startx (with .xinitrc and startxfce4 script from xfce-utils). no display managers.

> For those using xinit and agetty:
> 
> 1) Enable auditing in the kernel. CONFIG_AUDIT=y
> 2) Add "session option pam_ck_connector.so" to /etc/pam.d/login.
> (I use system-local-login which I include in /etc/pam.d/login. You can also
> give params like nox. See man pam_ck_connector.so)
> 3) Use ck-launch-session mywindowmanager somewhere in your xinitrc.

doesn't change anything to put "session optional pam_ck_connector.so" to login, and/or system-local-login. still active and is-local at FALSE.

> Gentoo currently has this module in system-auth but this is not inherented by
> login.

doesn't help either, still active and is-local at FALSE

> The pam module allows a local session to be created via a privileged process
> using the OpenSessionWithParamters method. A local text session is then
> created. When xinit is executed ck-launch-session calls the OpenSession method
> which requires ConsoleKit to check if the new session leader originates from an
> already existing local session (which is now the case). For linux ConsoleKit
> uses sessionid's from the /proc/pid interface to determine this so auditing
> support is need for this to work.


$ zgrep -i audit /proc/config.gz 
CONFIG_AUDIT=y

$ ls -l /proc/pid*
ls: cannot access /proc/pid*: No such file or directory

> Also the check the script you provide in /etc/X11/xinit/xinitrc.d for
> ConsoleKit. If it checks the XDG_SESSION_COOKIE env var and only runs
> ck-launch-session if it is not found this is wrong. Notice we are creating two
> sessions a text and a graphical this is what we want todo.
> 

that seems to be broken then... (/etc/X11/xinit/xinitrc.d/90-consolekit):

# -*- sh -*-
# Xsession.d script for ck-launch-session.
#
#
# This file is sourced by Xsession(5), not executed.

CK_LAUNCH_SESSION=/usr/bin/ck-launch-session

if [ -z "$XDG_SESSION_COOKIE" ] && [ -x "$CK_LAUNCH_SESSION" ]; then
	command="$CK_LAUNCH_SESSION $command"
fi
Comment 15 Samuli Suominen (RETIRED) gentoo-dev 2010-10-21 12:54:24 UTC
Created attachment 251443 [details]
90-consolekit (from Debian)

The more advanced version from Debian, but doesn't change this bug at all. Still need the -revert.patch.
Comment 16 Samuli Suominen (RETIRED) gentoo-dev 2010-10-21 12:59:53 UTC
(In reply to comment #7)
> 2) Add "session option pam_ck_connector.so" to /etc/pam.d/login.
> (I use system-local-login which I include in /etc/pam.d/login. You can also
> give params like nox. See man pam_ck_connector.so)
> 3) Use ck-launch-session mywindowmanager somewhere in your xinitrc.
> 
> Gentoo currently has this module in system-auth but this is not inherented by
> login.

Gentoo has it in system-login, not systema-auth and looks to be included from others:

system-login:session		optional	pam_ck_connector.so nox11
system-local-login:session	include		system-login
system-remote-login:session	include		system-login

Tried adding it directly to others (like directly to login) but no change...

Comment 17 Samuli Suominen (RETIRED) gentoo-dev 2010-10-21 13:38:04 UTC
Ignore previous, we tracked this down to broken revision of sys-auth/shadow that installed inconsistent login file, thanks to Diego for helping with this.

+*consolekit-0.4.2-r3 (21 Oct 2010)
+
+  21 Oct 2010; Samuli Suominen <ssuominen@gentoo.org>
+  +consolekit-0.4.2-r3.ebuild, +files/90-consolekit-2:
+  Update /etc/X11/xinit/xinitrc.d/90-consolekit from Debian. Remove
+  -revert.patch and block broken sys-apps/shadow instead wrt #336634.