Re: [gentoo-user] gdm fails to start

2017-05-23 Thread Raffaele Belardi
On Tue, 2017-05-23 at 17:17 +0200, Hogren wrote:
> 
> On 23/05/2017 14:44, Raffaele Belardi wrote:
> > On Tue, 2017-05-23 at 14:05 +0200, Hogren wrote:
> > > I suppose there is a group in /etc/groups for gdm ?
> > > 
> > > Does your user is associate with this group ?
> > > 
> > > 
> > 
> > Yes, there is a gdm group but my user is not part of it. I will
> > test it
> > later since I cannot logout right now, but where did you find a
> > reference for this?
> 
> Hum, sorry it's possible that it's a mistake.

Anyway, I just tried to add my user to group gdm, no change.

> 
> Other thing, who is the user UID=32 ?
> 
> Why it's him who try to execute systemd ?

It's gdm, by comparison with another system where gdm starts fine it is
normal.

> > 
> > "The only special privilege the "gdm" user requires is the
> > ability to read and write Xauth files to the /run/gdm
> > directory.  The /run/gdm directory should have root:gdm
> > ownership
> > and 1777 permissions."
> > 
> > My /var/run/gdm has different permissions:
> > 
> > drwx--x--x  3 root gdm  60 May 23 10:19 gdm
> > 

I tried to set the /var/lib/gdm permission to 1777, no change.
Finally I cleared the /var/lib/gdm contents, no change.

Going back to the error log:

systemd[356]: user@32.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted

I believe that systemd is telling me that PAM did not allow spawning a
'/usr/lib/systemd/systemd' for user gdm. Maybe I should try to
understand why PAM is denying it. Anyone expert with PAM?

raffaele



Re: [gentoo-user] gdm fails to start

2017-05-23 Thread Hogren


On 23/05/2017 14:44, Raffaele Belardi wrote:
> On Tue, 2017-05-23 at 14:05 +0200, Hogren wrote:
>> I suppose there is a group in /etc/groups for gdm ?
>>
>> Does your user is associate with this group ?
>>
>>
> Yes, there is a gdm group but my user is not part of it. I will test it
> later since I cannot logout right now, but where did you find a
> reference for this?
Hum, sorry it's possible that it's a mistake.

Another thing: who is the user with UID=32?

Why is it him who tries to execute systemd?

>
> Searching for a reference myself, I found this not really related but
> interesting (https://help.gnome.org/admin/gdm/stable/security.html.en):
>
> "The only special privilege the "gdm" user requires is the
> ability to read and write Xauth files to the /run/gdm
> directory.  The /run/gdm directory should have root:gdm ownership
> and 1777 permissions."
>
> My /var/run/gdm has different permissions:
>
> drwx--x--x  3 root gdm  60 May 23 10:19 gdm
>
> I did not change or create this directory so it must be the default
> created by the ebuild. Can anyone confirm that with these permissions
> gdm works correctly?
>
> raffaele
>



Hogren



Re: [gentoo-user] gdm fails to start

2017-05-23 Thread Raffaele Belardi
On Tue, 2017-05-23 at 14:05 +0200, Hogren wrote:
> I suppose there is a group in /etc/groups for gdm ?
> 
> Does your user is associate with this group ?
> 
> 

Yes, there is a gdm group but my user is not part of it. I will test it
later since I cannot logout right now, but where did you find a
reference for this?

Searching for a reference myself, I found this not really related but
interesting (https://help.gnome.org/admin/gdm/stable/security.html.en):

"The only special privilege the "gdm" user requires is the
ability to read and write Xauth files to the /run/gdm
directory.  The /run/gdm directory should have root:gdm ownership
and 1777 permissions."

My /var/run/gdm has different permissions:

drwx--x--x  3 root gdm  60 May 23 10:19 gdm

I did not change or create this directory so it must be the default
created by the ebuild. Can anyone confirm that with these permissions
gdm works correctly?

raffaele



Re: [gentoo-user] gdm fails to start

2017-05-23 Thread Hogren
I suppose there is a group in /etc/groups for gdm?

Is your user associated with this group?


