The sleep in polkit-read-auth-helper is critical in changing the behaviour of hal-acl-tool. (Looking into the strace of hal-acl-tool, I wonder if this is due to hal-acl-tool using real-time signals, e.g. SIGRTMIN, and thus requiring that polkit-read-auth-helper respond quickly?)

If I rename polkit-read-auth-helper to polkit-ian and replace it with this C program:

#include <unistd.h>

int main(int argc, char **argv)
{
    execv("/usr/lib/policykit/polkit-ian", argv);
    return 1; /* reached only if execv() fails */
}

nothing changes - the load average stays way up and I see the looping of thousands of polkit-ian called by hal-acl-tool.

# lastcomm
[...]
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
hal-acl-tool     S root ?? 0.13 secs Thu Apr 16 07:00
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
[...]

An inotify watch shows this repeated over and over:

# inotifywait -m -r /var/run/hald/
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/var/run/hald/ CREATE acl-list.7AAKSU
/var/run/hald/ OPEN acl-list.7AAKSU
/var/run/hald/ MODIFY acl-list.7AAKSU
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list.7AAKSU
/var/run/hald/ MOVED_FROM acl-list.7AAKSU
/var/run/hald/ MOVED_TO acl-list
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list
/var/run/hald/ CREATE acl-list.D908RU
/var/run/hald/ OPEN acl-list.D908RU
/var/run/hald/ MODIFY acl-list.D908RU
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list.D908RU
/var/run/hald/ MOVED_FROM acl-list.D908RU
/var/run/hald/ MOVED_TO acl-list
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list
[... about 50 lines of output every 10 seconds ...]

# cat /var/run/hald/acl-list
/dev/kvm /org/freedesktop/Hal/devices/kvm u 777
/dev/scd0 /org/freedesktop/Hal/devices/storage_model_CD_ROM_DRIVE_466 u 777
/dev/scd1 /org/freedesktop/Hal/devices/storage_model_CD_RW_GCE_8525B u 777

If I insert "sleep(1);" in front of the execv in the C program, the load average drops and hal-acl-tool starts exiting badly ("X"):

[...]
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
hal-acl-tool     X root ?? 0.10 secs Thu Apr 16 07:01
polkit-ian         root ?? 0.00 secs Thu Apr 16 07:01
[...]

and everything changes in the inotify watch:

# inotifywait -m -r /var/run/hald/
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list
/var/run/hald/ OPEN acl-list
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list
/var/run/hald/ OPEN acl-list
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list
/var/run/hald/ OPEN acl-list
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list
/var/run/hald/ OPEN acl-list
/var/run/hald/ CLOSE_WRITE,CLOSE acl-list
/var/run/hald/ OPEN acl-list
[... repeats every 20 seconds ...]

Changing sleep(1) to sleep(10) didn't lengthen the 20-second cycle. I presume hal-acl-tool has some real-time response requirements that the sleep(1) defeats, causing it to give up waiting for polkit-ian.

I ran some straces of both programs, but I think that misbehaves due to strace not preserving the exit status of the program it calls. Here's some of the interesting strace output:

In two straces of polkit-read-auth-helper I see it checking for PolicyKit entries for idallen and root (neither exist):

*********************************************************************
*** excerpts from one strace of polkit-read-auth-helper:
*********************************************************************
open("/etc/group", O_RDONLY|0x80000 /* O_??? */) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 3
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 3
stat64("/var/run/PolicyKit/user-idallen.auths", 0xbfeab4a8) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 3
stat64("/var/lib/PolicyKit/user-idallen.auths", 0xbfeab4a8) = -1 ENOENT (No such file or directory)

*********************************************************************
*** excerpts from another strace of polkit-read-auth-helper:
*********************************************************************
open("/etc/group", O_RDONLY|0x80000 /* O_??? */) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 3
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 3
stat64("/var/run/PolicyKit/user-root.auths", 0xbfd52b48) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 3
stat64("/var/lib/PolicyKit/user-root.auths", 0xbfd52b48) = -1 ENOENT (No such file or directory)
*********************************************************************
*********************************************************************

The straces of hal-acl-tool were more exciting. Some executions of this program blocked on an flock(). Those that didn't looped like crazy. Some finished after looping for a while, some didn't.

*********************************************************************
*** excerpts from one incomplete (killed?) strace of hal-acl-tool:
*********************************************************************
futex(0xbfde1ed0, 0x81 /* FUTEX_??? */, 1) = 0
rt_sigaction(SIGRTMIN, {0xb7cee280, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0xb7cee680, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="idallen-oak.home.idallen.ca", ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfde1694) = -1 ENOTTY (Inappropriate ioctl for device)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc5000
open("/var/run/hald/acl-list", O_RDWR|O_CREAT, 0644) = 3
flock(3, LOCK_EX

*********************************************************************
*** excerpts from another strace of hal-acl-tool:
*********************************************************************
[...]
futex(0xbfc64d50, 0x81 /* FUTEX_??? */, 1) = 0
rt_sigaction(SIGRTMIN, {0xb7c71280, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0xb7c71680, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="idallen-oak.home.idallen.ca", ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfc64514) = -1 ENOTTY (Inappropriate ioctl for device)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000
open("/var/run/hald/acl-list", O_RDWR|O_CREAT, 0644) = 3
flock(3, LOCK_EX) = 0
brk(0) = 0x96b9000
brk(0x96da000) = 0x96da000
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path=@/var/run/hald/dbus-Y8HN7SGUxI}, 32) = 0
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
geteuid32() = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
poll([{fd=4, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
write(4, "\0", 1) = 1
write(4, "AUTH EXTERNAL 30\r\n", 18) = 18
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, -1) = 1
read(4, "OK 96277e4797f9a54ffbfef5d649e2c3c9\r\n", 2048) = 37
poll([{fd=4, events=POLLOUT, revents=POLLOUT}], 1, -1) = 1
write(4, "BEGIN\r\n", 7) = 7
poll([{fd=4, events=POLLIN|POLLOUT, revents=POLLOUT}], 1, -1) = 1
[...]
read(4, 0x96bf278, 2048) = -1 EAGAIN (Resource temporarily unavailable)
open("/etc/PolicyKit/PolicyKit.conf", O_RDONLY|O_LARGEFILE) = 5
[...]
read(5, "", 4096) = 0
close(5) = 0
open("/usr/share/PolicyKit/policy", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|0x80000) = 5
fstat64(5, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl64(5, F_GETFD) = 0x1 (flags FD_CLOEXEC)
getdents64(5, /* 20 entries */, 4096) = 1088
stat64("/usr/share/PolicyKit/policy/com.ubuntu.devicedriver.policy", {st_mode=S_IFREG|0644, st_size=2687, ...}) = 0
open("/usr/share/PolicyKit/policy/com.ubuntu.devicedriver.policy", O_RDONLY|O_LARGEFILE) = 6
[...]
close(6) = 0
open("/var/lib/PolicyKit-public/com.ubuntu.devicedriver.info.defaults-override", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/PolicyKit-public/com.ubuntu.devicedriver.check.defaults-override", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/PolicyKit-public/com.ubuntu.devicedriver.update.defaults-override", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/var/lib/PolicyKit-public/com.ubuntu.devicedriver.install.defaults-override", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
stat64("/usr/share/PolicyKit/policy/com.ubuntu.systemservice.policy", {st_mode=S_IFREG|0644, st_size=1899, ...}) = 0
open("/usr/share/PolicyKit/policy/com.ubuntu.systemservice.policy", O_RDONLY|O_LARGEFILE) = 6
[...repeat reading lots of PolicyKit files, then it starts looping...]
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
fcntl64(5, F_GETFD) = 0x1 (flags FD_CLOEXEC)
_llseek(5, 0, [0], SEEK_CUR) = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=2504, ...}) = 0
mmap2(NULL, 2504, PROT_READ, MAP_SHARED, 5, 0) = 0xb7f34000
_llseek(5, 2504, [2504], SEEK_SET) = 0
munmap(0xb7f34000, 2504) = 0
close(5) = 0
pipe([5, 6]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7c6c6f8) = 11608
--- SIGCHLD (Child exited) @ 0 (0) ---
close(6) = 0
select(6, [5], [], NULL, NULL) = 1 (in [5])
read(5, "", 4095) = 0
close(5) = 0
waitpid(11608, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 11608
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
_llseek(5, 0, [0], SEEK_CUR) = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=2504, ...}) = 0
mmap2(NULL, 2504, PROT_READ, MAP_SHARED, 5, 0) = 0xb7f34000
_llseek(5, 2504, [2504], SEEK_SET) = 0
munmap(0xb7f34000, 2504) = 0
close(5) = 0
pipe([5, 6]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7c6c6f8) = 11609
close(6) = 0
select(6, [5], [], NULL, NULL) = 1 (in [5])
--- SIGCHLD (Child exited) @ 0 (0) ---
read(5, "", 4095) = 0
close(5) = 0
waitpid(11609, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 11609
[... repeat 508 more times opening /etc/passwd and cloning until finally: ...]
--- SIGCHLD (Child exited) @ 0 (0) ---
read(5, "", 4095) = 0
close(5) = 0
waitpid(12124, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 12124
open("/var/run/hald/acl-list", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=199, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f34000
read(5, "/dev/kvm\t/org/freedesktop/Hal/devices/kvm\tu\t777\n/dev/scd0\t/org/freedesktop/Hal/devices/storage_model_CD_ROM_DRIVE_466\tu\t777\n/dev/scd1\t/org/freedesktop/Hal/devices/storage_model_CD_RW_GCE_8525B\tu\t777\n", 4096) = 199
read(5, "", 4096) = 0
close(5) = 0
munmap(0xb7f34000, 4096) = 0
gettimeofday({1239877992, 5111}, NULL) = 0
open("/var/run/hald/acl-list.1N9GSU", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0666) = 5
open("/usr/lib/charset.alias", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
fcntl64(5, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat64(5, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f34000
_llseek(5, 0, [0], SEEK_CUR) = 0
write(5, "/dev/kvm\t/org/freedesktop/Hal/devices/kvm\tu\t777\n/dev/scd0\t/org/freedesktop/Hal/devices/storage_model_CD_ROM_DRIVE_466\tu\t777\n/dev/scd1\t/org/freedesktop/Hal/devices/storage_model_CD_RW_GCE_8525B\tu\t777\n", 199) = 199
close(5) = 0
munmap(0xb7f34000, 4096) = 0
rename("/var/run/hald/acl-list.1N9GSU", "/var/run/hald/acl-list") = 0
flock(3, LOCK_UN) = 0
close(3) = 0
write(1, "11604: attempting to get lock on /var/run/hald/acl-list\n\n****************************************************\n11604: got lock on /var/run/hald/acl-list\n11604: reconfiguring all ACL\'s\n\n****************************************************\n11604: releasing lock on /var/run/hald/acl-list\n", 285) = 285
exit_group(0) = ?

*********************************************************************
*** excerpts from another incomplete strace of hal-acl-tool:
*********************************************************************
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
fcntl64(5, F_GETFD) = 0x1 (flags FD_CLOEXEC)
_llseek(5, 0, [0], SEEK_CUR) = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=2504, ...}) = 0
mmap2(NULL, 2504, PROT_READ, MAP_SHARED, 5, 0) = 0xb7ef7000
_llseek(5, 2504, [2504], SEEK_SET) = 0
munmap(0xb7ef7000, 2504) = 0
close(5) = 0
pipe([5, 6]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7c2f6f8) = 12127
--- SIGCHLD (Child exited) @ 0 (0) ---
close(6) = 0
select(6, [5], [], NULL, NULL) = 1 (in [5])
read(5, "", 4095) = 0
close(5) = 0
waitpid(12127, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 12127
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 5
_llseek(5, 0, [0], SEEK_CUR) = 0
fstat64(5, {st_mode=S_IFREG|0644, st_size=2504, ...}) = 0
mmap2(NULL, 2504, PROT_READ, MAP_SHARED, 5, 0) = 0xb7ef7000
_llseek(5, 2504, [2504], SEEK_SET) = 0
munmap(0xb7ef7000, 2504) = 0
close(5) = 0
pipe([5, 6]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7c2f6f8) = 12128
close(6) = 0
select(6, [5], [], NULL, NULL) = 1 (in [5])
--- SIGCHLD (Child exited) @ 0 (0) ---
read(5, "", 4095) = 0
close(5) = 0
waitpid(12128, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 12128
[... repeat 473 times until killed ...]

In general, the straces of hal-acl-tool showed it looping creating new processes at a huge rate. (I presume these to be polkit-read-auth-helper.)
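
An added example, not part of the original report: a small Python summarizer for strace output shaped like the hal-acl-tool excerpts above, pairing each clone() with its waitpid() and reporting whether the exclusive flock() on acl-list ever returned. The function name, result keys and the two abridged sample traces are assumptions built from lines quoted in the report.

```python
import re

CLONE = re.compile(r'^clone\(.*\)\s*=\s*(\d+)\s*$')
WAIT = re.compile(r'^waitpid\((\d+), \[\{WIFEXITED\(s\) && WEXITSTATUS\(s\) == (\d+)\}\]')

# Constructed samples, abridged from the strace lines quoted in the report.
LOOPING = '''\
flock(3, LOCK_EX) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7c6c6f8) = 11608
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(11608, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 11608
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7c6c6f8) = 11609
waitpid(11609, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 11609
flock(3, LOCK_UN) = 0
'''
BLOCKED = '''\
open("/var/run/hald/acl-list", O_RDWR|O_CREAT, 0644) = 3
flock(3, LOCK_EX
'''

def summarize(trace):
    """Summarize one strace: children spawned via clone(), their exit
    statuses from waitpid(), and whether flock(LOCK_EX) returned 0."""
    spawned, reaped, lock = [], {}, "not requested"
    for line in trace.splitlines():
        line = line.strip()
        m = CLONE.match(line)
        if m:
            spawned.append(int(m.group(1)))
        m = WAIT.match(line)
        if m:
            reaped[int(m.group(1))] = int(m.group(2))
        if line.startswith("flock(") and "LOCK_EX" in line:
            # A call strace never saw complete has no ") = 0" suffix.
            lock = "acquired" if re.search(r'\)\s*=\s*0\b', line) else "not acquired"
    return {
        "spawned": len(spawned),
        "unreaped": [p for p in spawned if p not in reaped],
        "nonzero_exit": {p: s for p, s in reaped.items() if s != 0},
        "lock": lock,
    }

if __name__ == "__main__":
    for name, trace in (("looping", LOOPING), ("blocked", BLOCKED)):
        print(name, summarize(trace))
```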