Gentoo Forums
Elogind and Polkit - some Polkit rules seems to be ignored
Acatorn
n00b


Joined: 12 Jan 2020
Posts: 6
Location: Faerûn

Posted: Thu Jan 16, 2020 9:36 pm    Post subject: Elogind and Polkit - some Polkit rules seems to be ignored

Greetings,

First of all, as this is my first post on the awesome Gentoo forum, I would like to say hello :D
So far running Gentoo for about a year now was such a great experience that I think I finally found my operating system to stay.

Now, to the point. As long as I kept things simple everything was great. After some hesitation I decided to try Elogind and Polkit. I think both of them might be quite useful on enterprise workstations or virtual desktops, and I am doing some research on that subject in my job (or maybe I am wrong, then feel free to tell me about it :).

So my current setup is as follows:
Gentoo + OpenRC + LightDM + AwesomeWM + dbus + elogind + polkit + polkit-gnome (polkit agent)

Global USE flags:
USE="X glamor vaapi nvidia xvmc vdpau acpi lm_sensors elogind policykit -systemd -consolekit -udisks -upower -zeroconf -avahi -pulseaudio -gnome"

dbus USE flags:

Code:

 [ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-apps/dbus-1.12.16:
 U I
 + + X            : Add support for X11
 - - abi_x86_32   : 32-bit (x86) libraries
 - - debug        : Enable extra debug codepaths, like asserts and extra output.
                    If you want to get meaningful backtraces see https://wiki.ge
                    ntoo.org/wiki/Project:Quality_Assurance/Backtraces
 - - doc          : Add extra documentation (API, Javadoc, etc). It is
                    recommended to enable per package instead of globally
 + + elogind      : Use sys-auth/elogind for session tracking.
 - - static-libs  : Build static versions of dynamic libraries as well
 - - systemd      : Build with sys-apps/systemd at_console support
 - - test         : Enable dependencies and/or preparations necessary to run
                    tests (usually controlled by FEATURES=test but can be
                    toggled independently)
 + + user-session : Enable user-session semantics for session bus under systemd


elogind USE flags:

Code:

[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-auth/elogind-241.4:
 U I
 + + acl       : Add support for Access Control Lists
 - - debug     : Enable extra debug codepaths, like asserts and extra output. If
                 you want to get meaningful backtraces see https://wiki.gentoo.o
                 rg/wiki/Project:Quality_Assurance/Backtraces
 - - doc       : Add extra documentation (API, Javadoc, etc). It is recommended
                 to enable per package instead of globally
 + + pam       : Add support for PAM (Pluggable Authentication Modules) -
                 DANGEROUS to arbitrarily flip
 + + policykit : Enable PolicyKit authentication support


polkit USE flags:

Code:

[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-auth/polkit-0.115-r4:
 U I
 - - consolekit    : Use sys-auth/consolekit for session tracking
 + + elogind       : Use sys-auth/elogind for session tracking
 - - examples      : Install examples, usually source code
 - - gtk           : Add support for x11-libs/gtk+ (The GIMP Toolkit)
 + + introspection : Add support for GObject based introspection
 - - jit           : Enable just-in-time compilation for improved performance.
                     May prevent use of some PaX memory protection features in
                     Gentoo Hardened.
 - - kde           : Add support for software made by KDE, a free software
                     community
 + + nls           : Add Native Language Support (using gettext - GNU locale
                     utilities)
 + + pam           : Add support for PAM (Pluggable Authentication Modules) -
                     DANGEROUS to arbitrarily flip
 - - systemd       : Use sys-apps/systemd for session tracking
 - - test          : Enable dependencies and/or preparations necessary to run
                     tests (usually controlled by FEATURES=test but can be
                     toggled independently)


I wrote a simple polkit rule to test if it works:
/etc/polkit-1/rules.d/10-custom.rules:

Code:

// Require admin authentication from user "tombo" and allow user "lightdm"
// for the listed login1 actions and for GParted.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.attach-device" ||
        action.id == "org.freedesktop.login1.flush-devices" ||
        action.id == "org.freedesktop.login1.halt" ||
        action.id == "org.freedesktop.login1.halt-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.halt-multiple-sessions" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.login1.hibernate-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ||
        action.id == "org.freedesktop.login1.inhibit-block-idle" ||
        action.id == "org.freedesktop.login1.inhibit-block-shutdown" ||
        action.id == "org.freedesktop.login1.inhibit-block-sleep" ||
        action.id == "org.freedesktop.login1.inhibit-delay-shutdown" ||
        action.id == "org.freedesktop.login1.inhibit-delay-sleep" ||
        action.id == "org.freedesktop.login1.inhibit-handle-hibernate-key" ||
        action.id == "org.freedesktop.login1.inhibit-handle-lid-switch" ||
        action.id == "org.freedesktop.login1.inhibit-handle-power-key" ||
        action.id == "org.freedesktop.login1.inhibit-handle-suspend-key" ||
        action.id == "org.freedesktop.login1.lock-sessions" ||
        action.id == "org.freedesktop.login1.manage" ||
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reload-config" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-self-linger" ||
        action.id == "org.freedesktop.login1.set-user-linger" ||
        action.id == "org.freedesktop.login1.set-wall-message" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
        action.id == "org.gnome.gparted") {
        if (subject.user == "tombo") {
            return polkit.Result.AUTH_ADMIN;
        } else if (subject.user == "lightdm") {
            return polkit.Result.YES;
        }
    }
    // Any other action or user: nothing is returned, so later rules and the action's defaults apply.
});


Now, the problem is that some of the above org.freedesktop.login1.* actions seem to be completely ignored. In particular, those that do not work are the ones responsible for suspend, hibernate and session lock. The funny thing is that at first I had the user-session USE flag disabled in dbus because its description regards systemd, so I thought it was not relevant in my case, but when that flag was disabled even the actions responsible for poweroff and reboot got ignored. So now (after I enabled the user-session USE flag in dbus) commands like:

Code:

loginctl poweroff
loginctl reboot
gparted


work fine - the polkit-gnome agent prompts for the admin password when I run them with my user "tombo", and the "poweroff" and "reboot" buttons are enabled in LightDM (I run LightDM as user lightdm).

But when I use commands (no matter which user I am):

Code:

loginctl suspend
loginctl hibernate
loginctl lock-session


then they are executed immediately 8O

Here's the log from /var/log/auth.log when I use loginctl suspend:

Code:

Jan 16 22:28:57 GENTOO-L-T polkitd[3571]: Registered Authentication Agent for unix-process:7412:7779293 (system bus name :1.66 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 16 22:29:05 GENTOO-L-T polkitd[3571]: Unregistered Authentication Agent for unix-process:7412:7779293 (system bus name :1.66, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jan 16 22:29:07 GENTOO-L-T lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 16 22:29:09 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.suspend-multiple-sessions']
Jan 16 22:29:09 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=7568 user='lightdm' groups=lightdm,video,grp_reboot seat='seat0' session='6' local=true active=true]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-delay-sleep']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-block-sleep']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-block-shutdown']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-delay-shutdown']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]


I'm really puzzled by it and I cannot figure it out myself. Please, good people, help me to understand what I am doing wrong. Or maybe it's some kind of bug in elogind, polkit, pam or dbus?
_________________
Take heart fellow adventurers, for you have curried the favor of Boo, the only miniature giant space hamster in the Realm!
~ Minsc, the Berserker
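
An added example, not part of any post in this thread and not code from polkit or elogind: it replays `action=`/`subject=` pairs, in the format written by the logging rule shown in the auth.log excerpt above, against a trimmed copy of the posted rule, to show what the rule returns for each logged request and which expected action ids polkitd was never asked about. The `polkit` stub, the sample log, the user `alice` and all helper names are assumptions made for this sketch.

```javascript
// Hypothetical stub of the object polkitd exposes to rules (only the parts used here).
const polkit = {
  Result: { YES: 'yes', AUTH_ADMIN: 'auth_admin' },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};
// Trimmed copy of the posted 10-custom.rules: three of its action ids.
const HANDLED = [
  'org.freedesktop.login1.suspend',
  'org.freedesktop.login1.suspend-multiple-sessions',
  'org.freedesktop.login1.inhibit-delay-sleep',
];
polkit.addRule(function (action, subject) {
  if (HANDLED.includes(action.id)) {
    if (subject.user == 'tombo') return polkit.Result.AUTH_ADMIN;
    else if (subject.user == 'lightdm') return polkit.Result.YES;
  }
});

// Constructed sample in the format of the thread's auth.log excerpt (user alice is made up).
const P = 'Jan 16 22:29:09 host polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:';
const SAMPLE_LOG = [
  P + "4: action=[Action id='org.freedesktop.login1.suspend-multiple-sessions']",
  P + "5: subject=[Subject pid=7568 user='lightdm' groups=lightdm,video seat='seat0' session='6' local=true active=true]",
  P + "4: action=[Action id='org.freedesktop.login1.inhibit-delay-sleep']",
  P + "5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel seat='seat0' session='2' local=true active=false]",
  P + "4: action=[Action id='org.freedesktop.login1.suspend-multiple-sessions']",
  P + "5: subject=[Subject pid=4100 user='alice' groups=alice seat='seat0' session='3' local=true active=true]",
].join('\n');

// Pair each action= line with the subject= line directly after it.
function parseRequests(log) {
  const re = /action=\[Action id='([^']+)'\]\n.*?subject=\[Subject [^\n]*?\buser='([^']+)'/g;
  return [...log.matchAll(re)].map((m) => ({ action: m[1], user: m[2] }));
}

// What the rules return for each logged request; no return value means "not handled".
function replay(log) {
  return parseRequests(log).map((r) => ({
    ...r,
    result: polkit.rules.map((f) => f({ id: r.action }, { user: r.user })).find(Boolean) || 'not_handled',
  }));
}

// Expected action ids with no logged request: no authorization check for them reached polkitd.
function neverQueried(log, expected) {
  const seen = new Set(parseRequests(log).map((r) => r.action));
  return expected.filter((id) => !seen.has(id));
}
```

A request that comes back as `not_handled` is passed on to later rules and finally to the defaults in the action's .policy file. An id returned by `neverQueried` was never put to polkitd at all, so no rule file could have decided it.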
charles17
Advocate


Joined: 02 Mar 2008
Posts: 3664

Posted: Fri Jan 17, 2020 9:11 am

Acatorn wrote:
So my current setup is as follows:
Gentoo + OpenRC + LightDM + AwesomeWM + dbus + elogind + polkit + polkit-gnome (polkit agent)

Global USE flags:
USE="X glamor vaapi nvidia xvmc vdpau acpi lm_sensors elogind policykit -systemd -consolekit -udisks -upower -zeroconf -avahi -pulseaudio -gnome"

Do I correctly understand you need or want https://wiki.gentoo.org/wiki/Polkit and https://wiki.gentoo.org/wiki/PAM?

Regarding your selection of USE flags, are you aware that many are set by the profile you selected?
To keep it simple you might want to remove all settings which can be removed without causing changes in next emerge. E.g. X, on desktop profiles this is already set.
My personal recommendation is removing the USE= line from make.conf and start with a fresh and empty /etc/portage/package.use file adding only what's really needed.
Acatorn
n00b


Joined: 12 Jan 2020
Posts: 6
Location: Faerûn

Posted: Fri Jan 17, 2020 3:43 pm

Quote:

Regarding your selection of USE flags, are you aware that many are set by the profile you selected?
To keep it simple you might want to remove all settings which can be removed without causing changes in next emerge. E.g. X, on desktop profiles this is already set.
My personal recommendation is removing the USE= line from make.conf and start with a fresh and empty /etc/portage/package.use file adding only what's really needed.


Yes, I am aware of that and I chose:

Code:

 [16]  default/linux/amd64/17.1 (stable) *


Actually I think I understand USE flag mechanics quite well. I set some flags in /etc/portage/make.conf simply for convenience - I enabled X because in most cases I want packages to provide a GUI (if they have it). When I find a package foo that I don't want to be compiled with the X USE flag, then I simply create a file /etc/portage/package.use/foo and set -X in there.

Quote:

Do I correctly understand you need or want https://wiki.gentoo.org/wiki/Polkit and https://wiki.gentoo.org/wiki/PAM?


I have already read those wiki articles and I think I grasped well the polkit one. But I cannot say that about the PAM one :wink:
Do you suggest that, in my setup, polkit and pam are kinda in conflict with each other? Because I don't understand why commands like:

Code:

loginctl poweroff
loginctl reboot
gparted


work correctly - they ask user tombo for the admin password as I wrote in /etc/polkit-1/rules.d/10-custom.rules.

But commands like:

Code:

loginctl suspend
loginctl hibernate
loginctl lock-session


just ignore my polkit rules :cry:

Sorry if my previous post is too long. I wanted it to contain all the information I've got. Also sorry if the answer to my questions lies in those wiki articles and I still do not understand it. I'm still a noob in pam and polkit :wink:
_________________
Take heart fellow adventurers, for you have curried the favor of Boo, the only miniature giant space hamster in the Realm!
~ Minsc, the Berserker
charles17
Advocate


Joined: 02 Mar 2008
Posts: 3664

Posted: Fri Jan 17, 2020 5:30 pm

Acatorn wrote:
I have already read those wiki articles and I think I grasped well the polkit one. But I cannot say that about the PAM one :wink:
Do you suggest that, in my setup, polkit and pam are kinda in conflict with each other? ...

With polkit I have no experience. But for PAM there was this recent topic 1000290.
dmpogo
Advocate


Joined: 02 Sep 2004
Posts: 3267
Location: Canada

Posted: Fri Jan 17, 2020 5:57 pm

I suspect polkit does not have a good reputation on this forum :) If you search, you'll find many more posts about how to remove it entirely (not easy) or minimize its presence, than how to use it effectively. Honestly, I do not recall any discussion on polkit useful application in a while.
CaptainBlood
Advocate


Joined: 24 Jan 2010
Posts: 3627

Posted: Tue Feb 04, 2020 10:24 pm

Same kind of issue link
polkit doesn't seem to be doing anything here, as current user can reboot with root logged at console.
Thks 4 ur attention.
Yamakuzure
Advocate


Joined: 21 Jun 2006
Posts: 2284
Location: Adendorf, Germany

Posted: Wed Feb 05, 2020 7:09 am

Acatorn wrote:
But when I use commands (no matter which user I am):

Code:

loginctl suspend
loginctl hibernate
loginctl lock-session


then they are executed immediately 8O

This is fixed in 97d2a93 as noted in issue 149 you opened. From next release on your rules will be heeded again.

CaptainBlood wrote:
Same kind of issue link
polkit doesn't seem to be doing anything here, as current user can reboot with root logged at console.
Thks 4 ur attention.

Nope, this is something completely different. Please see the thread you opened.
_________________
Important German:
  1. "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
  2. "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
CaptainBlood
Advocate


Joined: 24 Jan 2010
Posts: 3627

Posted: Wed Feb 05, 2020 9:32 am

@Yamakuzure
Thks 4 ur attention, interest & support
All times are GMT