Bug 472098

Do you have: 
session         optional        pam_loginuid.so
in /etc/pam.d/system-auth ?

I recall a user having issues like this before and they had not set the above.

(In reply to Ray Griffin from comment #1)
*facepalm*
I meant: 
"session         optional        pam_systemd.so"
Highlighted the wrong line, sorry for the confusion/extra noise.

Comment 3 Agostino Sarubbo 2013-06-02 13:18:14 UTC

(In reply to Ray Griffin from comment #2)
> (In reply to Ray Griffin from comment #1)
> *facepalm*
> I meant: 
> "session         optional        pam_systemd.so"
> Highlighted the wrong line, sorry for the confusion/extra noise.

np, yes I have it

Comment 4 Michał Górny 2013-06-02 14:08:59 UTC

It may be something related to polkit and the whole newbie fun stuff.

While at it, it would be good to find out why my user has only partial bluetooth access :). Funny enough, on my laptop it all worked out of the box...

Comment 5 Agostino Sarubbo 2013-06-02 17:13:23 UTC

I tried this .pkla

[Allow Everything Dammit]
Identity=unix-user:ago
Action=*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

or this .rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
        subject.user == "ago" {
        return "yes";
    }
});


I'm not a polkit expert, but I seriously guess that polkit does not work propely with systemd, at least here.

Comment 6 Samuli Suominen (RETIRED) 2013-06-04 15:44:24 UTC

(In reply to Agostino Sarubbo from comment #5)
> I tried this .pkla

.pkla is a obsolete format and no longer supported by current sys-auth/polkit, (except if you hack around with sys-auth/polkit-pkla-compat)

> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
>         subject.user == "ago" {
>         return "yes";
>     }
> });

Shouldn't that be

return polkit.Result.YES;

instead of

return "yes";

like shown in the `man 8 polkit` page examples?

Comment 7 Agostino Sarubbo 2013-06-04 15:52:41 UTC

(In reply to Samuli Suominen from comment #6)
> Shouldn't that be
> 
> return polkit.Result.YES;
> 
> instead of
> 
> return "yes";
> 
> like shown in the `man 8 polkit` page examples?

It does not work too with that syntax.

Comment 8 Pacho Ramos 2013-07-20 14:53:17 UTC

I have no problem with 205 :/

Comment 9 Agostino Sarubbo 2013-07-20 14:59:39 UTC

(In reply to Pacho Ramos from comment #8)
> I have no problem with 205 :/

I can reproduce with 204. An hint on where start to debug would be great.

Comment 10 Pacho Ramos 2013-07-20 15:01:32 UTC

I would look at journalctl output (specially just after hitting a problem)

Comment 11 Agostino Sarubbo 2013-07-21 07:38:31 UTC

This problem is caused by grsecurity by the module CONFIG_GRKERNSEC_PROC

If I disable it, it works perfectly.

See also bug 455938

Comment 13 Michał Górny 2013-07-30 12:38:25 UTC

Do you maybe have a quick & sane way of reproducing it? Preferably one having least additional deps & factors.

Comment 14 Agostino Sarubbo 2013-07-30 12:50:42 UTC

(In reply to Michał Górny from comment #13)
> Do you maybe have a quick & sane way of reproducing it? Preferably one
> having least additional deps & factors.

1) emerge hardened-sources:3.2.48-r1
2) In the menuconfig go to security options -> grsecurity.
3) Configuration Method (Automatic)
4) Usage Type (Desktop)

Check that CONFIG_GRKERNSEC_PROC is enabled. Compile and boot. That's enough.

Comment 15 Michał Górny 2013-07-30 13:05:50 UTC

(In reply to Agostino Sarubbo from comment #14)
> (In reply to Michał Górny from comment #13)
> > Do you maybe have a quick & sane way of reproducing it? Preferably one
> > having least additional deps & factors.
> 
> 1) emerge hardened-sources:3.2.48-r1
> 2) In the menuconfig go to security options -> grsecurity.
> 3) Configuration Method (Automatic)
> 4) Usage Type (Desktop)
> 
> Check that CONFIG_GRKERNSEC_PROC is enabled. Compile and boot. That's enough.

Yes, I did that. Now what should be failing for me? Preferably without the need to install GNOME :P.

Comment 16 Michał Górny 2013-07-30 17:27:54 UTC

Ok, unless I'm missing something I think I am able to reproduce it with 'systemctl reboot'. The message is: Unix process subject does not have uid set.

I'm going to investigate further.

Comment 17 Michał Górny 2013-07-30 17:55:18 UTC

$ dbus-send --print-reply --system --dest=org.freedesktop.login1 \
  /org/freedesktop/login1 org.freedesktop.login1.Manager.Reboot \
  boolean:false

Error org.freedesktop.PolicyKit1.Error.Failed: Unix process subject does not have uid set

Looks like it's an issue in polkit rather than systemd itself.

