Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 422495 - kde-base/kdebase-pam should use system-local-login instead system-auth in their pam.d files
Summary: kde-base/kdebase-pam should use system-local-login instead system-auth in the...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo KDE team
URL:
Whiteboard:
Keywords:
: 433173 (view as bug list)
Depends on:
Blocks:
 
Reported: 2012-06-20 03:24 UTC by Egor Y. Egorov
Modified: 2013-05-06 20:58 UTC (History)
11 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Egor Y. Egorov 2012-06-20 03:24:09 UTC
Now pam_systemd.so added into system-local-login pam.d file (see #372229) if USE=systemd is set. But kdm pam.d files includes system-auth. This leads to the fact that if you use systemd-loginctl instead consolekit the user session is not created when you login via kdm. Please, fix it.

Reproducible: Always
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2012-07-20 21:45:32 UTC
I dont understand half of the bug report, and probably the rest of the kde team does not fare much better. @pam, systemd: we could need some advice here.
Comment 2 Ulenrich 2012-08-29 14:30:08 UTC
This bug claims the wrong package. This might not be understandable to maintainers. So I introduced this new message regarding kdebase-pam:

https://bugs.gentoo.org/show_bug.cgi?id=433173
Comment 3 Johannes Huber (RETIRED) gentoo-dev 2012-09-03 08:35:10 UTC
*** Bug 433173 has been marked as a duplicate of this bug. ***
Comment 4 Johannes Huber (RETIRED) gentoo-dev 2012-10-14 08:53:52 UTC
Thanks for reporting. New version masked in kde overlay available. Please note that this version bump addresses bug #436948 also.

http://git.overlays.gentoo.org/gitweb/?p=proj/kde.git;a=commit;h=bb0a90872c54b1a4314bed80d69e9763582cd44c
Comment 5 Johannes Huber (RETIRED) gentoo-dev 2012-10-28 10:39:20 UTC
(In reply to comment #4)
> Thanks for reporting. New version masked in kde overlay available. Please
> note that this version bump addresses bug #436948 also.
> 
> http://git.overlays.gentoo.org/gitweb/?p=proj/kde.git;a=commit;
> h=bb0a90872c54b1a4314bed80d69e9763582cd44c

Unmasked in overlay. Please give feedback.
Comment 6 Egor Y. Egorov 2012-10-30 09:29:19 UTC
I installed kdebase-pam from kde-overlay. It works.
However, at the login shows a message box "Last Login ..."
Can set up so as not to get this message?
Thanks.
Comment 7 Egor Y. Egorov 2012-10-30 09:56:29 UTC
And while I comment lines in /etc/pam.d/system-login:
#session                optional        pam_lastlog.so
Comment 8 Dennis Schridde 2012-11-01 14:17:44 UTC
This appears to break my kwallet.

Syslog has following messages:
Nov 01 14:41:57 [kcheckpass] PAM unable to dlopen(/lib64/security/pam_selinux.so): /lib64/security/pam_selinux.so: cannot open shared object file: No such file or directory
Nov 01 14:41:57 [kcheckpass] PAM adding faulty module: /lib64/security/pam_selinux.so

It lists the same message earlier for kdm.

In addition I get a message box when KDM starts, that it is going to login my user. This was not there previously.

I use autologin without a password.
Comment 9 Andrei Mihăilă 2012-11-03 22:32:41 UTC
Commenting out the pam_lastlog.so line in /etc/pam.d/system-login removes the message box on KDE startup but the last login time will no longer be recorded and the message no longer displayed in the terminal. There is a 'silent' option for the module so the line in /etc/pam.d/system-login could be changed to something like:

session         optional        pam_lastlog.so silent

This should just log the time and not show any message. Then, because I wanted the message to show when I login from a terminal, I added another invocation of the module in /etc/pam.d/login (I hope that doesn't have any unpleasant side-effects):

session    optional     pam_lastlog.so



Could add a - in front of the selinux related line, so the module gets used if it is there and the error message is not shown in case the module is missing. So something like:

-session   optional      pam_selinux.so
Comment 10 Dennis Schridde 2012-11-20 07:54:39 UTC
(In reply to comment #9)
I was not CCed to this bug, and thus developed the same fixes for pam_lastlog and pam_selinux in the meantime.

