
Bug 485470

Summary: >=sys-apps/systemd-207: /etc/pam.d/systemd-user needs pam_systemd.so
Product: Gentoo Linux Reporter: Benjamin Franzke <benjaminfranzke>
Component: [OLD] Core system
Assignee: Gentoo systemd Team <systemd>
Status: RESOLVED OBSOLETE    
Severity: normal CC: alexander, pam-bugs+disabled, poncho, ssuominen
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 504492    
Bug Blocks: 487344, 592616    

Description Benjamin Franzke 2013-09-20 08:38:34 UTC
Since systemd version 207 a PAM File "/etc/pam.d/systemd-user" is included by systemd upstream.
This is used and needed by the user@.service unit. (Note in prior systemd version this was called systemd-shared, and missing at all in Gentoo)
According to http://cgit.freedesktop.org/systemd/systemd/commit/?id=5c390a4ae0d383b2003074ed011d47876c7e630c they choose to include /etc/pam.d/system-auth in /etc/pam.d/systemd-user since it seems to be the more popular on most distributions.
Problem is: In Fedora system-auth includes "session pam_systemd.so", but in Gentoo this is not in system-auth, but in system-login which wraps pam_systemd.so.

Problem is: Without pam_systemd in the pam session phase, required environment variables ($XDG_RUNTIME_DIR) for user@.service will be missing.

Without XDG_RUNTIME_DIR "systemd --user" fails to acquire a private bus connection. systemctl --user won't work, and all %t in unit files are expanded as /run instead of /run/user/$UID, which is not writable by users, so creating files there will fail.

A simple patch like this will help us:
diff --git a/src/login/systemd-user b/src/login/systemd-user
index 7b57dbf..cdddcf8 100644
--- a/src/login/systemd-user
+++ b/src/login/systemd-user
@@ -4,5 +4,6 @@
 
 account include system-auth
 session include system-auth
+session optional pam_systemd.so
 auth required pam_deny.so
 password required pam_deny.so
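Review bot: adding `session optional pam_systemd.so` directly to systemd-user hardcodes the module in a systemd-specific file, while the description itself identifies the real Fedora/Gentoo difference as where pam_systemd.so lives (Gentoo's system-login, which wraps system-auth); the same effect is available by changing `session include system-auth` to `session include system-login`, or by moving the module into system-auth, without carrying a per-package patch. Note also that `optional` means a failing or missing pam_systemd.so still yields a successful session with no XDG_RUNTIME_DIR, so the failure mode in the report (systemctl --user failing, %t expanding to /run) is never surfaced as a PAM error.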

Reproducible: Always

Steps to Reproduce:
1. Login as any user
2. Run "systemctl --user"
(This has to work since user@$UID.service is autospawned since systemd 207)
Actual Results:  
Failed to issue method call: Process /bin/false exited with status 1

Expected Results:  
List of active loaded units.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2013-09-20 09:33:03 UTC
Hmm. Are you sure that's correct? See this link,

https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/pambase&id=03746a9aad67c62d396dd9528ef40d14de28c844

I suspect we need the same patch for our pambase (since ArchLinux's pambase is based on our pambase but it has changed since initial forking)
Comment 2 Benjamin Franzke 2013-09-20 09:51:35 UTC
I'm not sure how you come to the conclusion that this could be incorrect from that patch. I think the pam_env move in archlinux's pambase has no direct relationship with this bug. I'm still sure it's correct that pam_systemd is needed in /etc/pam.d/systemd-user. (How it's included there is another question - directly, or via another file.) Since we need $XDG_RUNTIME_DIR, which is provided by pam_systemd.


BTW, offtopic: I also think that archlinux patch would be useful for gentoo users, to be able to use $XDG_RUNTIME_DIR (which is set by pam_systemd) in /etc/security/pam_env.conf
Comment 3 Alexander Tsoy 2013-10-12 21:12:21 UTC
Any news? Shouldn't this bug block stabilization of systemd-208?
Comment 4 Mike Gilbert gentoo-dev 2013-10-13 15:31:50 UTC
I agree with Benjamin; we either need to add pam_systemd.so to /etc/pam.d/systemd-user or /etc/pam.d/system-auth.

I have tested both, and they both allow systemctl --user to function on my system.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-10-18 18:35:32 UTC
@PAM, have any preference in this?
Comment 6 Alexander Tsoy 2013-10-19 23:31:45 UTC
(In reply to Mike Gilbert from comment #4)
> I agree with Benjamin; we either need to add pam_systemd.so to
> /etc/pam.d/systemd-user or /etc/pam.d/system-auth.

Would be better to move pam_systemd.so from system-login to system-auth, because system-login includes system-auth:

$ egrep -A1 'session.*system-auth' /etc/pam.d/system-login 
session         include         system-auth
-session        optional        pam_systemd.so
$ qlist -ICv pambase
sys-auth/pambase-20120417-r2
Comment 7 Pacho Ramos gentoo-dev 2013-10-26 16:02:17 UTC
(In reply to Michał Górny from comment #5)
> @PAM, have any preference in this?

Looks like they don't have any. What does the systemd team think? (I don't have any strong preference)
Comment 8 Mike Gilbert gentoo-dev 2013-10-26 16:07:51 UTC
I prefer the system-auth approach.
Comment 9 Pacho Ramos gentoo-dev 2013-10-27 15:10:34 UTC
+*pambase-20120417-r3 (27 Oct 2013)
+
+  27 Oct 2013; Pacho Ramos <pacho@gentoo.org>
+  +files/pambase-20120417-systemd-auth.patch, +pambase-20120417-r3.ebuild:
+  Load pam_systemd from system-auth instead of system-login, bug #485470 by
+  Benjamin Franzke
+
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2014-03-13 17:38:43 UTC
This is what ArchLinux's systemd-user looks like,

#%PAM-1.0

# Used by systemd when launching systemd user instances.

account include system-login
session include system-login
auth required pam_deny.so
password required pam_deny.so

I believe pam_systemd.so will have a problem when the patch from bug 504492 is merged into our pambase, and we should in fact move pam_systemd.so back to system-login, and fix the systemd-user file to use 'system-login' instead of 'system-auth'

Reopen
Comment 11 Mike Gilbert gentoo-dev 2014-03-14 02:46:47 UTC
(In reply to Samuli Suominen from comment #10)

Should pam_systemd.so come before or after "include system-auth" in the system-login file?
Comment 12 Mike Gilbert gentoo-dev 2014-03-14 02:55:39 UTC
Also, can you elaborate on what problem you think that patch moving pam_env around will cause?
Comment 13 Samuli Suominen (RETIRED) gentoo-dev 2014-03-14 06:20:11 UTC
1) move it just before pam_env, second last line, like it's in 'Arch' too:

https://projects.archlinux.org/svntogit/packages.git/tree/trunk/system-login?h=packages/pambase

2) fix systemd-user to use 'system-login' instead of 'system-auth'

The PAM module just belongs in system-login, just like pam_ck_connector.so. I'm not aware of a general requirement for pam_systemd.so, and if you move it to system-auth, you cause *multiple* different per-package PAM files to include it:
ssuominen@null ~ $ grep system-auth /etc/pam.d/*|wc -l
76
ssuominen@null ~ $ grep system-login /etc/pam.d/*|wc -l
8

Plus I suspect possible PAM env problems if we are to fix bug 451956 ever, with $XDG_VTNR being involved...
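The include chain argued over in this thread (the description: systemd-user reaches pam_systemd.so only if its session stack includes the file that carries it; comment 13: how many pam.d files would pick the module up from system-auth versus system-login) can be checked mechanically. The script below is an added example, not code from the bug report or from pambase or systemd: it resolves a PAM service's stack through include/substack directives and reports whether a module is reached, and counts which files include a given service. The /etc/pam.d files it creates are constructed samples modelled on the files quoted in the thread, written to a temporary directory rather than read from a real system.

```shell
#!/bin/sh
# Added example, not part of the bug report: resolve a PAM service's stack
# through include/substack directives and report whether pam_systemd.so is
# reached. The pam.d files below are constructed samples, not a real system.
set -eu

# make_sample_tree -> prints the path of a temp dir holding sample pam.d files
make_sample_tree() {
  d=$(mktemp -d)
  cat > "$d/system-auth" <<'EOF'
auth      required  pam_env.so
auth      required  pam_unix.so try_first_pass likeauth nullok
account   required  pam_unix.so
password  required  pam_unix.so try_first_pass nullok sha512 shadow
session   required  pam_limits.so
session   required  pam_unix.so
EOF
  # Gentoo-style system-login: wraps system-auth and adds pam_systemd.so
  # (the leading '-' tells PAM to stay quiet if the module is missing)
  cat > "$d/system-login" <<'EOF'
auth      include   system-auth
account   include   system-auth
session   include   system-auth
-session  optional  pam_systemd.so
session   required  pam_env.so
EOF
  # systemd-user as shipped upstream in 207: includes system-auth only
  cat > "$d/systemd-user" <<'EOF'
account   include   system-auth
session   include   system-auth
auth      required  pam_deny.so
password  required  pam_deny.so
EOF
  # The alternative discussed in the thread: include system-login instead
  cat > "$d/systemd-user-login" <<'EOF'
account   include   system-login
session   include   system-login
auth      required  pam_deny.so
password  required  pam_deny.so
EOF
  printf '%s\n' "$d"
}

# stack_modules DIR SERVICE TYPE [DEPTH]: print every module the TYPE stack
# of SERVICE reaches, following include/substack; DEPTH guards against loops
stack_modules() {
  set -- "$1" "$2" "$3" "${4:-0}"
  [ "$4" -lt 8 ] || return 0
  [ -f "$1/$2" ] || return 0
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/$2" |
  while read -r ptype ctl mod _rest; do
    ptype=${ptype#-}                    # '-session' is still a session line
    [ "$ptype" = "$3" ] || continue
    case "$ctl" in
      include|substack) stack_modules "$1" "$mod" "$3" $(($4 + 1)) ;;
      *) printf '%s\n' "$mod" ;;
    esac
  done
}

# has_module DIR SERVICE TYPE MODULE: exit 0 if MODULE is reached, 1 otherwise
has_module() {
  stack_modules "$1" "$2" "$3" | grep -x "$4" > /dev/null
}

# count_includers DIR SERVICE: how many pam.d files include/substack SERVICE
# (the question comment 13's grep asks, counting files rather than lines)
count_includers() {
  grep -E -l "(include|substack)[[:space:]]+$2[[:space:]]*"'$' "$1"/* | wc -l | tr -d ' '
}

# Stand-alone run ("sh check-pam.sh demo"): compare the two systemd-user variants
if [ "${1:-}" = "demo" ]; then
  dir=$(make_sample_tree)
  for svc in systemd-user systemd-user-login; do
    printf '%s session stack: %s\n' "$svc" "$(stack_modules "$dir" "$svc" session | tr '\n' ' ')"
    if has_module "$dir" "$svc" session pam_systemd.so; then
      echo "  -> pam_systemd.so reached; XDG_RUNTIME_DIR will be set for user@.service"
    else
      echo "  -> pam_systemd.so NOT reached; XDG_RUNTIME_DIR missing, %t expands to /run"
    fi
  done
  printf 'files including system-auth: %s\n' "$(count_includers "$dir" system-auth)"
  printf 'files including system-login: %s\n' "$(count_includers "$dir" system-login)"
  rm -rf "$dir"
fi
```

On the sample tree the upstream systemd-user session stack resolves to pam_limits.so and pam_unix.so only, while the system-login variant additionally reaches pam_systemd.so and pam_env.so; pointed at a real /etc/pam.d it answers the same question for the installed pambase without having to log in and inspect $XDG_RUNTIME_DIR afterwards.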
Comment 14 Samuli Suominen (RETIRED) gentoo-dev 2014-03-14 12:40:36 UTC
Add these lines to src_prepare() of systemd's ebuild:

    # Gentoo's pambase has system-login where pam_systemd.so is included #485470
    sed -i -e 's:system-auth:system-login:' src/login/systemd-user || die
Comment 15 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-03-14 13:05:53 UTC
Can we upstream this? Or is system-login Gentoo-specific?
Comment 16 Samuli Suominen (RETIRED) gentoo-dev 2014-03-14 13:11:36 UTC
(In reply to Michał Górny from comment #15)
> Can we upstream this? Or is system-login Gentoo-specific?

I'm sure some others use it too, but they don't use the same structure as our pambase, so it means a different thing in them, so this is gentoo and archlinux specific

see latest patch in bug 504492, comment #3, after that gets in, the change would be necessary