Comment 18 Michał Górny 2013-07-30 18:08:02 UTC

Yep, 100% polkit issue. polkit tries to obtain some user information from procfs, and since it is running as 'polkitd' it doesn't see other users' processes.

I was able to work-around this through adding 'polkitd' to 'wheel' but I doubt that's the correct solution.

Comment 19 Agostino Sarubbo 2013-07-30 18:44:35 UTC

this does not happen on openrc. Please restore the summary and the assignee.

(In reply to Michał Górny from comment #18)
> I was able to work-around this through adding 'polkitd' to 'wheel' but I
> doubt that's the correct solution.

This is a solution which I described in bug 455938

$ sudo zgrep CONFIG_GRKERNSEC_PROC_GID /proc/config.gz 
CONFIG_GRKERNSEC_PROC_GID=666
$ getent group 666
procr:x:666:root,user1,polkitd

Does it work for you?

Comment 21 Alexandre Rostovtsev (RETIRED) 2013-07-30 19:01:47 UTC

(In reply to Agostino Sarubbo from comment #19)
> this does not happen on openrc. Please restore the summary and the assignee.

The bug only happens on systemd, but that does not imply that the cause of the bug is in systemd itself, or that the bug must be assigned to the systemd team.

After all, it also happens only on hardened kernels, but that does not imply that hardened@g.o should automatically be the assignee.

Comment 22 Agostino Sarubbo 2013-07-30 19:09:26 UTC

(In reply to Alexander Tsoy from comment #20)
> (In reply to Michał Górny from comment #18)
> > I was able to work-around this through adding 'polkitd' to 'wheel' but I
> > doubt that's the correct solution.
> 
> This is a solution which I described in bug 455938
> 
> $ sudo zgrep CONFIG_GRKERNSEC_PROC_GID /proc/config.gz 
> CONFIG_GRKERNSEC_PROC_GID=666
> $ getent group 666
> procr:x:666:root,user1,polkitd
> 
> Does it work for you?

this is a workaround, not a real fix

Comment 23 Alexandre Rostovtsev (RETIRED) 2013-07-30 20:21:44 UTC

*** Bug 455938 has been marked as a duplicate of this bug. ***

Seems this is not a polkit problem. polkit[systemd] links against libsystemd-login.so. Here Lennart describes why sd-login need to call sd_pid_get_owner_uid() and sd_pid_get_session() so that access to /proc is required:

http://lists.freedesktop.org/archives/systemd-devel/2012-October/006860.html

If systemd can't be fixed, then solution from comment 20 looks like a real fix. =P

(In reply to Alexander Tsoy from comment #24)
> so that access to /proc is required

/proc/1/cgroup, to be more precise

Comment 27 Alexandre Rostovtsev (RETIRED) 2013-07-30 21:03:17 UTC

(In reply to Alexander Tsoy from comment #24)
> http://lists.freedesktop.org/archives/systemd-devel/2012-October/006860.html

Thank you for tracking this down.

So the best solution might be to make a list of systemd and polkit executables that need to access /proc/1 and install them with whatever capability bits or paxctl flags that are needed to do their job when GRKERNSEC_PROC is enabled or /proc is mounted with hidepid.

Comment 28 Michał Górny 2013-07-30 21:56:24 UTC

Maybe we should try to convince the hardened guys to give an option to make PID 1 visible to everyone? Assuming that would help.

(In reply to Alexandre Rostovtsev from comment #27)

With GRKERNSEC_PROC enabled processess of other users completely hidden by the kernel. So I have no idea how this can be handled by the caps or psxctl flags.

user2@host $ ls -ld /proc/[0-9]*
dr-xr-x--- 8 user2 procr 0 Jul 31 01:51 /proc/2068

Comment 30 Alexandre Rostovtsev (RETIRED) 2013-07-30 22:30:58 UTC

(In reply to Alexander Tsoy from comment #29)
> With GRKERNSEC_PROC enabled processess of other users completely hidden by
> the kernel. So I have no idea how this can be handled by the caps or psxctl
> flags.

You are right, it seems that the hardened patch makes the kernel check only for the process's uid == 0 or gid == GRKERNSEC_PROC_GID when accessing /proc, completely ignoring capabilities :/

Alternative solution - add a tiny suid-root program that reads /proc/1/cgroup, and patch systemd's sd_pid_get_owner_uid() to call that program instead of reading /proc/1/cgroup directly?

