From: Samuli Suominen
Date: Mon, 10 Feb 2014 12:52:02 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] [poll] What is your session state?
Message-ID: <52F8AF52.1010100@gentoo.org>

On 10/02/14 00:43, walt wrote:
> Recent threads about consolekit vs logind(systemd) have made me curious, so
> I've been studying...
>
> A few of us have had recent problems with things like plugging USB sticks,
> which once worked transparently but now require root privileges.
>
> I've discovered that my own such problems are caused by this:
>
> $loginctl show-session 1 (I have only one session, cleverly named '1')
>
> Id=1
> Timestamp=Sun 2014-02-09 07:18:32 PST
> TimestampMonotonic=389744251
> VTNr=1
> TTY=/dev/tty1
> Remote=no
> Service=login
> Scope=session-1.scope
> Leader=426
> Audit=1
> Type=tty
> Class=user
> Active=no <========================= should be 'yes'
> State=online <======================= should be 'active'
>
> Users of consolekit, don't feel neglected. You should try this instead:
>
> $ck-list-sessions
> Session1:
>     unix-user = '1001'
>     realname = '(null)'
>     seat = 'Seat2'
>     session-type = ''
>     active = FALSE (correct because I'm ssh'd into a remote box)
>     x11-display = ':0'
>     x11-display-device = '/dev/tty2'
>     display-device = '/dev/tty1'
>     remote-host-name = ''
>     is-local = FALSE
>     on-since = '2014-02-09T22:00:10.750312Z'
>     login-session-id = '1'
>
> Canek explained that the reason my session is not 'active' is that I'm
> not using a Display Manager (gdm kdm lightdm), which talks to logind or
> consolekit and vouches for my physical presence at the local keyboard.
>
> However, when I do the same thing on arch linux (as a virtualbox guest)
> I see that my session (running gnome) is 'active' and I have no trouble
> powering off the virtual machine as an unprivileged user.
>
> Any ideas how I can fix it?
>
> BTW, this helped me to understand some of the buzzwords I used above:
>
> http://www.freedesktop.org/wiki/Software/systemd/multiseat/
>

sys-auth/pambase with USE="consolekit" or USE="systemd" brings in
pam_ck_connector.so (ConsoleKit) or pam_systemd.so (systemd) is required
in login to get the initial active session:

ConsoleKit or systemd-logind starts during boot -> user logins to tty1 ->
PAM triggers pam_ck_connector.so or pam_systemd.so -> and now you have one
initial session, second one is started after 'startx' and the
login-session-id is the key knowing it's the same user now in X11, instead
of console since it changes the first session inactive (since it knows you
now started X11 and are no longer in console) and activates the newly
started one in X11

however display managers with *built-in* CK or logind support are special,
and more straightforward and directly talk to CK or logind, and thus, work
somewhat more easily by skipping many possible problems

maybe you can somehow do it with GDM so that remote session shows active,
I don't know about that, but what you can do is write your own polkit
rules like:

Put the following content to file: /etc/polkit-1/rules.d/51-local.rules

    polkit.addAdminRule(function(action, subject) {
        return ["unix-group:wheel"];
    });

Now users in group "wheel" should be able to do anything, this is also in
"man 8 polkit"
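
A narrower alternative to the blanket admin rule in the reply, as an added example that is not part of the original message: it grants only two named actions to local members of wheel and leaves every other action to polkit's defaults. The two action ids, the `polkit` stand-in object and the `makeSubject`/`evaluate` helpers are assumptions, included so the rule's decisions can be checked under Node.

```javascript
// Stand-in for the object polkitd hands to rules files. Constructed for this
// example so the rule can be exercised under Node; it is not part of the rule.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// ---- rule body, as it would appear in a file under /etc/polkit-1/rules.d/ ----
polkit.addRule(function (action, subject) {
  // Assumed action ids: udisks2 filesystem mount and logind power-off.
  var allowed = [
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.login1.power-off",
  ];
  if (allowed.indexOf(action.id) === -1) {
    return polkit.Result.NOT_HANDLED; // every other action keeps its default
  }
  // Require a local session so a remote login does not pick up the grant.
  // subject.active is deliberately not checked: the session in the thread
  // reports Active=no even though the user is at the console.
  if (subject.local && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});
// ------------------------------------------------------------------------------

// Harness helper (constructed): a subject with the fields the rule reads.
function makeSubject(user, groups, local, active) {
  return {
    user: user, groups: groups, local: local, active: active,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; },
  };
}

// Harness helper (constructed): ask each registered rule in order, as polkitd
// does, and stop at the first one that returns a decision.
function evaluate(actionId, subject) {
  for (const rule of polkit._rules) {
    const result = rule({ id: actionId }, subject);
    if (result && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.NOT_HANDLED; // polkitd would apply the action's defaults
}
```

Dropping the active check means a wheel member whose local session is in the background also gets these two actions; that is the trade-off for working without a display manager.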