Bug#1076728: elogind: privileged operation with polkit fails
Andrew Bower
andrew at bower.uk
Mon Dec 16 21:41:31 GMT 2024
Hi Mark,
On Mon, Dec 16, 2024 at 05:41:57PM +0000, Mark Hindley wrote:
> I am afraid I still can't reproduce this.
Thank you so much for following up!
> Check some basics please. I have the following installed:
>
> test at DebianUnstable:~$ dpkg -l|grep -E 'polkit|elogind|systemd'|grep ^ii
> ii elogind 255.5-1debian3 amd64 user, seat and session management daemon
> ii libpam-elogind:amd64 255.5-1debian3 amd64 elogind PAM module
> ii libpam-elogind-compat:amd64 1.3 amd64 Compatibility package for testing integration of libpam-elogind into Debian
> ii libpolkit-agent-1-0:amd64 125-2 amd64 polkit Authentication Agent API
> ii libpolkit-gobject-1-0:amd64 125-2 amd64 polkit Authorization API
> ii polkitd 125-2 amd64 framework for managing administrative policies and privileges
> ii libsystemd0:amd64 257-2 amd64 systemd utility library
I have some additional packages, but otherwise the same
(libpam-elogind-compat virtual package does not seem to be available to
install - I didn't look into it further):
-------- ✂ --------
$ dpkg -l|grep -E 'polkit|elogind|systemd'|grep ^ii
ii elogind 255.5-1debian3 amd64 user, seat and session management daemon
ii gir1.2-polkit-1.0 125-2 amd64 GObject introspection data for polkit
ii libpam-elogind:amd64 255.5-1debian3 amd64 elogind PAM module
ii libpolkit-agent-1-0:amd64 125-2 amd64 polkit Authentication Agent API
ii libpolkit-gobject-1-0:amd64 125-2 amd64 polkit Authorization API
ii libpolkit-gobject-1-dev 125-2 amd64 polkit Authorization API - development files
ii libsystemd-dev:amd64 257-2 amd64 systemd utility library - development files
ii libsystemd-shared:amd64 257-2 amd64 systemd shared private library
ii libsystemd0:amd64 257-2 amd64 systemd utility library
ii pkexec 125-2 amd64 run commands as another user with polkit authorization
ii polkitd 125-2 amd64 framework for managing administrative policies and privileges
ii runit-run 2.1.2-60 all service supervision (systemd and sysv integration)
ii systemctl 1.4.4181-1.1 all daemonless "systemctl" command to manage services without systemd
ii systemd-dev 257-2 all systemd development files
ii systemd-standalone-sysusers 257-2 amd64 standalone sysusers binary for use in non-systemd systems
-------- ✂ --------
> All lightdm* PAM configs should include common-session:
>
> test at DebianUnstable:~$ grep common-session /etc/pam.d/lightdm*
> /etc/pam.d/lightdm:@include common-session
> /etc/pam.d/lightdm-autologin:@include common-session
> /etc/pam.d/lightdm-greeter:@include common-session
>
> PAM common-session should include pam_elogind.so:
>
> test at DebianUnstable:~$ grep elogind /etc/pam.d/common-session
> session optional pam_elogind.so
>
> With that, when you login you should have a valid session:
>
> test at DebianUnstable:~$ loginctl
> SESSION UID USER SEAT TTY STATE IDLE SINCE
> 1 1000 test seat0 - active no -
> c1 105 lightdm seat0 - closing no -
>
> 2 sessions listed.
>
> and that session can be used to gain privs (you might need to install pkexec)
>
> test at DebianUnstable:~$ pkexec id
> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
> Authentication is needed to run `/usr/bin/id' as the super user
> Authenticating as: Test User,,, (test)
> Password:
> ==== AUTHENTICATION COMPLETE ====
> uid=0(root) gid=0(root) groups=0(root)
>
> All lightdm and xfce hibernate/restart/shutdown options are available and functional.
>
> Which steps give you different results?
The other steps produced no difference:
-------- ✂ --------
$ grep common-session /etc/pam.d/lightdm*
/etc/pam.d/lightdm:@include common-session
/etc/pam.d/lightdm-autologin:@include common-session
/etc/pam.d/lightdm-greeter:@include common-session
$ grep elogind /etc/pam.d/common-session
session optional pam_elogind.so
$ loginctl
SESSION UID USER SEAT TTY STATE IDLE SINCE
1 1000 andy seat0 - active no -
c1 108 lightdm seat0 - closing no -
2 sessions listed.
$ pkexec id
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/id' as the super user
Authenticating as: Andrew Bower,,, (andy)
Password:
==== AUTHENTICATION COMPLETE ====
uid=0(root) gid=0(root) groups=0(root)
-------- ✂ --------
I have another desktop system which also reproduces this and two that
don't:
+---+-------+----------------------+------------------+---------+--------+
| # | arch  | Installation         | Current          | DM      | Result |
|   |       | OS       | init      | OS       | init  | DE      |        |
+===+=======+==========+===========+==========+=======+=========+========+
| A | amd64 | debian/  | systemd   | debian/  | sysv  | lightdm | FAIL   |
|   |       | unstable |           | unstable |       | xfce4   |        |
+---+-------+----------+-----------+----------+-------+---------+--------+
| B | i386  | debian/  | systemd   | debian/  | sysv  | lightdm | FAIL   |
|   |       | unstable |           | unstable |       | xfce4   |        |
+---+-------+----------+-----------+----------+-------+---------+--------+
| C | amd64 | debian/  | systemd   | debian/  | runit | slim    | PASS   |
|   |       | bookworm | then sysv | unstable |       | xfce4   |        |
+---+-------+----------+-----------+----------+-------+---------+--------+
| D | amd64 | devuan/  | runit     | devuan/  | runit | slim    | PASS   |
|   | amd64 | testing  |           | unstable |       | xfce4   |        |
+---+-------+----------+-----------+----------+-------+---------+--------+
Another feature that fails due to this issue is access to smartcard via
pcscd, which reports:
2024-12-16T14:37:57.756789+00:00 shenstone pcscd: ../src/auth.c:145:IsClientAuthorized() Process 3349 (user: 1000) is NOT authorized for action: access_pcsc
2024-12-16T14:37:57.756838+00:00 shenstone pcscd: ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client
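
Added example, not part of the original message: a static version of the PAM checks in the checklist quoted above, which follows the include chain from a display manager's PAM file and reports whether pam_elogind.so is reached on a session line. The sample files, the broken-dm service and the function names are constructed for illustration; handling of the include/substack controls goes beyond the @include lines shown in the thread.

```shell
# Added example: static check of the PAM session chain (constructed sample files).
# pam_session_modules DIR SERVICE prints "control module" for every session
# module SERVICE reaches, following @include and include/substack.
pam_session_modules() (
    dir=$1; svc=$2; depth=${3:-0}
    [ "$depth" -lt 8 ] || return 0      # guard against include loops
    [ -r "$dir/$svc" ] || return 0
    # Drop comments; collapse "[a=b c=d]" controls into a single token.
    sed -e 's/#.*//' -e 's/\[[^]]*\]/[...]/' "$dir/$svc" |
    while read -r type control module _rest; do
        case $type in
            '') continue ;;
            @include) pam_session_modules "$dir" "$control" $((depth + 1)) ;;
            session|-session)
                case $control in
                    include|substack)
                        pam_session_modules "$dir" "$module" $((depth + 1)) ;;
                    *) printf '%s %s\n' "$control" "$module" ;;
                esac ;;
        esac
    done
)

# True when SERVICE's session stack reaches pam_elogind.so.
service_registers_session() {
    pam_session_modules "$1" "$2" | grep -q 'pam_elogind\.so$'
}

# Constructed stand-in for /etc/pam.d; broken-dm is a hypothetical service
# that never includes common-session.
make_sample_tree() {
    printf '%s\n' 'auth required pam_unix.so' '@include common-session' > "$1/lightdm"
    printf '%s\n' 'session include common-session' > "$1/lightdm-greeter"
    printf '%s\n' 'session required pam_unix.so' > "$1/broken-dm"
    printf '%s\n' '# constructed sample' \
        'session [default=1 success=ok] pam_permit.so' \
        'session required pam_unix.so' \
        'session optional pam_elogind.so' > "$1/common-session"
}

tree=$(mktemp -d)
make_sample_tree "$tree"
for svc in lightdm lightdm-greeter broken-dm; do
    if service_registers_session "$tree" "$svc"; then
        echo "$svc: pam_elogind.so reached"
    else
        echo "$svc: pam_elogind.so NOT reached"
    fi
done
rm -rf "$tree"
```

A pass here only shows that the configuration is in place; whether a session was actually registered still has to be confirmed at runtime with loginctl.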