Bug#1077676: pcscd: unprivileged users not authorised to access OpenPGP smart cards

Thorsten Glaser t.glaser at qvest-digital.com
Thu Aug 1 11:10:38 BST 2024


On Thu, 1 Aug 2024, Mark Hindley wrote:

>On Thu, Aug 01, 2024 at 09:02:07AM +0200, Gian Piero Carrubba wrote:

>> The problem is registering an xdm-initiated session with elogind.
>> /etc/pam.d/xdm includes /etc/pam.d/common-session that calls
>> libpam-elogind, so in this sense xdm uses elogind.

That’s… very convoluted and doubly indirected, and xdm does not
itself provide /etc/pam.d/common-session, so I’d categorically
refute this statement (not that that’s grounds to not try and
fix this, but I want to make this point clear first).

>> So, if the $x-display-manager is standardized by the Debian Policy
>> (i.e., all the display managers define the facility)
>
>I think most do, but it is no longer policy.

This ought to suffice.

>> tested), the solution should be for elogind to include
>> 
>>  # X-Start-Before: $x-display-manager

Yes.

>I am not averse to this, but I am not sure it addresses all cases. In
>particular non-graphical login to a console.

The getty(8)s are only started after the run commands have
all finished, so console login is anyway only possible after
that.

I always found it weird that Debian started the graphical
login managers “too early” and had problems with that in
the lenny/hardy time myself, so I tended to wait for a few
minutes or did a quick Ctrl-Alt-F1 to see if rc was finished
then Ctrl-Alt-F7, on the work desktops.

I remember this was introduced in a time when the operating
systems raced for quick boot times (a time that spawned much
bad design and decisions); Microsoft cheated, too, by making
the user able to login before half their background services
were started just to be able to prove their assumed superiority
(that the system was laggy and barely usable the first minutes
after login was carefully not mentioned), and I guess that the
“modern” GNU/Linux desktop crowd just followed suit.

Given how the latter are now using systemd anyway, I think it
prudent to make sure that any graphical login manager is run
as late as possible in the boot sequence, if not last, always.
People using sysvinit and consorts tend to have reliability as
of a higher worth than perceived speed so are unlikely to
complain, anyway. (I know I revert sysvinit to sequential boot on
a̲n̲y̲ ̲a̲n̲d̲ ̲a̲l̲l̲ systems.)

bye,
//mirabilos
-- 
Infrastructure expert • Qvest Digital AG
Am Dickobskreuz 10, D-53121 Bonn • https://www.qvest-digital.com/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 18196 • USt-ID (VAT): DE274355441
Executive board: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Chairman of the supervisory board: Peter Nöthen