-> The solution proposed in comment #9 works for me.
Comment 11 Dennis Schridde 2012-11-20 07:56:18 UTC
P.S: Why is pam_selinux chained in pam.d/kde and not in pam.d/system-auth or similar?
Comment 12 Dennis Schridde 2012-11-21 14:39:24 UTC
commit 23983c0b56e5619339c85eff017db88536e980c0
Author: Dennis Schridde <devurandom@gmx.net>
Date:   Wed Nov 21 14:53:16 2012 +0100

    [sys-auth/pambase] Fix KDE autologin (bug #422495)
    
    Was showing lastlog dialogue box on every login, delaying the time until the system becomes usable unnecessarily.
    
    pam_lastlog is now silent by default and only for login shells it shows a message.
    
    Thanks to Andrei Mihăilă and Egor Y. Egorov!
    
    Bug: #422495
    
    Package-Manager: portage-2.2.0_alpha142

commit c60540d975f9bb0dd9619324200e24e140eaa397
Author: Dennis Schridde <devurandom@gmx.net>
Date:   Wed Nov 21 15:00:04 2012 +0100

    [kde-base/kdebase-pam] Fix selinux error message (bug #422495)
    
    Using the pam_selinux module on non-selinux systems would have caused an error message.
    I removed this module from the KDE PAM chains, because sys-auth/pambase already deals with it in its system-* chains.
    
    Thanks to Andrei Mihăilă!
    
    Bug: #422495
Comment 13 Egor Y. Egorov 2012-11-22 14:49:21 UTC
It works!

$ emerge -pv pambase kdebase-pam

These are the packages that would be merged, in order:

Calculating dependencies                               ... done!
[ebuild   R   ~] sys-auth/pambase-20120417-r2::kde  USE="cracklib sha512 systemd -consolekit -debug -gnome-keyring -minimal -mktemp -pam_krb5 -pam_ssh -passwdqc (-selinux)" 0 kB
[ebuild   R   ~] kde-base/kdebase-pam-9::kde  0 kB
Comment 14 Marian Kyral 2013-01-14 07:18:37 UTC
Hi,
last login is fixed now, but could you also fix the "You have an email" message? Usually I have new emails and I don't want to stop KDE loading because of this message.

Thanks
Comment 15 Dennis Schridde 2013-01-14 16:23:26 UTC
(In reply to comment #14)
> last login is fixed now, but could you also fix the "You have an email"
> message? Usually I have new emails and I don't want to stop KDE loading
> because of this message.
Do you know who presents this message? I.e. which PAM module?

To figure that out, please post your PAM chain, i.e. /etc/pam.d/kde and recursively any files it includes, up to system-auth.
Comment 16 Marian Kyral 2013-01-14 16:41:49 UTC
Could it be pam_mail.so?

[17:19:43 marian@nbmkyral-E6500 ~]$ cat /etc/pam.d/kde
#%PAM-1.0

auth       required     pam_nologin.so

auth       include      system-local-login

account    include      system-local-login

password   include      system-local-login

session    include      system-local-login

[17:33:13 marian@nbmkyral-E6500 ~]$ cat /etc/pam.d/system-local-login 
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

[17:35:46 marian@nbmkyral-E6500 ~]$ cat /etc/pam.d/system-login 
auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so 
auth            required        pam_nologin.so 
auth            include         system-auth
 
account         required        pam_access.so 
account         required        pam_nologin.so 
account         include         system-auth
account         required        pam_tally2.so onerr=succeed 
 
password        include         system-auth
 
session         optional        pam_loginuid.so
session         required        pam_env.so 
session         optional        pam_lastlog.so silent 
session         include         system-auth
-session        optional        pam_ck_connector.so nox11
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so
Comment 17 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-01-14 17:24:57 UTC
It is pam_mail.

Suggestion: USE=minimal emerge pambase.