I'm using openrc only  and have this issue, with hardened kernel and grsec.
openrc-0.17

Tried to start it manually here:

# /usr/lib/polkit-1/polkitd
Successfully changed to user polkitd
Killed

dmesg says:
[ 1864.475910] grsec: From 10.0.2.2: chdir to /var/lib/polkit-1 by /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.539922] grsec: From 10.0.2.2: denied RWX mmap of <anonymous mapping> by /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.541373] polkitd[16619]: segfault at 10 ip 0000036e56cd7ce7 sp 000003ca9ced1cb0 error 4 in libpthread-2.21.so[36e56cce000+18000]
[ 1864.541428] grsec: From 10.0.2.2: Segmentation fault occurred at 0000000000000010 in /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.541580] grsec: From 10.0.2.2: bruteforce prevention initiated due to crash of /usr/lib64/polkit-1/polkitd against uid 102, banning suid/sgid execs for 15 minutes.  Please investigate the crash report for /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
...
# gdb /lib64/libpthread-2.21.so
...
(gdb) info symbol 0x0000036e56cd7ce7-0x36e56cce000
pthread_mutex_lock + 23 in section .text
(gdb) list *pthread_mutex_lock+23
0x9ce7 is in __GI___pthread_mutex_lock (../nptl/pthread_mutex_lock.c:67).
62	__pthread_mutex_lock (mutex)
63	     pthread_mutex_t *mutex;
64	{
65	  assert (sizeof (mutex->__size) >= sizeof (mutex->__data));
66	
67	  unsigned int type = PTHREAD_MUTEX_TYPE_ELISION (mutex);
68	
69	  LIBC_PROBE (mutex_entry, 1, mutex);
70	
71	  if (__builtin_expect (type & ~(PTHREAD_MUTEX_KIND_MASK_NP
...

Any ideas? I wonder how I could get it to dump a 'core' file (having 
*               soft    core            unlimited
 in /etc/security/limits.conf is not doing it(nor # ulimit -c unlimited ) - but works fine for firefox for example) Does anyone know?

# emerge --info sys-auth/polkit
Portage 2.2.20.1 (python 3.4.3-final-0, hardened/linux/amd64/no-multilib, gcc-5.2.0, glibc-2.21-r1, 4.1.6-hardened-r1-g45b4b78 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.1.6-hardened-r1-g45b4b78-x86_64-AMD_A6-3400M_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.2
KiB Mem:    10809864 total,   9085548 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Tue, 01 Sep 2015 00:45:02 +0000
sh bash 4.3_p42
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
ccache version 3.2.3 [enabled]
app-shells/bash:          4.3_p42::gentoo
dev-lang/perl:            5.22.0::gentoo
dev-lang/python:          2.7.10::gentoo, 3.4.3::gentoo
dev-util/ccache:          3.2.3::gentoo
dev-util/cmake:           3.3.1-r1::gentoo
dev-util/pkgconfig:       0.28-r3::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.17::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r1::gentoo
sys-devel/automake:       1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.8.5::gentoo, 5.2.0::gentoo
sys-devel/gcc-config:     1.8::gentoo
sys-devel/libtool:        2.4.6-r1::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.21-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    priority: -1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache cgroup collision-protect config-protect-if-modified distlocks downgrade-backup ebuild-locks fakeroot fixlafiles force-mirror installsources ipc-sandbox merge-sync multilib-strict network-sandbox news nostrip parallel-fetch parallel-install prelink-checksums preserve-libs sandbox sfperms split-elog split-log strict unknown-features-warn unmerge-backup unmerge-logs userfetch userpriv usersandbox webrsync-gpg"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.romnet.org/gentoo/ http://tux.rainside.sk/gentoo/ http://de-mirror.org/gentoo/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://www.las.ic.unicamp.br/pub/gentoo/"
INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="3dnow 3dnowext X acl amd64 berkdb bindist btrfs bzip2 cli consolekit cracklib crypt cryptsetup cscope cxx dbus device-mapper dri egl extensions gdbm git gpg gpm gtk3 hardened iconv jpeg justify lock mmx mmxext modules mosh-hardening ncurses nptl openmp pam pax_kernel pcre pie policykit pulseaudio qt4 readline seccomp session sse sse2 sse3 ssl ssp startup-notification strong-security system-icu system-jpeg system-libvpx system-sqlite urandom xattr xcomposite xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext sse sse2 sse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard virtualbox evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="virtualbox" XFCE_PLUGINS="brightness clock trash battery power" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

sys-auth/polkit-0.113::gentoo was built with the following:
USE="introspection pam -examples -gtk -jit -kde -nls (-selinux) -systemd -test"
CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all"
CXXFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all"

Comment 32 Mike Gilbert 2015-09-02 15:59:06 UTC

(In reply to Emanuel Czirai from comment #31)

Please do not hijack unrelated bug reports. File a new bug please.

I apologize. Filed new: https://bugs.gentoo.org/show_bug.cgi?id=559436