pam_ck_connector.so is called for non-login sessions
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
| gdm | Fix Released | Low | | |
| consolekit (Ubuntu) | | Low | Unassigned | |
| gdm (Ubuntu) | | Low | Unassigned | |
Bug Description
Binary package hint: gdm
I have kerneloops installed and with new gdm from karmic the kernoops user is listed as real user in the gdm greeter.
from /etc/passwd
kernoops:
kerneloops version is 0.12-0ubuntu5
ProblemType: Bug
Architecture: i386
Date: Fri Jul 3 20:48:24 2009
DistroRelease: Ubuntu 9.10
Package: gdm 2.26.1-0ubuntu1
ProcEnviron:
PATH=(custom, user)
LANG=fr_FR.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: gdm
Uname: Linux 2.6.31-1-generic i686
summary: |
- kernoops user is listed as real user in gdm 2.26.x
+ gdm 2.26 criteria for which users shown in greeter list are bad
Max Bowsher (maxb) wrote : | #3 |
On one of my machines, the only interactive user is *not* displayed in the selection box. It sounds as if the criteria for user filtering need to be refined in both directions.
James Westby (james-w) wrote : Re: gdm 2.26 criteria for which users shown in greeter list are bad | #4 |
gdm uses ck-history to find recent users that had ck sessions. We currently
end up with ck sessions for some system users, so they can appear here, which
should probably be fixed independently.
gdm then parses this and removes some users based on a hard-coded exclude
list, which doesn't include a lot of system users.
It also filters users based on a minimum UID that is lower than the min UID
for non-system users, so if someone has a lot of system users they will show
up based on that.
Suggested fix:
* Increase the min UID
* As users from /etc/passwd are excluded by the checks before the exclude
check, add them to the exclude hash so that they don't enter the list via
ck.
Thanks,
James
James Westby (james-w) wrote : | #5 |
Also, the ck-history code could not add users, but just update the frequency of
existing users, avoiding this in that manner as well.
Thanks,
James
Changed in gdm (Ubuntu): | |
assignee: | nobody → Ubuntu Desktop Bugs (desktop-bugs) |
importance: | Undecided → Low |
status: | New → Triaged |
Changed in gdm: | |
status: | Unknown → New |
Max Bowsher (maxb) wrote : | #6 |
It appears that the reason I saw no users was because some consolekit related thing was taking lots of time to process, blocking the list population. On a second boot, the list initially appeared unpopulated, but was populated with relevant users after about 5 seconds. (Point of interest: ck-history was still running and consuming lots of CPU for several seconds *after* login.)
Changed in gdm (Ubuntu): | |
assignee: | Ubuntu Desktop Bugs (desktop-bugs) → Martin Pitt (pitti) |
Changed in gdm (Ubuntu): | |
status: | Triaged → Fix Committed |
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package gdm - 2.26.1-0ubuntu3
---------------
gdm (2.26.1-0ubuntu3) karmic; urgency=low
* Add 03_hide_
users" list. (LP: #395281)
* debian/rules: Call dh_installinit with --no-scripts, to avoid restarting
gdm (and killing your X session) during upgrade. The prerm/postinst
scripts already have code to reload gdm if appropriate. Unfortunately this
doesn't help to fix the upgrade from 0ubuntu2, its prerm already kills it.
(LP: #395302) This also fixes the "locks session and spawns a second X
server" issue on upgrades from Jaunty. (LP: #395313)
* Drop 16_correct_
and installs /etc/gdm/
debian/
(LP: #395861)
* 02_dont_
get_
when setting $GDM_KEYBOARD_
check. (LP: #395595)
-- Martin Pitt <email address hidden> Mon, 06 Jul 2009 16:04:25 +0200
Changed in gdm (Ubuntu): | |
status: | Fix Committed → Fix Released |
Id2ndR (id2ndr) wrote : | #8 |
I'm not sure I correctly understand the information above, so here is my question: is it possible to customise the user that should not be shown in karmic without changing their uid to a value lower than 1000?
Id2ndR (id2ndr) wrote : | #9 |
I think I have the answer: this is the following Debian bug http://
Changed in gdm: | |
importance: | Unknown → Low |
Changed in gdm: | |
status: | New → Fix Released |
Chad Miller (cmiller) wrote : | #10 |
I can't seem to open/Confirm this for Natty only.
I suspect it's the same problem, for 2.32.0-0ubuntu1 in Natty.
Changed in gdm (Ubuntu): | |
status: | Fix Released → Confirmed |
Chad Miller (cmiller) wrote : | #11 |
My /etc/gdm/
[greeter]
DefaultFace=
GlobalFaceDir=
EOF
My gdm.conf.dpkg-bak has "MinimalUID=1000" in its [greeter] section, FWIW.
Daemon users showing up are rabbitmq (uid 133) and couchdb (uid 127).
Chad Miller (cmiller) wrote : | #12 |
$ ck-history --frequent
cmiller 279
rabbitmq 60
nobody 55
maryelle 34
gdm 33
couchdb 27
guest 3
root 1
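Added example, not part of the original bug report: a shell function that cross-references `ck-history --frequent` output like the listing above with passwd entries and reports the accounts that are system users rather than people. The 1000 threshold follows the MinimalUID=1000 value mentioned in comment #11; the exclude parameter, its default of nobody, and every UID in the sample passwd data except rabbitmq (133) and couchdb (127) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): report which `ck-history --frequent`
# entries belong to system accounts rather than human users.

# list_system_sessions HISTORY PASSWD [MIN_UID] [EXCLUDE]
#   MIN_UID  lowest UID treated as a human user (default 1000)
#   EXCLUDE  space-separated names always treated as system (default "nobody",
#            whose UID 65534 passes a pure minimum-UID check)
# Prints "user uid count"; uid is "?" when the user has no passwd entry.
list_system_sessions() {
    awk -v min="${3:-1000}" -v excl="${4:-nobody}" '
        BEGIN { n = split(excl, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        FNR == NR { uid[$1] = $3; next }      # first file (passwd): name -> uid
        NF >= 2 {
            if (!($1 in uid)) print $1, "?", $2
            else if (($1 in skip) || uid[$1] + 0 < min + 0)
                print $1, uid[$1], $2
        }
    ' FS=: "$2" FS=' ' "$1"
}

demo_ck_history() {
    tmp=$(mktemp -d) || return 1
    # ck-history output as posted in comment #12
    cat > "$tmp/history" <<'EOF'
cmiller 279
rabbitmq 60
nobody 55
maryelle 34
gdm 33
couchdb 27
guest 3
root 1
EOF
    # Constructed passwd sample; only the rabbitmq and couchdb UIDs are from the thread
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
gdm:x:114:120::/var/lib/gdm:/bin/false
couchdb:x:127:127::/var/lib/couchdb:/bin/bash
rabbitmq:x:133:133::/var/lib/rabbitmq:/bin/sh
cmiller:x:1000:1000::/home/cmiller:/bin/bash
maryelle:x:1001:1001::/home/maryelle:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
    list_system_sessions "$tmp/history" "$tmp/passwd"
    rm -rf "$tmp"
}

demo_ck_history
```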
Martin Pitt (pitti) wrote : | #13 |
This is really a bug in the libpam-ck-connector PAM integration. It shouldn't be in common-session, but in /etc/pam.d/login only.
/usr/share/
If pam-auth-update can't put stuff into /etc/pam.d/login, then we need to work around this in consolekit itself and filter out system users.
affects: | kerneloops (Ubuntu) → consolekit (Ubuntu) |
Changed in consolekit (Ubuntu): | |
status: | Invalid → Triaged |
Martin Pitt (pitti) wrote : | #14 |
Let's not continue to hack around this in gdm any more, it's just wrong, and a waste of IO, cycles, and power to always run consolekit on every cron or at session.
Changed in consolekit (Ubuntu): | |
status: | Triaged → Won't Fix |
status: | Won't Fix → Triaged |
Changed in gdm (Ubuntu): | |
status: | Confirmed → Won't Fix |
Changed in consolekit (Ubuntu): | |
assignee: | nobody → Martin Pitt (pitti) |
Changed in gdm (Ubuntu): | |
assignee: | Martin Pitt (pitti) → nobody |
summary: |
- gdm 2.26 criteria for which users shown in greeter list are bad
+ pam_ck_connector.so is called for non-login sessions
Steve Langasek (vorlon) wrote : Re: [Bug 395281] Re: gdm 2.26 criteria for which users shown in greeter list are bad | #15 |
On Fri, Dec 10, 2010 at 03:27:36PM -0000, Martin Pitt wrote:
> This is really a bug in the libpam-ck-connector PAM integration. It shouldn't be in common-session, but in /etc/pam.d/login only.
> /usr/share/
> yes", so pam-auth-update shouldn't put it in common-session in the first
> place (as this is also called for cron and the like)?
No, common-session is the file for "interactive" services; "noninteractive"
services need to include common-
common-session, and any noninteractive service that is including
common-session is buggy.
> If pam-auth-update can't put stuff into /etc/pam.d/login
It does not, no. But that should be immaterial; if these extra entries are
coming from cron, that was fixed in karmic.
OTOH, if they're coming from an init script that's calling 'su', that's a
buggy init script; init scripts should use start-stop-daemon, not su.
Maybe login is the *only* service that pam_ck_connector should be applied
to for other reasons because the distinction between login and non-login
*interactive* sessions matters, but I don't think ck-history should be a
reason for that.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://
<email address hidden> <email address hidden>
Martin Pitt (pitti) wrote : | #16 |
Steve,
thanks for the clarification. So it seems rabbitmq and couchdb are cases of using "su". I'm a bit undecided whether "login" should really be the only service for pam-ck. It's the main use case for e.g. giving you access to your sound card if you log in through a VT, but it's also nice to get that if you do su - otheruser. Ideally we'd only count this as a user session if this actually called the login shell, but that's outside of PAM.
So I think the best course of action is to fix CK to ignore system users and also fix the couchdb/rabbitmq init scripts to not use su.
Chad Miller (cmiller) wrote : | #17 |
Also in my /etc/init.d are ejabberd and pgbouncer using "su".
Max Bowsher (maxb) wrote : | #18 |
It's far from uncommon to use su in startup scripts - even ones crafted by local sysadmins. I don't think defining 'su' to start a CK session is the right thing to do.
Case in point: I crafted a local upstart job to run a java rmiregistry on my machine, and I su-ed it because it has no need to run as root, and no user-changing capability of its own. Later, I started getting spurious "there is another user logged in" warnings when shutting down my computer. It took some considerable head-scratching before I realized the non-obvious linkage here, and then only because I had some small prior experience with CK oddities.
Steve Langasek (vorlon) wrote : Re: [Bug 395281] Re: pam_ck_connector.so is called for non-login sessions | #19 |
On Tue, Dec 14, 2010 at 01:22:22AM -0000, Max Bowsher wrote:
> It's far from uncommon to use su in startup scripts - even ones crafted
> by local sysadmins. I don't think defining 'su' to start a CK session is
> the right thing to do.
su *is* the wrong tool to use for starting services, because su *is* defined
to start PAM sessions. pam_ck_connector is not the only PAM module that may
get called by su that shouldn't be called when starting a service - such as
pam_limits, to pick one commented out example from /etc/pam.d/su itself.
That local sysadmins *may* make uninformed choices when writing their init
scripts doesn't change the fact that you don't want to start a PAM session
from an init script, and the adverse interactions with pam_ck_connect are
only one symptom of this.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://
<email address hidden> <email address hidden>
Changed in gdm: | |
status: | Fix Released → Confirmed |
Sebastien Bacher (seb128) wrote : | #20 |
that's still an issue, see bug #699930
Changed in gdm: | |
status: | Confirmed → Fix Released |
Sampo Savolainen (v2) wrote : | #21 |
This bug affects 11.10 and rabbitmq. The computer will not shut down via lightdm or gnome session because lightdm thinks rabbitmq is still running. It's worth noting I don't use the Ubuntu-provided rabbitmq packages. Instead I use the packages from rabbitmq.com. I haven't tested this issue with the Ubuntu rabbitmq package.
Simon MacMullen (simon-macmullen) wrote : | #22 |
Steve Langasek said:
> su *is* the wrong tool to use for starting services, because su *is* defined
> to start PAM sessions.
Gosh, I wish I'd seen that a year ago :)
I hope this is a reasonable place to ask the following question:
So if I can't use su, what can I use? I want to start the rabbit process as the "rabbitmq" user, and Erlang programs can't easily setuid(3). I'm not aware of an alternative to su, but I could well be ignorant.
Simon MacMullen (simon-macmullen) wrote : | #23 |
Gah, I can't read. start-stop-daemon.
Martin Pitt (pitti) wrote : | #24 |
Simon MacMullen [2011-12-05 10:58 -0000]:
> So if I can't use su, what can I use? I want to start the rabbit process
> as the "rabbitmq" user, and Erlang programs can't easily setuid(3). I'm
> not aware of an alternative to su, but I could well be ignorant.
In the Debian world we use start-stop-daemon with the -c/-g options,
see the manpage.
Thanks, Martin
--
Martin Pitt | http://
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
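Added example, not part of the original thread: a shell audit for the problem discussed in comments #15 to #24, listing init scripts that start a service through su, with a constructed script using start-stop-daemon's --chuid/--group (the long forms of -c/-g) for comparison. The function name, script names and /opt/example paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread): find init scripts that launch a
# service through su, which opens a PAM session, and compare with the
# start-stop-daemon form recommended above.

# find_su_invocations DIR
# Prints "file:line:text" for every non-comment line that runs su as a command.
# Plain text matching: a quoted string containing "su " is reported too.
find_su_invocations() {
    # /dev/null as an extra operand forces the "file:" prefix for a lone script
    grep -nE '(^|[^[:alnum:]_.-])su[[:space:]]' "$1"/* /dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

demo_su_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/init.d"
    # Constructed script: su runs the pam.d/su session stack for a daemon
    cat > "$tmp/init.d/broker-su" <<'EOF'
#!/bin/sh
# su opens a PAM session for the service account
su -s /bin/sh -c "/opt/example/bin/server" rabbitmq &
EOF
    # Constructed script: same service, no PAM session involved
    cat > "$tmp/init.d/broker-ssd" <<'EOF'
#!/bin/sh
start-stop-daemon --start --quiet --background \
    --chuid rabbitmq --group rabbitmq \
    --make-pidfile --pidfile /var/run/example-server.pid \
    --exec /opt/example/bin/server
EOF
    ( cd "$tmp" && find_su_invocations init.d )
    rm -rf "$tmp"
}

demo_su_audit
```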
Changed in consolekit (Ubuntu): | |
assignee: | Martin Pitt (pitti) → nobody |
importance: | Undecided → Low |
The kerneloops package correctly creates the user as a system user,
so this seems to be a GDM issue.
I can't see what is different about the kernoops user that makes it
show up, is it the only system user listed?
Thanks,
James