This is one of the long list of problems that requires a new pambase (which I started, but it's way too much for just me, and nobody stepped up).
Comment 18 Dennis Schridde 2013-01-14 17:33:55 UTC
(In reply to comment #16)
> Could it be pam_mail.so?
Probably. You might want to move it (and probably also motd, since that also generates output you might not want to see on every login) to pam.d/login.

(In reply to comment #17)
> This is one of the long list of problems that requires a new pambase (which
> I started, but it's way too much for just me, and nobody stepped up).
What has to be done for the new pambase? (bug #210767?)
Comment 19 Marian Kyral 2013-01-15 09:45:59 UTC
(In reply to comment #17)
> It is pam_mail.
> 
> Suggestion: USE=minimal emerge pambase.
> 

Thanks. It seems that it works. At least for now. I'll do more test.


(In reply to comment #18)
> Probably. You might want to move it 
> (and probably also motd, since that also 
> generates output you might not want to see 
> on every login) to pam.d/login.

Well, I have no problem with motd. It does not show on KDE start even it is configured properly and motd is shown in terminal.

Regarding to move pam.d/login - I never edited such files, all were configured during packages installation. So, probably, changes needs to be done there.
Comment 20 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-01-15 12:24:19 UTC
USE=minimal on pambase is designed for this.
Comment 21 Johannes Huber (RETIRED) gentoo-dev 2013-05-03 21:05:16 UTC
Thanks all, overlay version is moved to the tree.

+  03 May 2013; Johannes Huber <johu@gentoo.org> +files/kde-np.pam-9,
+  +files/kde.pam-9, +kdebase-pam-9.ebuild:
+  Version bump, fixes bugs #422495, #436948. Thanks to all who were involved.
Comment 22 Michele Alzetta 2013-05-05 08:17:35 UTC
Seems that kdebase-pam-9 has reintroduced this bug.
Comment 23 Dennis Schridde 2013-05-05 14:40:00 UTC
(In reply to comment #22)
> Seems that kdebase-pam-9 has reintroduced this bug.

Which bug exactly? /etc/pam.d/kde* includes system-local-login on my system.
Comment 24 Denys Duchier 2013-05-06 10:06:36 UTC
(In reply to comment #23)
> (In reply to comment #22)
> > Seems that kdebase-pam-9 has reintroduced this bug.
> 
> Which bug exactly? /etc/pam.d/kde* includes system-local-login on my system.

the "last login" bug, I guess, since that's what I am observing on my system.  it's very annoying.
Comment 25 Dennis Schridde 2013-05-06 12:30:48 UTC
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > Seems that kdebase-pam-9 has reintroduced this bug.
> > 
> > Which bug exactly? /etc/pam.d/kde* includes system-local-login on my system.
> 
> the "last login" bug, I guess, since that's what I am observing on my
> system.  it's very annoying.

You are right. I am using the sys-auth/pambase-20120417-r2 I developed alongside kde-base/kdebase-pam-9. But it was forgotten in the KDE overlay, and not moved to the main tree.

Please REOPEN and also move pambase.
Comment 26 Johannes Huber (RETIRED) gentoo-dev 2013-05-06 19:25:58 UTC
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #22)
> > > > Seems that kdebase-pam-9 has reintroduced this bug.
> > > 
> > > Which bug exactly? /etc/pam.d/kde* includes system-local-login on my system.
> > 
> > the "last login" bug, I guess, since that's what I am observing on my
> > system.  it's very annoying.
> 
> You are right. I am using the sys-auth/pambase-20120417-r2 I developed
> alongside kde-base/kdebase-pam-9. But it was forgotten in the KDE overlay,
> and not moved to the main tree.
> 
> Please REOPEN and also move pambase.

No this ticket is about "kde-base/kdebase-pam should use system-local-login". 

Instead of silently adding packages which are not maintained by kde herd, please file a bug about it to the package maintainer.
Comment 27 Dennis Schridde 2013-05-06 20:58:22 UTC
(In reply to comment #26)
> Instead of silently adding packages which are not maintained by kde herd,
> please file a bug about it to the package maintainer.

comment #12 was not really silent. I reported the issue as bug #468798.