https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c2 Robert Milasan changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO CC| |fcrozat@suse.com InfoProvider| |fcrozat@suse.com --- Comment #2 from Robert Milasan 2012-12-10 13:54:30 UTC --- I think this is done by systemd-logind rules, so adding Frederic to the bug. Frederic, can you please check, thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c4 Jiri Slaby changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|jslaby@suse.com | --- Comment #4 from Jiri Slaby 2012-12-10 14:33:56 UTC --- Created an attachment (id=516359) --> (http://bugzilla.novell.com/attachment.cgi?id=516359) loginctl output $ loginctl >/tmp/loginctl $ for aa in c1 c2 c3 c4 c11; do echo =========== >>/tmp/loginctl; loginctl show-session $aa >>/tmp/loginctl;done -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c6 --- Comment #6 from Jiri Slaby 2012-12-10 14:45:32 UTC --- *** Bug 792125 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=792125 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c8 --- Comment #8 from Jiri Slaby 2012-12-10 15:29:41 UTC --- (In reply to comment #7)

how did you became "ku" in the terminals ?

By: su ku -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c10 Frederic Crozat changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|rmilasan@suse.com |kukuk@suse.com --- Comment #10 from Frederic Crozat 2012-12-10 16:00:33 UTC --- so, not related to systemd but to pam. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c12 Jiri Slaby changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|jslaby@suse.com | --- Comment #12 from Jiri Slaby 2012-12-10 16:28:19 UTC --- (In reply to comment #11)

You login new and the new logined user get's access.

I login as xslaby. Do `su ku', suspend, resume and xslaby loses an access to /dev/dvb, ability to suspend and many others. The problem was that the newly installed pam rules were not in the common* files. They were stored as .rpmnew. Removing the .rpmnew suffix fixed the problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c14 --- Comment #14 from Jiri Slaby 2012-12-10 16:37:28 UTC --- (In reply to comment #13)

I'm absolute sure that there where no common-*-pc.rpmnew files, as we use pam-config and this files are not under control of RPM.

Right. I did mv common-account.rpmnew common-account-pc for all four and it works now. I have no idea where they came from... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c16 --- Comment #16 from Jiri Slaby 2012-12-10 16:49:28 UTC ---

(In reply to comment #14) Then please provide at least a correct diff. I don't trust the comment that there was only the replacement of pam_unix.so with pam_unix2.so, I'm pretty sure that you removed pam_systemd with this action. The other two PAM modules don't have a session management at all.

Yes, you're right. There is a bug in colordiff which does not recognize wdiff output being over more lines. So I overlooked the change. The wdiff outputs (I don't have -account, but it's irrelevant): # wdiff common-session-pc common-session.rpmnew [-#%PAM-1.0-]# # [-This file is autogenerated by pam-config. All changes # will be overwritten. # # Session-related-] {+/etc/pam.d/common-session - session-related+} modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # [-non-interactive-] {+non-interactive).+} # session required pam_limits.so session required [-pam_unix2.so-] {+pam_unix.so try_first_pass+} session optional pam_umask.so session optional [-pam_systemd.so session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm-] {+pam_env.so+} # wdiff common-auth-pc common-auth.rpmnew |colordiff [-#%PAM-1.0-]# # [-This file is autogenerated by pam-config. All changes # will be overwritten. # # Authentication-related modules-] {+/etc/pam.d/common-auth - authentication settings+} common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth required pam_env.so auth [-optional pam_gnome_keyring.so auth-] required [-pam_unix2.so-] {+pam_unix.so try_first_pass+} # wdiff common-password.rpmnew common-password-pc |colordiff {+#%PAM-1.0+} # # [-/etc/pam.d/common-password - password-related-] {+This file is autogenerated by pam-config. All changes # will be overwritten. # # Password-related+} modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. # [-# The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. #-] password requisite [-pam_cracklib.so-] {+pam_pwcheck.so nullok cracklib password optional pam_gnome_keyring.so use_authtok+} -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c18 --- Comment #18 from Jiri Slaby 2012-12-10 16:52:38 UTC --- Adding session optional pam_systemd.so back to common-session-pc indeed causes `su ku' to generate a new session in loginctl output. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c20 --- Comment #20 from Thorsten Kukuk 2012-12-10 17:01:56 UTC --- That renaming the *.rpmnew file solved your problem has nothing to do with that this file exists at all, which we can ignore. What happened: At some point the *.rpmnew file was create, for whatever reason. Afterwards, pam_systemd.so was added with pam-config Renaming back removed pam_systemd.so, which fixes it. I'm pretty sure that the next systemd/pam_systemd update will re-add it again. So the problem is the pam_systemd.so configuration, and here I cannot help. It's not my package. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c22 --- Comment #22 from Jiri Slaby 2012-12-10 18:41:52 UTC --- (In reply to comment #21)

- paste here the output of journalctl" when you logged as ku

su[22061]: (to ku) xslaby on /dev/pts/3 su[22061]: pam_unix(su:session): session opened for user ku by xslaby(uid=500) su[22061]: pam_systemd(su:session): Asking logind to create session: uid=502 pid=22061 service=su type=tty class=...ote_host= systemd-logind[1873]: New session c27 of user ku. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c24 --- Comment #24 from Jiri Slaby 2012-12-12 15:08:40 UTC --- (In reply to comment #23)

What is the value of /proc/self/loginuid before you run "su ku" and in the "su ku" session ?

cat: /proc/self/loginuid: No such file or directory I have auditing disabled... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c26 --- Comment #26 from Jiri Slaby 2013-01-01 16:10:12 UTC --- (In reply to comment #25)

could you try to enable it in your kernel ? logind relies on loginuid (not auditd) to identify sessions (and consolekit was also relying on it before IIRC).

Yes, enabling audit support in the kernel (thus exposing loginuid in /proc) creates no more sessions by `su'... Why systemd assumes loginuid to be present (IOW auditing to be turned on)? This requirement is invalid the same as many other assumptions systemd has :/. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=793657 https://bugzilla.novell.com/show_bug.cgi?id=793657#c28 --- Comment #28 from Frederic Crozat 2013-03-05 14:25:39 UTC --- FYI, upstream has just modified logind to rely on cgroup instead of audit/loginuid to identify session in pam_systemd. Patch is a bit too fresh to push in 12.3, but this should be fine in Factory for next upstream release of systemd -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.