Bug 229172 - login(1) needs to poke ConsoleKit
Summary: login(1) needs to poke ConsoleKit
Alias: None
Product: Fedora
Classification: Fedora
Component: ConsoleKit
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: David Zeuthen
QA Contact:
Depends On:
Blocks: FC7Blocker 228110
Reported: 2007-02-19 07:45 UTC by James Ralston
Modified: 2013-03-06 03:49 UTC

Fixed In Version: 2.13-0.50
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-04-18 00:54:44 UTC
Type: ---

Attachments
source code patch (12.88 KB, patch)
2007-02-20 04:33 UTC, David Zeuthen
spec file patch (1.30 KB, patch)
2007-02-20 04:35 UTC, David Zeuthen

Description James Ralston 2007-02-19 07:45:03 UTC
I've installed FC7test1 on my laptop (a Dell Latitude D600), and
gnome-power-manager consistently fails to suspend:

Feb 19 02:34:58 example gnome-power-manager: (username) Suspending computer because the lid has been closed on ac power
Feb 19 02:34:58 example gnome-power-manager: (username) Permission denied: Not in active session code='30' quark='g-exec-error-quark'
Feb 19 02:34:58 example gnome-power-manager: (username) Resuming computer
Feb 19 02:34:58 example gnome-power-manager: (username) suspend failed

Actual results:

Expected results:

Additional info:

Comment 1 James Ralston 2007-02-19 07:47:57 UTC
Additionally, FC6 (what I was running previously) was able to suspend/resume
just fine.

Comment 2 David Zeuthen 2007-02-19 15:59:06 UTC
Do you login via gdm?

Comment 3 James Ralston 2007-02-19 18:09:41 UTC
Nope.  I boot in runlevel 3, then login on the console and run "startx".

Comment 4 David Zeuthen 2007-02-19 18:20:41 UTC
Yeah, we need to teach login(1) about poking ConsoleKit - see bug 228110 for
details. I'm assigning this to ConsoleKit for the time being as I'm working on a
patch for this. If you login via gdm things will work so you can do that for now
until this is fixed. Thanks.

Comment 5 James Ralston 2007-02-19 20:09:14 UTC
Hmmm, interesting stuff (about ConsoleKit and what not).  I'll use gdm for the
time being.

Comment 6 David Zeuthen 2007-02-20 04:32:36 UTC
Hi Karel,

As you know one of the features we're doing for Fedora 7 is fast user switching.


It means we have a new daemon, ConsoleKit, that tracks session activity and
announces state changes (session add, remove, active_changed) on D-Bus. This
means we can do things like dynamically adding / removing ACL's on device nodes
depending on whether a session is active and, in the future, what seat it
belongs to when we're going to do multi-seat and other interesting things.

ACL management was added to HAL (that now listens for ConsoleKit events) in the
hal-0.5.9-0.git200718.fc7 package and I'm aiming to make this completely replace
pam_console (and its shortcomings) in order to do things mentioned in bug
140853 as well as handling user space devices like gphoto2 cameras and SANE
scanners a lot better.

So the major change is that login managers now need to register with ConsoleKit
otherwise users in such sessions don't get access to device files, nor will they
be allowed to invoke non-trivial methods on HAL such as for mounting storage
devices and putting the computer to sleep. In gdm we've had support for
this for a while and bug 228110 is tracking all relevant login managers.

As such, it would be nice to support login sessions on VT's such that device
access and D-Bus calls are granted for console use (and also when people are
using startx). To enable this I've written a patch for login(1) that achieves
this for login sessions on VT's by registering with ConsoleKit!

Now, I know /bin/login is highly security sensitive code so I've tried to be
careful; the bulk of the code is in a CKConnection class (that is useful for
other login managers such as kdm). Btw, the reason for not doing this in a PAM
module is spelled out in bug 228110 comment 5.

Things about the patch

 - it makes util-linux depend on dbus; we could dlopen libdbus but I'm not
   sure it's worth it - D-Bus is now ABI stable and it's a core part of our
   OS. Anyway, I'm not violently opposed to dlopen() it just seems a bit
   more fragile.

 - needs some work on the build system integration for util-linux

 - ideally I'd like to get this upstream but it sorta depends a bit on
   when we're ready to declare the OpenSessionWithParameters() and
   CloseSession() methods on ConsoleKit ABI stable. I'm working this
   out with Jon (added as Cc)

Thanks for considering this.

Comment 7 David Zeuthen 2007-02-20 04:33:45 UTC
Created attachment 148400
source code patch

Comment 8 David Zeuthen 2007-02-20 04:35:12 UTC
Created attachment 148401
spec file patch

Comment 9 David Zeuthen 2007-02-20 04:36:41 UTC
RPM and SRPM for Rawhide here


Karel, sorry, I forgot to reassign to owner. Please see comment 6. Thanks!

Comment 10 David Zeuthen 2007-02-20 04:41:24 UTC
(Also, startx doesn't entirely work with this setup yet. The problem is that the
X server allocates a new VT (it can do this only because it's setuid root) so
ConsoleKit most probably needs to be poked by the X server such that CK can mark
the session as active both when, say, VT1 and VT8 is active. I talked to ajax,
our X.org guy, about this on IRC and he's fine with this approach. I'll look
into writing a patch for X about this after I've discussed this with Jon. Thanks.)

Comment 11 Patrice Dumas 2007-02-20 08:23:11 UTC
(In reply to comment #7)
> Created an attachment (id=148400)
> source code patch

Why can't this be done in pam instead? In session?
ckc_new and ckc_create_local_session would be called by the session
function, then pam_putenv would be used to set the 
XDG_SESSION_COOKIE environment variable. Why wouldn't that

Comment 12 David Zeuthen 2007-02-20 08:33:49 UTC
(In reply to comment #11)
> Why can't this be done in pam instead? 

Please see bug 228110 comment 5 why a PAM module in general cannot be used. Thanks.

Comment 13 David Zeuthen 2007-02-28 05:53:02 UTC
OK, so we now have a PAM module. So all we need to do is

 - make util-linux Requires: ConsoleKit-libs
 - add "session optional pam_ck_connector.so" to /etc/pam.d/login

Karel, is this OK with you? If so, can I make this change in pkg cvs once
ConsoleKit-libs is in Rawhide? Thanks.

Comment 14 Karel Zak 2007-02-28 09:23:35 UTC
David, cool news. Thanks. Go ahead!

Comment 15 David Zeuthen 2007-03-03 20:52:39 UTC
Awesome. I'm now building 2.13-0.50 which should have this change. Thanks!

Comment 16 James Ralston 2007-03-20 19:35:57 UTC
This still isn't working for me, and I'm up-to-date with Rawhide as of yesterday:

$ rpm -q util-linux ConsoleKit

If I login on the console, run startx, and then attempt to suspend, the error
messages are the same:

Mar 20 15:26:48 example gnome-power-manager: (username) Suspending computer because the lid has been closed on ac power
Mar 20 15:26:48 example gnome-power-manager: (username) Permission denied: Not in active session code='30' quark='g-exec-error-quark'
Mar 20 15:26:48 example gnome-power-manager: (username) Resuming computer
Mar 20 15:26:48 example gnome-power-manager: (username) suspend failed

Something that might be related: when I login on the console now, I consistently
receive this error message (before my .bash_profile executes):

** (console-kit-daemon:3492): WARNING **: Couldn't read /proc/3491/environ: Failed to open file '/proc/3491/environ': No such file or directory

Comment 17 David Zeuthen 2007-03-20 19:56:46 UTC
This should work with ConsoleKit-0.2.0-2 (hit Rawhide today) otherwise please
reopen. Thanks.

Comment 18 David Zeuthen 2007-03-20 20:00:50 UTC
Btw, the startx problem is separate from /bin/login. For the former I just filed
bug 233183.

Comment 19 David Woodhouse 2007-03-22 13:04:15 UTC
The requirement should be for ConsoleKit-libs of the _same_ architecture as the
util-linux package, to make sure it works with multilib environments (I just saw
the rawhide installer install 32-bit util-linux, correctly, and 64-bit

Since RPM doesn't let us specify architecture in Requires, an alternative would
be to change this to a file requirement on %_lib/security/pam_ck_connector.so

Comment 20 Karel Zak 2007-04-06 10:38:56 UTC
(In reply to comment #19)

> Since RPM doesn't let us specify architecture in Requires, an alternative would
> be to change this to a file requirement on %_lib/security/pam_ck_connector.so

I don't think so. See the PAM package. You need to install to /lib/security as
well as to /lib64/security.

Requires: %_lib/security/... sounds pretty exotic and odd.

Comment 21 Karel Zak 2007-04-06 11:10:02 UTC
Note, I mean the ConsoleKit-libs must be a multilib package, the same as pam and
other packages containing PAM modules.
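
Added example, not part of the bug thread and not code from util-linux or ConsoleKit: a shell check for the two conditions the thread ends on, the `session optional pam_ck_connector.so` line from comment 13 and the per-architecture module placement from comments 19 to 21. The function names, the sample tree and the `pam_loginuid.so` line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample tree below is constructed, not taken from the bug.

# check_ck_pam PAM_FILE ROOT
#   PAM_FILE  PAM service file, e.g. /etc/pam.d/login
#   ROOT      filesystem root to inspect ("" for the running system)
# Prints one finding per line; returns 0 only when nothing is missing.
check_ck_pam() {
    pam_file=$1 root=$2 rc=0 seen=0
    # PAM line layout: type control module-path [args]. Collapse a bracketed
    # control such as [success=ok default=ignore] so the module stays in $3.
    ctl=$(awk '{ sub(/\[[^]]*\]/, "[complex]"); m = $3; sub(/.*\//, "", m) }
        $1 ~ /^-?session$/ && m == "pam_ck_connector.so" { print $2; exit }' \
        "$pam_file")
    if [ -n "$ctl" ]; then
        echo "pam: session $ctl pam_ck_connector.so"
    else
        echo "pam: no active session line for pam_ck_connector.so"; rc=1
    fi
    # Multilib (comments 19-21): the module must exist for the architecture of
    # the login binary, so every module directory that is present is checked.
    for d in lib/security lib64/security; do
        [ -d "$root/$d" ] || continue
        seen=1
        if [ -e "$root/$d/pam_ck_connector.so" ]; then
            echo "ok: /$d/pam_ck_connector.so"
        else
            echo "missing: /$d/pam_ck_connector.so"; rc=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "no PAM module directory under $root/"; rc=1; }
    return "$rc"
}

# Constructed multilib tree in which only the 64-bit module is installed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/pam.d" "$tmp/lib/security" "$tmp/lib64/security"
    printf '%s\n' '#%PAM-1.0' \
        'session    required     pam_loginuid.so' \
        'session    optional     pam_ck_connector.so' > "$tmp/etc/pam.d/login"
    : > "$tmp/lib64/security/pam_ck_connector.so"
    status=0
    check_ck_pam "$tmp/etc/pam.d/login" "$tmp" || status=$?
    rm -rf "$tmp"
    return "$status"
}

demo || echo "demo: findings above need attention"
```

On a live system the call is `check_ck_pam /etc/pam.d/login ""`.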

Comment 22 Matthias Clasen 2007-04-17 22:39:08 UTC
David, do you want to close this? Or move it to rpm for the remaining multilib
issues?

Comment 23 David Zeuthen 2007-04-18 00:54:44 UTC
Yeah, agreed - David Woodhouse; please open a separate bug / clone this bug for
the multilib issues. Thanks.
