[Bug 793657] New: udev: adds permissions to /dev/* for users with no session
https://bugzilla.novell.com/show_bug.cgi?id=793657
https://bugzilla.novell.com/show_bug.cgi?id=793657#c0

           Summary: udev: adds permissions to /dev/* for users with no session
    Classification: openSUSE
           Product: openSUSE Factory
           Version: 12.3 Milestone 1
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: rmilasan@suse.com
        ReportedBy: jslaby@suse.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

I'm logged in as xslaby, but after resume I see:
# getfacl /dev/dvb/adapter0/*
# file: dev/dvb/adapter0/net0
# owner: root
# group: video
user::rw-
user:ku:rw-
group::---
mask::rw-
other::---
...

I have several terminals open as ku.

The outcome of this is that I cannot watch dvb-t tv in kaffeine due to invalid permissions as can be seen above.

I think this is related to suspend-not-allowed problem reported in bug 792125.

dbus-send --print-reply --system --dest=org.freedesktop.UPower /org/freedesktop/UPower org.freedesktop.UPower.SuspendAllowed

for xslaby returns false, and for ku returns true, why?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=793657#c1
--- Comment #1 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=793657#c2
Robert Milasan
https://bugzilla.novell.com/show_bug.cgi?id=793657#c3
Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c4
Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=793657#c5
--- Comment #5 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c6
--- Comment #6 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=793657#c7
--- Comment #7 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c8
--- Comment #8 from Jiri Slaby
> how did you become "ku" in the terminals ?

By: su ku
https://bugzilla.novell.com/show_bug.cgi?id=793657#c9
--- Comment #9 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=793657#c10
Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c11
Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=793657#c12
Jiri Slaby
> You login new and the new logged-in user gets access.

I login as xslaby. Do `su ku', suspend, resume and xslaby loses access to /dev/dvb, ability to suspend and many others.

The problem was that the newly installed pam rules were not in the common* files. They were stored as .rpmnew. Removing the .rpmnew suffix fixed the problem.
https://bugzilla.novell.com/show_bug.cgi?id=793657#c13
Thorsten Kukuk
(In reply to comment #11)
>> You login new and the new logged-in user gets access.
>
> I login as xslaby. Do `su ku', suspend, resume and xslaby loses access to /dev/dvb, ability to suspend and many others.

Which is systemd, but not pam itself.

> The problem was that the newly installed pam rules were not in the common* files. They were stored as .rpmnew. Removing the .rpmnew suffix fixed the problem.

I'm absolutely sure that there were no common-*-pc.rpmnew files, as we use pam-config and these files are not under control of RPM. If somebody messes up in his package with other config files directly: bad for him.

Responsible for systemd session management is pam_systemd, and that's coming out of systemd ...
https://bugzilla.novell.com/show_bug.cgi?id=793657#c14
--- Comment #14 from Jiri Slaby
> I'm absolutely sure that there were no common-*-pc.rpmnew files, as we use pam-config and these files are not under control of RPM.

Right. I did mv common-account.rpmnew common-account-pc for all four and it works now. I have no idea where they came from...
https://bugzilla.novell.com/show_bug.cgi?id=793657#c15
--- Comment #15 from Thorsten Kukuk
(In reply to comment #13)
>> I'm absolutely sure that there were no common-*-pc.rpmnew files, as we use pam-config and these files are not under control of RPM.
>
> Right. I did mv common-account.rpmnew common-account-pc for all four and it works now. I have no idea where they came from...

Then please provide at least a correct diff. I don't trust the comment that there was only the replacement of pam_unix.so with pam_unix2.so, I'm pretty sure that you removed pam_systemd with this action. The other two PAM modules don't have a session management at all.
https://bugzilla.novell.com/show_bug.cgi?id=793657#c16
--- Comment #16 from Jiri Slaby
(In reply to comment #14)
> Then please provide at least a correct diff. I don't trust the comment that there was only the replacement of pam_unix.so with pam_unix2.so, I'm pretty sure that you removed pam_systemd with this action. The other two PAM modules don't have a session management at all.
Yes, you're right. There is a bug in colordiff which does not recognize wdiff output being over more lines. So I overlooked the change. The wdiff outputs (I don't have -account, but it's irrelevant): # wdiff common-session-pc common-session.rpmnew [-#%PAM-1.0-]# # [-This file is autogenerated by pam-config. All changes # will be overwritten. # # Session-related-] {+/etc/pam.d/common-session - session-related+} modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define tasks to be performed # at the start and end of sessions of *any* kind (both interactive and # [-non-interactive-] {+non-interactive).+} # session required pam_limits.so session required [-pam_unix2.so-] {+pam_unix.so try_first_pass+} session optional pam_umask.so session optional [-pam_systemd.so session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm-] {+pam_env.so+} # wdiff common-auth-pc common-auth.rpmnew |colordiff [-#%PAM-1.0-]# # [-This file is autogenerated by pam-config. All changes # will be overwritten. # # Authentication-related modules-] {+/etc/pam.d/common-auth - authentication settings+} common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth required pam_env.so auth [-optional pam_gnome_keyring.so auth-] required [-pam_unix2.so-] {+pam_unix.so try_first_pass+} # wdiff common-password.rpmnew common-password-pc |colordiff {+#%PAM-1.0+} # # [-/etc/pam.d/common-password - password-related-] {+This file is autogenerated by pam-config. All changes # will be overwritten. 
# # Password-related+} modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. # [-# The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. #-] password requisite [-pam_cracklib.so-] {+pam_pwcheck.so nullok cracklib password optional pam_gnome_keyring.so use_authtok+} -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
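Review bot: the third comparison is run with its arguments swapped relative to the first two (`wdiff common-password.rpmnew common-password-pc` versus `wdiff common-session-pc common-session.rpmnew`), so in the common-password output `{+…+}` marks the pam-config side while in the other two it marks the .rpmnew side; running all three in the same order would avoid misreading which file carries which module. The finding that matters is in the session comparison: `pam_systemd.so` appears only inside `[-…-]`, that is, only in common-session-pc, and the .rpmnew side ends with `session optional pam_env.so` instead. The common-account pair is stated as unavailable, so that stack is not covered by this diff.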
https://bugzilla.novell.com/show_bug.cgi?id=793657#c17
--- Comment #17 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c18
--- Comment #18 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=793657#c19
--- Comment #19 from Jiri Slaby
https://bugzilla.novell.com/show_bug.cgi?id=793657#c20
--- Comment #20 from Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=793657#c21
--- Comment #21 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c22
--- Comment #22 from Jiri Slaby
> - paste here the output of "journalctl" when you logged in as ku

su[22061]: (to ku) xslaby on /dev/pts/3
su[22061]: pam_unix(su:session): session opened for user ku by xslaby(uid=500)
su[22061]: pam_systemd(su:session): Asking logind to create session: uid=502 pid=22061 service=su type=tty class=...ote_host=
systemd-logind[1873]: New session c27 of user ku.
https://bugzilla.novell.com/show_bug.cgi?id=793657#c23
--- Comment #23 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c24
--- Comment #24 from Jiri Slaby
> What is the value of /proc/self/loginuid before you run "su ku" and in the "su ku" session ?

cat: /proc/self/loginuid: No such file or directory

I have auditing disabled...
https://bugzilla.novell.com/show_bug.cgi?id=793657#c25
--- Comment #25 from Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c26
--- Comment #26 from Jiri Slaby
> could you try to enable it in your kernel ? logind relies on loginuid (not auditd) to identify sessions (and consolekit was also relying on it before IIRC).

Yes, enabling audit support in the kernel (thus exposing loginuid in /proc) creates no more sessions by `su'...

Why systemd assumes loginuid to be present (IOW auditing to be turned on)? This requirement is invalid the same as many other assumptions systemd has :/.
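The three conditions this thread isolated (common-*.rpmnew files left in the PAM directory, a session stack without pam_systemd.so, and a missing /proc/self/loginuid) can be checked in one pass. This is an added example, not part of the original thread; the function names, output labels and sample directory are constructed, and it assumes the session stack is readable as common-session inside the PAM directory.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the conditions discussed in the thread.

# List common-*.rpmnew leftovers in PAM directory $1, one per line.
find_rpmnew() {
    for f in "$1"/common-*.rpmnew; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Succeed if stack file $1 has an active session line loading pam_systemd.so.
# Comment lines do not match; a leading "-" on the type is PAM's quiet-if-missing prefix.
session_has_pam_systemd() {
    grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_systemd\.so' "$1" 2>/dev/null
}

# Print one finding per problem; return 0 only when nothing was found.
# $1 = PAM directory, $2 = loginuid file (defaults point at the live system).
# Paths are assumed to contain no whitespace.
audit_pam_sessions() {
    dir=${1:-/etc/pam.d}; loginuid=${2:-/proc/self/loginuid}; rc=0
    for f in $(find_rpmnew "$dir"); do
        echo "rpmnew-leftover: $f"; rc=1
    done
    if ! session_has_pam_systemd "$dir/common-session"; then
        echo "no-pam_systemd: $dir/common-session"; rc=1
    fi
    if [ ! -r "$loginuid" ]; then
        echo "no-loginuid: $loginuid"; rc=1
    fi
    return $rc
}

# Constructed sample: a session stack without pam_systemd plus an .rpmnew leftover.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '# pam_systemd.so is only mentioned in this comment' \
        'session required pam_limits.so' \
        'session required pam_unix.so try_first_pass' \
        'session optional pam_env.so' > "$d/common-session"
    cp "$d/common-session" "$d/common-session.rpmnew"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
audit_pam_sessions "$sample" "$sample/loginuid" || echo "findings reported above"
rm -rf "$sample"
```

Called with no arguments, `audit_pam_sessions` inspects /etc/pam.d and /proc/self/loginuid on the running system.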
https://bugzilla.novell.com/show_bug.cgi?id=793657#c27
Frederic Crozat
https://bugzilla.novell.com/show_bug.cgi?id=793657#c28
--- Comment #28 from Frederic Crozat