216664 2008-04-07 08:53 0000 gnome-base/gdm-2.20.4: please stop using pam.d/system-local-login 2008-04-20 20:38:18 0000 1 1 1 Unclassified Gentoo Linux Ebuilds unspecified All Linux RESOLVED FIXED P2 normal --- 1 srrijkers@gmail.com gnome@gentoo.org srrijkers@gmail.com 2008-04-07 08:53:13 0000 Seeing flameeyes' final comment to bug #212473 I think it would be better to just let gdm use system-auth instead of system-local-login. This way it won't use pam_lastlog.so and friends by default. The problem with just removing the pam_lastlog.so etc lines from system-login is that they get disabled for normal logins as well, which would be undesireable. However, it seems just plain wrong to use something like pam_mail.so with gdm. Perhaps a "keyring" USE-flag controlling the insertion of the pam_gnome_keyring lines into /etc/pam.d/gdm would be nice. eva@gentoo.org 2008-04-07 09:38:06 0000 If you don't use system-local-login, you don't get consolekit, if you don't use system-login, you don't get keyring (out of many others optional stuff). Solution: from my point of view, the current system is ok as it is because it stacks things well. The only problem as you and other users have seen is that console apps don't need the same things gui apps need. So no, for now, I won't use anything else than system-local-login. I haven't had time to come up with a clever solution. srrijkers@gmail.com 2008-04-08 11:50:12 0000 What's wrong with adding a keyring USE-flag to gdm controlling the corresponding line in /etc/pam.d/gdm? Since consolekit is allready a required DEPEND why not add its corresponding line to /etc/pamd.d/gdm? Same goes for the other stuff that gdm needs and that is not in system-auth - pam_nologin, pam_tally, pam_account, and pam_shells. Also, according to this gnome bug comment [1], pam_gnome_keyring.so should *not* be called from gdm-autologin. This does happen with the current gentoo setup - well, in all fairness, it gets called by every program using system-login, which is just plain *wrong*. Instead, users should use a blank password for the login keyring, which gkr-2.22 should support. Indeed, console logins != gui logins; they need different things. However, if you'd read the bug I mentioned earlier you'd see that flameeyes is not really willing to fix this. To follow his advice in that bug, the 'solution' is for gdm to not use system-login. [1] http://bugzilla.gnome.org/show_bug.cgi?id=506356#c5 eva@gentoo.org 2008-04-08 13:05:22 0000 I read it, thanks and I'm telling you I'm not willing to fix it either. There are more important thinks than a popup a login time to fix first. Thanks for understanding. srrijkers@gmail.com 2008-04-12 08:49:07 0000 For the record, let me note that pam_ck_connector should not explicitly be called from /etc/pam.d/gdm or, as is currently the case, by /etc/pam.d/system-local-login, as gdm launches a ConsoleKit session by itself. See Fedora's gdm pam file for example: it does not have an entry for pam_ck_connector. If pam_ck_console is called by a pam rule this leads to the creation of a bogus session for the logged-in user. Also, specifying this "optional pam_ck_connector" breaks PolicyKit's "active console" functionality. IOW, removing the line unbreaks automounting (and PolicyKit in general) with the PolicyKit snapshot I'm currently using. eva@gentoo.org 2008-04-12 13:22:25 0000 side note: policykit is not supported under gentoo until further notice. srrijkers@gmail.com 2008-04-12 14:24:48 0000 (In reply to comment #5) > side note: policykit is not supported under gentoo until further notice. So what? I'm just trying to figure out how to make it work for Gentoo, especially with regard to automounting since that's the reason it's masked according to package.mask (of course, we have bug #215701 as well). Looks like the fix for the automounting problem lies here. That's all. eva@gentoo.org 2008-04-12 14:31:00 0000 if you are working on policykit, contact people on #gentopia. As policykit is in no way ready to be unmasked this has no place here. Thanks for understanding the original message. And wrt to automounting, it's working on all boxes I have access too and it works for people I know as well. There is a bug opened about this anyway because some people seems to experience problems with it but we are digressing. Please focus on summary subject. srrijkers@gmail.com 2008-04-12 15:02:44 0000 I was talking about automounting when using PolicyKit, not automounting in general. I mentioned it here because gdm's current pam setup breaks it (<- automounting with PolicyKit, that is). dang@gentoo.org 2008-04-15 02:05:19 0000 Personally, I think policykit should be taken out behind the barn and shot... However, it does seem to be gaining traction, so if you can figure it out, we'd like to know. If you can't get it to work, we'll let fedora and ubuntu work out the quirks before we try. (FTR, those timestamps on everything from gdm to sudo are bloody annoying...) eva@gentoo.org 2008-04-20 20:38:18 0000 ok finally got around thinking about this bug enough to get my hands together and I've just commited a fix with 2.20.5. Please reopen if you still find problems with it.