During the test of systemd due to bug 465870, I just saw that my current user does not have enough permissions. In fact, I can't manage NetworkManager connections, I can't suspend, and I can't mount via udisks, but loginctl says that I'm an active user.

ago@arcadia ~ $ loginctl --no-pager show-session $XDG_SESSION_ID | grep Active
Active=yes

I completely killed consolekit and I have -consolekit +systemd globally.

Portage 2.1.11.62 (default/linux/amd64/13.0/no-multilib, gcc-4.6.3, glibc-2.15-r3, 3.2.42-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.2.42-hardened-r1-x86_64-Intel-R-_Atom-TM-_CPU_N455_@_1.66GHz-with-gentoo-2.2
KiB Mem: 1009124 total, 92036 free
KiB Swap: 2047996 total, 2047996 free
Timestamp of tree: Fri, 24 May 2013 19:30:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash: 4.2_p45
dev-lang/python: 2.7.3-r3
dev-util/cmake: 2.8.10.2-r2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.11.6, 1.12.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.6.3
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc: 2.15-r3
Repositories: gentoo ago x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=atom -mtune=atom"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions /usr/share/themes/oxygen-gtk/gtk-2.0 /usr/share/themes/oxygen-gtk/gtk-3.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=atom -mtune=atom"
DISTDIR="/media/dati/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j2"
PKGDIR="/media/dati/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/media/dati/portage"
PORTDIR_OVERLAY="/var/lib/layman/ago /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa amd64 berkdb bzip2 cairo cli cracklib crypt custom-cflags cxx dri fortran gdbm gpm iconv jpeg jpeg2k kde lame mmx modules mp3 mudflap ncurses networkmanager nptl ogg opengl openmp pam pcre png qt3support qt4 readline session sse sse2 ssl symlink systemd tcpd tiff unicode vorbis zlib"
ABI_X86="64"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev synaptics"
KERNEL="linux"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_GB"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-3"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7"
RUBY_TARGETS="ruby18 ruby19"
USERLAND="GNU"
VIDEO_CARDS="intel"
USE_PYTHON="2.7"
Do you have:

session optional pam_loginuid.so

in /etc/pam.d/system-auth? I recall a user having issues like this before and they had not set the above.
(In reply to Ray Griffin from comment #1)

*facepalm* I meant:

session optional pam_systemd.so

Highlighted the wrong line, sorry for the confusion/extra noise.
(In reply to Ray Griffin from comment #2)
> (In reply to Ray Griffin from comment #1)
> *facepalm*
> I meant:
> "session optional pam_systemd.so"
> Highlighted the wrong line, sorry for the confusion/extra noise.

np, yes I have it
It may be something related to polkit and the whole newbie fun stuff. While at it, it would be good to find out why my user has only partial bluetooth access :). Funny enough, on my laptop it all worked out of the box...
I tried this .pkla:

[Allow Everything Dammit]
Identity=unix-user:ago
Action=*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

or this .rules (the closing parenthesis of the if condition was missing as originally posted; added here):

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
        subject.user == "ago") {
        return "yes";
    }
});

I'm not a polkit expert, but I seriously guess that polkit does not work properly with systemd, at least here.
(In reply to Agostino Sarubbo from comment #5)
> I tried this .pkla

.pkla is an obsolete format and no longer supported by current sys-auth/polkit (except if you hack around with sys-auth/polkit-pkla-compat).

> polkit.addRule(function(action, subject) {
> if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
> subject.user == "ago" {
> return "yes";
> }
> });

Shouldn't that be

return polkit.Result.YES;

instead of

return "yes";

like shown in the `man 8 polkit` page examples?
(In reply to Samuli Suominen from comment #6)
> Shouldn't that be
>
> return polkit.Result.YES;
>
> instead of
>
> return "yes";
>
> like shown in the `man 8 polkit` page examples?

It does not work with that syntax either.
I have no problem with 205 :/
(In reply to Pacho Ramos from comment #8)
> I have no problem with 205 :/

I can reproduce with 204. A hint on where to start debugging would be great.
I would look at journalctl output (especially just after hitting a problem).
This problem is caused by grsecurity, by the option CONFIG_GRKERNSEC_PROC. If I disable it, it works perfectly.
See also bug 455938
Do you maybe have a quick & sane way of reproducing it? Preferably one having least additional deps & factors.
(In reply to Michał Górny from comment #13)
> Do you maybe have a quick & sane way of reproducing it? Preferably one
> having least additional deps & factors.

1) emerge hardened-sources:3.2.48-r1
2) In the menuconfig go to security options -> grsecurity.
3) Configuration Method (Automatic)
4) Usage Type (Desktop)

Check that CONFIG_GRKERNSEC_PROC is enabled. Compile and boot. That's enough.
(In reply to Agostino Sarubbo from comment #14)
> (In reply to Michał Górny from comment #13)
> > Do you maybe have a quick & sane way of reproducing it? Preferably one
> > having least additional deps & factors.
>
> 1) emerge hardened-sources:3.2.48-r1
> 2) In the menuconfig go to security options -> grsecurity.
> 3) Configuration Method (Automatic)
> 4) Usage Type (Desktop)
>
> Check that CONFIG_GRKERNSEC_PROC is enabled. Compile and boot. That's enough.

Yes, I did that. Now what should be failing for me? Preferably without the need to install GNOME :P.
Ok, unless I'm missing something I think I am able to reproduce it with 'systemctl reboot'. The message is: Unix process subject does not have uid set. I'm going to investigate further.
$ dbus-send --print-reply --system --dest=org.freedesktop.login1 \
    /org/freedesktop/login1 org.freedesktop.login1.Manager.Reboot \
    boolean:false
Error org.freedesktop.PolicyKit1.Error.Failed: Unix process subject does not have uid set

Looks like it's an issue in polkit rather than systemd itself.
Yep, 100% polkit issue. polkit tries to obtain some user information from procfs, and since it is running as 'polkitd' it doesn't see other users' processes. I was able to work-around this through adding 'polkitd' to 'wheel' but I doubt that's the correct solution.
This does not happen on openrc. Please restore the summary and the assignee.
(In reply to Michał Górny from comment #18)
> I was able to work-around this through adding 'polkitd' to 'wheel' but I
> doubt that's the correct solution.

This is the solution which I described in bug 455938:

$ sudo zgrep CONFIG_GRKERNSEC_PROC_GID /proc/config.gz
CONFIG_GRKERNSEC_PROC_GID=666
$ getent group 666
procr:x:666:root,user1,polkitd

Does it work for you?
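As an added example (not code from this bug thread), the POSIX shell script below checks the workaround from comment 20 on a hardened host: it extracts CONFIG_GRKERNSEC_PROC_GID from the kernel config and tests whether the polkitd account is a member of that group. The group name procr and GID 666 in the constructed sample come from that comment; the helper names are mine, and the live check runs only where /proc/config.gz is readable.

```shell
#!/bin/sh
# Added example, not from the bug thread: check whether a service account
# (polkitd here) is in the group that CONFIG_GRKERNSEC_PROC_GID exempts
# from /proc hiding, i.e. whether the workaround from comment 20 is in
# place. Helpers take their input as strings so they can be exercised on
# the constructed sample below as well as on the live system.

# Print the GID from a kernel config text, or nothing if the option is unset.
proc_gid_from_config() {
    printf '%s\n' "$1" | sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p'
}

# Succeed if USER appears in the member list of a getent(1) group line.
# Caveat: users whose *primary* group is the proc group are not listed there.
user_in_group() {
    user=$1
    members=$(printf '%s\n' "$2" | cut -d: -f4)
    case ",$members," in
        *",$user,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "unrestricted" (option unset), "ok" (USER is exempt) or "hidden"
# (USER cannot see other users' /proc entries); exit 1 only for "hidden".
check_proc_access() {
    user=$1 config=$2 groupline=$3
    gid=$(proc_gid_from_config "$config")
    if [ -z "$gid" ]; then
        echo unrestricted
    elif user_in_group "$user" "$groupline"; then
        echo ok
    else
        echo hidden
        return 1
    fi
}

# Constructed sample data mirroring the values quoted in comment 20.
SAMPLE_CONFIG='CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_GID=666'
SAMPLE_GROUP='procr:x:666:root,user1,polkitd'

# Live check, skipped when the kernel config is not exported.
if [ -r /proc/config.gz ]; then
    live_config=$(zcat /proc/config.gz)
    live_gid=$(proc_gid_from_config "$live_config")
    live_group=$(getent group "${live_gid:-0}" 2>/dev/null || true)
    echo "polkitd: $(check_proc_access polkitd "$live_config" "$live_group")"
fi
```

A result of "hidden" means polkitd will fail exactly as in comment 18 because sd-login cannot read other users' /proc entries; "unrestricted" only says the grsecurity option is off, not that /proc is free of a hidepid mount option.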
(In reply to Agostino Sarubbo from comment #19) > this does not happen on openrc. Please restore the summary and the assignee. The bug only happens on systemd, but that does not imply that the cause of the bug is in systemd itself, or that the bug must be assigned to the systemd team. After all, it also happens only on hardened kernels, but that does not imply that hardened@g.o should automatically be the assignee.
(In reply to Alexander Tsoy from comment #20)
> (In reply to Michał Górny from comment #18)
> > I was able to work-around this through adding 'polkitd' to 'wheel' but I
> > doubt that's the correct solution.
>
> This is a solution which I described in bug 455938
>
> $ sudo zgrep CONFIG_GRKERNSEC_PROC_GID /proc/config.gz
> CONFIG_GRKERNSEC_PROC_GID=666
> $ getent group 666
> procr:x:666:root,user1,polkitd
>
> Does it work for you?

This is a workaround, not a real fix.
*** Bug 455938 has been marked as a duplicate of this bug. ***
Seems this is not a polkit problem. polkit[systemd] links against libsystemd-login.so. Here Lennart describes why sd-login needs to call sd_pid_get_owner_uid() and sd_pid_get_session(), so that access to /proc is required: http://lists.freedesktop.org/archives/systemd-devel/2012-October/006860.html
If systemd can't be fixed, then solution from comment 20 looks like a real fix. =P
(In reply to Alexander Tsoy from comment #24)
> so that access to /proc is required

/proc/1/cgroup, to be more precise.
(In reply to Alexander Tsoy from comment #24) > http://lists.freedesktop.org/archives/systemd-devel/2012-October/006860.html Thank you for tracking this down. So the best solution might be to make a list of systemd and polkit executables that need to access /proc/1 and install them with whatever capability bits or paxctl flags that are needed to do their job when GRKERNSEC_PROC is enabled or /proc is mounted with hidepid.
Maybe we should try to convince the hardened guys to give an option to make PID 1 visible to everyone? Assuming that would help.
(In reply to Alexandre Rostovtsev from comment #27)

With GRKERNSEC_PROC enabled, processes of other users are completely hidden by the kernel. So I have no idea how this can be handled by the caps or paxctl flags.

user2@host $ ls -ld /proc/[0-9]*
dr-xr-x--- 8 user2 procr 0 Jul 31 01:51 /proc/2068
(In reply to Alexander Tsoy from comment #29)
> With GRKERNSEC_PROC enabled processess of other users completely hidden by
> the kernel. So I have no idea how this can be handled by the caps or psxctl
> flags.

You are right, it seems that the hardened patch makes the kernel check only for the process's uid == 0 or gid == GRKERNSEC_PROC_GID when accessing /proc, completely ignoring capabilities :/

Alternative solution: add a tiny suid-root program that reads /proc/1/cgroup, and patch systemd's sd_pid_get_owner_uid() to call that program instead of reading /proc/1/cgroup directly?
I'm using openrc only and have this issue, with hardened kernel and grsec (openrc-0.17).

Tried to start it manually here:

# /usr/lib/polkit-1/polkitd
Successfully changed to user polkitd
Killed

dmesg says:

[ 1864.475910] grsec: From 10.0.2.2: chdir to /var/lib/polkit-1 by /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.539922] grsec: From 10.0.2.2: denied RWX mmap of <anonymous mapping> by /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.541373] polkitd[16619]: segfault at 10 ip 0000036e56cd7ce7 sp 000003ca9ced1cb0 error 4 in libpthread-2.21.so[36e56cce000+18000]
[ 1864.541428] grsec: From 10.0.2.2: Segmentation fault occurred at 0000000000000010 in /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.541580] grsec: From 10.0.2.2: bruteforce prevention initiated due to crash of /usr/lib64/polkit-1/polkitd against uid 102, banning suid/sgid execs for 15 minutes. Please investigate the crash report for /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
...

# gdb /lib64/libpthread-2.21.so
...
(gdb) info symbol 0x0000036e56cd7ce7-0x36e56cce000
pthread_mutex_lock + 23 in section .text
(gdb) list *pthread_mutex_lock+23
0x9ce7 is in __GI___pthread_mutex_lock (../nptl/pthread_mutex_lock.c:67).
62 __pthread_mutex_lock (mutex)
63 pthread_mutex_t *mutex;
64 {
65 assert (sizeof (mutex->__size) >= sizeof (mutex->__data));
66
67 unsigned int type = PTHREAD_MUTEX_TYPE_ELISION (mutex);
68
69 LIBC_PROBE (mutex_entry, 1, mutex);
70
71 if (__builtin_expect (type & ~(PTHREAD_MUTEX_KIND_MASK_NP
...

Any ideas?
I wonder how I could get it to dump a 'core' file (having "* soft core unlimited" in /etc/security/limits.conf is not doing it, nor is "# ulimit -c unlimited", but it works fine for firefox, for example). Does anyone know?

# emerge --info sys-auth/polkit
Portage 2.2.20.1 (python 3.4.3-final-0, hardened/linux/amd64/no-multilib, gcc-5.2.0, glibc-2.21-r1, 4.1.6-hardened-r1-g45b4b78 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-4.1.6-hardened-r1-g45b4b78-x86_64-AMD_A6-3400M_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.2
KiB Mem: 10809864 total, 9085548 free
KiB Swap: 0 total, 0 free
Timestamp of repository gentoo: Tue, 01 Sep 2015 00:45:02 +0000
sh bash 4.3_p42
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
ccache version 3.2.3 [enabled]
app-shells/bash: 4.3_p42::gentoo
dev-lang/perl: 5.22.0::gentoo
dev-lang/python: 2.7.10::gentoo, 3.4.3::gentoo
dev-util/ccache: 3.2.3::gentoo
dev-util/cmake: 3.3.1-r1::gentoo
dev-util/pkgconfig: 0.28-r3::gentoo
sys-apps/baselayout: 2.2::gentoo
sys-apps/openrc: 0.17::gentoo
sys-apps/sandbox: 2.6-r1::gentoo
sys-devel/autoconf: 2.13::gentoo, 2.69-r1::gentoo
sys-devel/automake: 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo
sys-devel/gcc: 4.8.5::gentoo, 5.2.0::gentoo
sys-devel/gcc-config: 1.8::gentoo
sys-devel/libtool: 2.4.6-r1::gentoo
sys-devel/make: 4.1-r1::gentoo
sys-kernel/linux-headers: 4.1::gentoo (virtual/os-headers)
sys-libs/glibc: 2.21-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    priority: -1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache cgroup collision-protect config-protect-if-modified distlocks downgrade-backup ebuild-locks fakeroot fixlafiles force-mirror installsources ipc-sandbox merge-sync multilib-strict network-sandbox news nostrip parallel-fetch parallel-install prelink-checksums preserve-libs sandbox sfperms split-elog split-log strict unknown-features-warn unmerge-backup unmerge-logs userfetch userpriv usersandbox webrsync-gpg"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.romnet.org/gentoo/ http://tux.rainside.sk/gentoo/ http://de-mirror.org/gentoo/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://www.las.ic.unicamp.br/pub/gentoo/"
INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="3dnow 3dnowext X acl amd64 berkdb bindist btrfs bzip2 cli consolekit cracklib crypt cryptsetup cscope cxx dbus device-mapper dri egl extensions gdbm git gpg gpm gtk3 hardened iconv jpeg justify lock mmx mmxext modules mosh-hardening ncurses nptl openmp pam pax_kernel pcre pie policykit pulseaudio qt4 readline seccomp session sse sse2 sse3 ssl ssp startup-notification strong-security system-icu system-jpeg system-libvpx system-sqlite urandom xattr xcomposite xtpax zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext sse sse2 sse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="pc"
INPUT_DEVICES="keyboard virtualbox evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_4"
RUBY_TARGETS="ruby19 ruby20"
USERLAND="GNU"
VIDEO_CARDS="virtualbox"
XFCE_PLUGINS="brightness clock trash battery power"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
Package Settings
=================================================================

sys-auth/polkit-0.113::gentoo was built with the following:
USE="introspection pam -examples -gtk -jit -kde -nls (-selinux) -systemd -test"
CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all"
CXXFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all"
(In reply to Emanuel Czirai from comment #31) Please do not hijack unrelated bug reports. File a new bug please.
I apologize. Filed new: https://bugs.gentoo.org/show_bug.cgi?id=559436