
Bug 291116

Summary: sys-auth/polkit doesn't configure/compile without pam support
Product: Gentoo Linux
Reporter: Daniel Drake (RETIRED) <dsd>
Component: New packages
Assignee: Freedesktop bugs <freedesktop-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: ampsaltis, flaschenkopp, nicolasbock, pacho, rworkman, ulm
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.freedesktop.org/show_bug.cgi?id=25155
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 288249    
Attachments: patch to support shadow in polkit-1

Description Daniel Drake (RETIRED) gentoo-dev 2009-10-30 09:00:05 UTC
Fails with:

configure: error: 'none' is only a valid authentication framework for the dummy authorization database

Looks like a bug with --with-authfw=none in configure.ac. I don't understand the code in that section of the file (what's this authdb thing that it refers to?)

Also the ebuild has a bug where USE=expat will override whatever changes were made to ${conf} for PAM.
Comment 1 Daniel Drake (RETIRED) gentoo-dev 2009-10-30 09:05:13 UTC
also seems like you would want to fall back on shadow support, not none for the authfw
Comment 2 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-10-30 17:21:06 UTC
(In reply to comment #1)
> also seems like you would want to fall back on shadow support, not none for the
> authfw
> 

Unfortunately, polkit doesn't have support for shadow (the configure.ac flag is just a stub). Polkit doesn't even seem to support a dummy authdb. If you don't select pam, you unconditionally get this:

libtool: link: i686-pc-linux-gnu-gcc -D_POLKIT_COMPILATION -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -Os -march=pentium4 -pipe -Wall -Wchar-subscripts -Wmissing-declarations -Wnested-externs -Wpointer-arith -Wcast-align -Wsign-compare -Wformat -Wformat-security -Wl,-O1 -Wl,--hash-style=gnu -o .libs/polkit-agent-helper-1 polkit_agent_helper_1-polkitagenthelper.o  -Wl,--as-needed ../../src/polkit/.libs/libpolkit-gobject-1.so -L/usr/lib /usr/lib/libeggdbus-1.so /usr/lib/libdbus-glib-1.so -lnsl /usr/lib/libdbus-1.so /usr/lib/libgio-2.0.so -lresolv /usr/lib/libgobject-2.0.so /usr/lib/libgmodule-2.0.so -ldl /usr/lib/libglib-2.0.so
polkit_agent_helper_1-polkitagenthelper.o: In function `main':
polkitagenthelper.c:(.text+0x102): undefined reference to `pam_start'
polkitagenthelper.c:(.text+0x116): undefined reference to `pam_strerror'
polkitagenthelper.c:(.text+0x130): undefined reference to `pam_set_item'
polkitagenthelper.c:(.text+0x144): undefined reference to `pam_strerror'
polkitagenthelper.c:(.text+0x15e): undefined reference to `pam_authenticate'
polkitagenthelper.c:(.text+0x172): undefined reference to `pam_strerror'
polkitagenthelper.c:(.text+0x189): undefined reference to `pam_acct_mgmt'
polkitagenthelper.c:(.text+0x19d): undefined reference to `pam_strerror'
polkitagenthelper.c:(.text+0x1b7): undefined reference to `pam_get_item'
polkitagenthelper.c:(.text+0x1cb): undefined reference to `pam_strerror'
polkitagenthelper.c:(.text+0x20c): undefined reference to `pam_end'
polkitagenthelper.c:(.text+0x2fa): undefined reference to `pam_end'
collect2: ld returned 1 exit status
---

Upstream is probably completely uninterested in fixing this. I'm forcing pam on for now.
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-11-09 02:51:59 UTC
Turns out, this is slightly more severe than I thought. gnome-session depends on devicekit-power unconditionally, which depends on polkit unconditionally; which means gnome pulls in pam. We can either:

a) Fix polkit to build with a dummy authdb (will compile, but won't work)
b) Fix polkit to work with a shadow backend (no idea how difficult this is)
c) Revert the commits that ported devicekit-power from policykit to polkit (will be messy to maintain)

Currently, a solution (as discovered by ulm), is to use devicekit-power-009 (which unfortunately uses devicekit, which was deprecated in favour of gudev)

Re-assigning to freedesktop-bugs due to increased scope of problem.
Comment 4 Rémi Cardona (RETIRED) gentoo-dev 2009-11-09 10:21:16 UTC
(In reply to comment #3)
> a) Fix polkit to build with a dummy authdb (will compile, but won't work)

Sounds easy to do but kind of defeats the purpose of PK. Doable if b) takes too long to cook up.

> b) Fix polkit to work with a shadow backend (no idea how difficult this is)

Sounds like the correct solution.

> c) Revert the commits that ported devicekit-power from policykit to polkit
> (will be messy to maintain)

NAK, let's forget about the old policykit. Let's focus efforts on the new one. Going backwards _will_ bite us in the ass later on. PK already has us by the balls, let's not ask for even _more_ pain.

> Currently, a solution (as discovered by ulm), is to use devicekit-power-009
> (which unfortunately uses devicekit, which was deprecated in favour of gudev)

Not sure if that's a good plan too, maybe if the situation doesn't last more than a few days/weeks?

My 2¢
Comment 5 Pacho Ramos gentoo-dev 2010-01-06 15:13:02 UTC
Have you thought about Debian's patch for making devicekit gnome-session support optional? I know it doesn't fix the main issue but maybe it could help :-/:
http://patch-tracker.debian.org/patch/series/view/gnome-session/2.28.0-4/03_devicekit_optional.patch
Comment 6 Andrew Psaltis 2010-01-12 00:45:57 UTC
Created attachment 216150 [details, diff]
patch to support shadow in polkit-1

I talked to Nirbheek about this, and he suggested I post this here for more broad consumption.

Here is a patch that removes the dependency on PAM on the polkit in the freedesktop.org git (http://cgit.freedesktop.org/PolicyKit/).  The configure script defaults to using PAM, so you have to pass "--with-authfw=shadow" to it in addition to whatever other flags you need.

I have tested it on my local machine, and some of the Slackware developers have also got their hands on it, and have said that it worked for them.  I'd also appreciate it if some interested gentoo users would test it before I submit it for inclusion in the polkit-1 mainline.

A caveat is that this also requires ConsoleKit.  Right now, console logins with shadow will not register with CK, causing polkit to function incorrectly if one then enters X with "startx".  I had to log in with gdm (you may need to recompile it against CK if you already are using it, I do not know for sure) to be able to test it.
Comment 7 Robby Workman 2010-01-12 01:29:20 UTC
To follow up Andrew's post, assuming the polkit patch is fine (I'm one of the testers, and it seems fine here, best I can tell), we'll need login to poke ConsoleKit when a user logs in at the console.  I don't know if you guys use login from shadow or util-linux-ng, but we use the one from shadow, for what that's worth.

There's an old patch from David Zeuthen in comment #7 at https://bugzilla.redhat.com/show_bug.cgi?id=229172 but that's for login from util-linux-ng, and for selfish reasons, a patch against the one from shadow would be better... :-)
Comment 8 Pacho Ramos gentoo-dev 2010-03-06 10:59:11 UTC
(In reply to comment #7)
> To follow up Andrew's post, assuming the polkit patch is fine (I'm one of the
> testers, and it seems fine here, best I can tell), we'll need login to poke
> ConsoleKit when a user logs in at the console.  I don't know if you guys use
> login from shadow or util-linux-ng, but we use the one from shadow, for what
> that's worth.

We seem to use login from shadow too:
$ equery b login
 * Searching for login ... 
sys-apps/shadow-4.1.2.2 (/etc/pam.d/login)
sys-apps/shadow-4.1.2.2 (/bin/login)
Comment 9 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-03-07 00:07:26 UTC
I've just committed the updated version of the patch I found at http://lists.freedesktop.org/archives/polkit-devel/2010-January/000288.html to the tree in 0.96 (test by building with USE=-pam). I've only compile-tested it, so I don't know if it works with our setup.

Shadow users are strongly encouraged to test this patch out so we know if it works or not. GNOME 2.28 will go stable soon, and we don't want it to get held up by this.

@Andrew, is there a newer version of this patch around? It would be great if we could somehow push this upstream before davidz makes his 1.0 release. I found this bug: https://bugs.freedesktop.org/show_bug.cgi?id=25155
Comment 10 Andrew Psaltis 2010-03-07 02:17:29 UTC
(In reply to comment #9)
> @Andrew, is there a newer version of this patch around? It would be great if
> we could somehow push this upstream before davidz makes his 1.0 release. I
> found this bug: https://bugs.freedesktop.org/show_bug.cgi?id=25155
> 

No further updated patch is available, since no changes have been made to the polkit git since I first submitted it.

Also, I think I found a small bug in the patch that affects users who set password change time limits.  I need to do further testing to be sure of this, but a great many users will not notice this problem (it indeed works for my system, which has no such limits).

If this problem indeed exists, I will submit another patch to the polkit-devel mailing list that includes this fix, and reply to that bug if necessary.
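
Added example (not part of this thread, the attached patch, or polkit): the linker errors in comment 2 show the PAM helper calling both pam_authenticate and pam_acct_mgmt, so a shadow backend has to perform account and password-age checks itself rather than only comparing hashes. The names `acct_status`, `shadow_acct_check`, `shadow_acct_allows_auth` and `sample_entry` are hypothetical, the comparisons follow the field descriptions in shadow(5), and refusing everything except `ACCT_OK` is an assumed policy; it does not reproduce the bug mentioned in comment 10, which the thread does not describe.

```c
#include <shadow.h>
#include <stdio.h>
#include <time.h>

/* Added illustration (not polkit or shadow code); field meanings per shadow(5). */
enum acct_status { ACCT_OK, ACCT_NO_ENTRY, ACCT_EXPIRED, PW_MUST_CHANGE, PW_INACTIVE };

/* Days since 1970-01-01, the unit used by the date fields in /etc/shadow. */
long today_in_days(void) { return (long)(time(NULL) / 86400); }

/* Aging checks a shadow backend has to do itself; with PAM they are the job
 * of pam_acct_mgmt(). A negative field means "not set". */
enum acct_status shadow_acct_check(const struct spwd *sp, long today)
{
    if (sp == NULL) return ACCT_NO_ENTRY;            /* fail closed */
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return ACCT_EXPIRED;                         /* account expiry date reached */
    if (sp->sp_lstchg == 0) return PW_MUST_CHANGE;   /* change forced by the admin */
    if (sp->sp_lstchg < 0 || sp->sp_max < 0)
        return ACCT_OK;                              /* aging not configured */
    long pw_end = sp->sp_lstchg + sp->sp_max;        /* first day the password is too old */
    if (today < pw_end) return ACCT_OK;
    if (sp->sp_inact >= 0 && today >= pw_end + sp->sp_inact)
        return PW_INACTIVE;                          /* grace period used up */
    return PW_MUST_CHANGE;                           /* too old, still in grace period */
}

/* Assumed policy: a non-interactive helper cannot run a password change,
 * so anything other than ACCT_OK is refused. */
int shadow_acct_allows_auth(const struct spwd *sp, long today)
{
    return shadow_acct_check(sp, today) == ACCT_OK;
}

/* Constructed sample entry (no real account data). */
struct spwd sample_entry(long lstchg, long max, long inact, long expire)
{
    struct spwd sp = { .sp_lstchg = lstchg, .sp_max = max, .sp_warn = 7,
                       .sp_inact = inact, .sp_expire = expire };
    return sp;
}

int main(void)
{
    struct spwd sp = sample_entry(today_in_days() - 100, 90, 14, -1);
    printf("status=%d\n", shadow_acct_check(&sp, today_in_days()));
    return 0;
}
```

In a real helper the entry would come from getspnam(), which needs read access to /etc/shadow, and the check would run after the hash comparison succeeds.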
Comment 11 Pacho Ramos gentoo-dev 2010-03-07 11:04:48 UTC
Thanks a lot Nirbheek and Andrew :-)
Comment 12 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-06-24 22:40:08 UTC
We've been shipping polkit with shadow support since 7th March 2010 thanks to Andrew with no problems. Although shadow auth is still broken if X is not started via gdm (with consolekit enabled), I think we should handle this on the upstream bug now and try to get it merged. Closing as FIXED.

Thanks to the Slackware folks for their active cooperation! :)
Comment 13 Andrew Psaltis 2010-06-24 22:48:50 UTC
(In reply to comment #12)
> We've been shipping polkit with shadow support since 7th March 2010 thanks to
> Andrew with no problems. Although shadow auth is still broken if X is not
> started via gdm (with consolekit enabled), I think we should handle this on the
> upstream bug now and try to get it merged. Closing as FIXED.
> 
> Thanks to the Slackware folks for their active cooperation! :)
> 

Actually, you can get around the GDM/KDM/XDM necessity.

Add this in place of just plain $STARTGUI in your xinitrc files:

if [ -z "$DESKTOP_SESSION" -a -x /usr/bin/ck-launch-session ]; then
    ck-launch-session $STARTGUI
else
    $STARTGUI
fi

This is in the XFCE and KDE Slackware packages and works correctly.  Thanks to Robby for figuring this out.