Hogren


On 23/05/2017 13:53, Raffaele Belardi wrote:
> On Tue, 2017-05-23 at 12:53 +0200, Hogren wrote:
>> On 23/05/2017 10:34, Raffaele Belardi wrote:
>>> On Mon, 2017-05-22 at 16:09 +0200, Hogren wrote:
>>>> Hello,
>>>>
>>>> Very simple question but did you have "pam" in your global USE
>>>> flag
>>>> or
>>>> Systemd USE flag ?
>>> Yes, I am using the gnome/systemd profile:
>>>
>>> # euse -I pam
>>> global use flags (searching: pam)
>>> 
>>> no matching entries found
>>>
>>> local use flags (searching: pam)
>>> 
>>> [+  D   ] pam (net-dialup/ppp):
>>> Enables PAM (Pluggable Authentication Modules) support
>>>
>>> [+  D   ] pam (sys-apps/util-linux):
>>> build runuser helper
>> There is a "pam" USE flag for systemd.
>> Did you try to add it ?
>> https://packages.gentoo.org/packages/sys-apps/systemd
>>
>> Hogren
>>
> Yes, it is set, I don't know why euse does not show it:
>
> # eix -I sys-apps/systemd
> [I] sys-apps/systemd
>  Available versions:  226-r2(0/2) (~)231(0/2) [M](~)232(0/2) 233-r1(0/2) **(0/2) {acl apparmor audit build cryptsetup curl doc elfutils (+)gcrypt gnuefi http idn importd +kdbus +kmod +libidn2 +lz4 lzma nat pam policykit qrcode +seccomp selinux ssl sysv-utils test vanilla xkb ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
>  Installed versions:  233-r1(05:53:09 AM 05/20/2017)(acl gcrypt kmod lz4 pam policykit seccomp ssl -apparmor -audit -build -cryptsetup -curl -doc -elfutils -gnuefi -http -idn -importd -lzma -nat -qrcode -selinux -sysv-utils -test -vanilla -xkb ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="32 -64 -x32")
>
>




Re: [gentoo-user] gdm fails to start

2017-05-23 Thread Raffaele Belardi
On Tue, 2017-05-23 at 12:53 +0200, Hogren wrote:
> 
> On 23/05/2017 10:34, Raffaele Belardi wrote:
> > On Mon, 2017-05-22 at 16:09 +0200, Hogren wrote:
> > > Hello,
> > > 
> > > Very simple question but did you have "pam" in your global USE
> > > flag
> > > or
> > > Systemd USE flag ?
> > 
> > Yes, I am using the gnome/systemd profile:
> > 
> > # euse -I pam
> > global use flags (searching: pam)
> > 
> > no matching entries found
> > 
> > local use flags (searching: pam)
> > 
> > [+  D   ] pam (net-dialup/ppp):
> > Enables PAM (Pluggable Authentication Modules) support
> > 
> > [+  D   ] pam (sys-apps/util-linux):
> > build runuser helper
> 
> There is a "pam" USE flag for systemd.
> Did you try to add it ?
> https://packages.gentoo.org/packages/sys-apps/systemd
> 
> Hogren
> 

Yes, it is set, I don't know why euse does not show it:

# eix -I sys-apps/systemd
[I] sys-apps/systemd
 Available versions:  226-r2(0/2) (~)231(0/2) [M](~)232(0/2) 233-r1(0/2) **(0/2) {acl apparmor audit build cryptsetup curl doc elfutils (+)gcrypt gnuefi http idn importd +kdbus +kmod +libidn2 +lz4 lzma nat pam policykit qrcode +seccomp selinux ssl sysv-utils test vanilla xkb ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32"}
 Installed versions:  233-r1(05:53:09 AM 05/20/2017)(acl gcrypt kmod lz4 pam policykit seccomp ssl -apparmor -audit -build -cryptsetup -curl -doc -elfutils -gnuefi -http -idn -importd -lzma -nat -qrcode -selinux -sysv-utils -test -vanilla -xkb ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="32 -64 -x32")




