| Summary: | >=sys-apps/systemd-207: /etc/pam.d/systemd-user needs pam_systemd.so | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Benjamin Franzke <benjaminfranzke> |
| Component: | [OLD] Core system | Assignee: | Gentoo systemd Team <systemd> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | normal | CC: | alexander, pam-bugs+disabled, poncho, ssuominen |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 504492 | | |
| Bug Blocks: | 487344, 592616 | | |

Description
Benjamin Franzke
2013-09-20 08:38:34 UTC

Hmm. Are you sure that's correct? See this link, https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/pambase&id=03746a9aad67c62d396dd9528ef40d14de28c844 I suspect we need the same patch for our pambase (since ArchLinux's pambase is based on our pambase but it has changed since initial forking)

I'm not sure how you come to the conclusion this could be incorrect from that patch.. I think the pam_env move in archlinux's pambase has no direct relationship with this bug. I'm still sure it's correct that pam_systemd is needed in /etc/pam.d/systemd-user. (How it's included there is another question - directly, or via another file..) Since we need $XDG_RUNTIME_DIR, which is provided by pam-systemd.

BTW, offtopic: I also think that archlinux patch would be useful for gentoo users, to be able to use $XDG_RUNTIME_DIR (which is set by pam_systemd) in /etc/security/pam_env.conf

Any news? Shouldn't this bug block stabilization of systemd-208?

I agree with Benjamin; we either need to add pam_systemd.so to /etc/pam.d/systemd-user or /etc/pam.d/system-auth. I have tested both, and they both allow systemctl --user to function on my system.

@PAM, have any preference in this?

(In reply to Mike Gilbert from comment #4)
> I agree with Benjamin; we either need to add pam_systemd.so to
> /etc/pam.d/systemd-user or /etc/pam.d/system-auth.

Would be better to move pam_systemd.so from system-login to system-auth, because system-login includes system-auth:

```
$ egrep -A1 'session.*system-auth' /etc/pam.d/system-login
session include system-auth
-session optional pam_systemd.so
$ qlist -ICv pambase
sys-auth/pambase-20120417-r2
```

(In reply to Michał Górny from comment #5)
> @PAM, have any preference in this?

Looks like they don't have any. What does the systemd team think? (I don't have any strong preference)

I prefer the system-auth approach.

+*pambase-20120417-r3 (27 Oct 2013) + + 27 Oct 2013; Pacho Ramos <pacho@gentoo.org> + +files/pambase-20120417-systemd-auth.patch, +pambase-20120417-r3.ebuild: + Load pam_systemd from system-auth instead of system-login, bug #485470 by + Benjamin Franzke +

This is what ArchLinux's systemd-user looks like,

```
#%PAM-1.0
# Used by systemd when launching systemd user instances.
account include system-login
session include system-login
auth required pam_deny.so
password required pam_deny.so
```

I believe pam_systemd.so will have a problem when the patch from bug 504492 is merged into our pambase, and we should in fact move pam_systemd.so back to system-login, and fix the systemd-user file to use 'system-login' instead of 'system-auth'

Reopen

(In reply to Samuli Suominen from comment #10)

Should pam_systemd.so come before or after "include system-auth" in the system-login file? Also, can you elaborate on what problem you think that patch moving pam_env around will cause?

1) move it just before pam_env, second last line, like it's in 'Arch' too: https://projects.archlinux.org/svntogit/packages.git/tree/trunk/system-login?h=packages/pambase
2) fix systemd-user to use 'system-login' instead of 'system-auth'

The PAM module just belongs in system-login just like pam_ck_connector.so, I'm not aware of a general requirement for pam_systemd.so, as if you move it to system-auth, you cause *multiple* different per package PAM files to include it:

```
ssuominen@null ~ $ grep system-auth /etc/pam.d/*|wc -l
76
ssuominen@null ~ $ grep system-login /etc/pam.d/*|wc -l
8
```

Plus I suspect possible PAM env problems if we are to fix bug 451956 ever, with $XDG_VTNR being involved...

Add these lines to src_prepare() of systemd's ebuild:

```
# Gentoo's pambase has system-login where pam_systemd.so is included #485470
sed -i -e 's:system-auth:system-login:' src/login/systemd-user || die
```

Can we upstream this? Or is system-login Gentoo-specific?

(In reply to Michał Górny from comment #15)
> Can we upstream this? Or is system-login Gentoo-specific?

I'm sure some others use it too, but they don't use the same structure as our pambase, so it means a different thing in them, so this is gentoo and archlinux specific

see latest patch in bug 504492, comment #3, after that gets in, the change would be necessary
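
Added example (not part of the bug thread and not Gentoo's or systemd's own code): a Python check that follows `include`/`substack` lines through a pam.d directory and reports whether pam_systemd.so ends up in the session stack of systemd-user, for the two layouts argued over above. The system-login lines are the ones quoted in the egrep output; the system-auth and systemd-user bodies are constructed samples, and all function names are hypothetical.

```python
import os
import re
import tempfile

# type, control (simple word or [bracketed list]), module or included file
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(pam_dir, service, chain=()):
    """Modules in the session stack of `service`, following include/substack."""
    if service in chain:                      # include loop: stop descending
        return []
    path = os.path.join(pam_dir, service)
    if not os.path.isfile(path):
        return []
    modules = []
    with open(path) as fh:
        for raw in fh:
            m = RULE.match(raw.split("#", 1)[0].strip())
            if not m or m.group(1) != "session":
                continue
            control, target = m.group(2), m.group(3)
            if control in ("include", "substack"):
                modules += session_modules(pam_dir, target, chain + (service,))
            else:
                modules.append(os.path.basename(target))
    return modules

def write_layout(files):
    """Write a constructed pam.d-style tree into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="pamd-")
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root

# Constructed sample files; only the system-login lines come from the thread.
SYSTEM_AUTH = "session required pam_limits.so\nsession required pam_unix.so\n"
SYSTEM_LOGIN = "session include system-auth\n-session optional pam_systemd.so\n"
USER_VIA_AUTH = "account include system-auth\nsession include system-auth\n"
# Same substitution as the sed line proposed in the thread.
USER_VIA_LOGIN = USER_VIA_AUTH.replace("system-auth", "system-login")

def check(systemd_user_body):
    """True if pam_systemd.so is reachable from systemd-user's session stack."""
    root = write_layout({"system-auth": SYSTEM_AUTH, "system-login": SYSTEM_LOGIN,
                         "systemd-user": systemd_user_body})
    return "pam_systemd.so" in session_modules(root, "systemd-user")

if __name__ == "__main__":
    print("systemd-user -> system-auth :", check(USER_VIA_AUTH))
    print("systemd-user -> system-login:", check(USER_VIA_LOGIN))
```

Pointing `session_modules` at a real /etc/pam.d and a service name gives the same answer for an installed system; Debian-style `@include` lines are not handled.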