Re: [gentoo-user] gdm fails to start

2017-05-23 Thread Hogren


On 23/05/2017 10:34, Raffaele Belardi wrote:
> On Mon, 2017-05-22 at 16:09 +0200, Hogren wrote:
>> Hello,
>>
>> Very simple question but did you have "pam" in your global USE flag
>> or
>> Systemd USE flag ?
> Yes, I am using the gnome/systemd profile:
>
> # euse -I pam
> global use flags (searching: pam)
> 
> no matching entries found
>
> local use flags (searching: pam)
> 
> [+  D   ] pam (net-dialup/ppp):
> Enables PAM (Pluggable Authentication Modules) support
>
> [+  D   ] pam (sys-apps/util-linux):
> build runuser helper

There is a "pam" USE flag for systemd.
Did you try to add it?
https://packages.gentoo.org/packages/sys-apps/systemd

Hogren



Re: [gentoo-user] gdm fails to start

2017-05-23 Thread Raffaele Belardi
On Mon, 2017-05-22 at 16:09 +0200, Hogren wrote:
> Hello,
> 
> Very simple question but did you have "pam" in your global USE flag
> or
> Systemd USE flag ?

Yes, I am using the gnome/systemd profile:

# euse -I pam
global use flags (searching: pam)

no matching entries found

local use flags (searching: pam)

[+  D   ] pam (net-dialup/ppp):
Enables PAM (Pluggable Authentication Modules) support

[+  D   ] pam (sys-apps/util-linux):
build runuser helper

# euse -I systemd
global use flags (searching: systemd)

No matching entries found

local use flags (searching: systemd)

[+  D   ] systemd (gnome-extra/gnome-system-monitor):
Display sys-apps/systemd metadata, e.g. unit names, for running processes

[+  D   ] systemd (media-sound/pulseaudio):
Build with sys-apps/systemd support to replace standalone ConsoleKit.

[+  D   ] systemd (sys-apps/accountsservice):
Use sys-apps/systemd instead of sys-auth/consolekit for session tracking

[+  D   ] systemd (sys-apps/busybox):
Support systemd

[+  D   ] systemd (sys-apps/dbus):
Build with sys-apps/systemd at_console support

[+  D   ] systemd (sys-auth/pambase):
Use pam_systemd module to register user sessions in the systemd control group hierarchy.

[+  D   ] systemd (sys-auth/polkit):
Use sys-apps/systemd instead of sys-auth/consolekit for session tracking

[+  D   ] systemd (sys-fs/udisks):
Support sys-apps/systemd's logind

# grep USE= /etc/portage/make.conf
USE="-bluetooth -cups -cdr -dvd -dvdr -fortran -games -ipv6 -kde -libav -modemmanager -ppp -qt -qt3 -qt4 -shotwell -wifi"

> 
> If this is on the first, did you compile systemd and may be
> dependencies
> after add it ?

I'm not sure I understood the question: the box was initially
LXDE/OpenRC; I installed and booted into systemd and got the system up
again; then I installed Gnome and removed LXDE.
Out of ideas I also recently did an 'emerge -e world'.

> 
> Did you try that:
> 
> systemctl reset-failed
> 
> For a guy on github, that solve (without explanation) the problem:
> 
> https://github.com/coreos/bugs/issues/1498
> 

I just tried it and also the other tip mentioned in the bug
(modification in the /etc/pam.d/systemd-user), no change.

raffaele



Re: [gentoo-user] gdm fails to start

2017-05-22 Thread Hogren
Hello,

Very simple question but did you have "pam" in your global USE flag or
Systemd USE flag?

If this is on the first, did you compile systemd and maybe dependencies
after adding it?

Did you try that:

systemctl reset-failed

For a guy on GitHub, that solved (without explanation) the problem:

https://github.com/coreos/bugs/issues/1498



Hogren





On 22/05/2017 14:13, Raffaele Belardi wrote:
> On Mon, 2017-05-22 at 13:02 +0300, Alexander Kapshuk wrote:
>> On Mon, May 22, 2017 at 1:00 PM, Raffaele Belardi wrote:
>>> On Mon, 2017-05-22 at 12:47 +0300, Alexander Kapshuk wrote:
>>>> A Google search found this systemd issue:
>>>> https://github.com/systemd/systemd/issues/4342
>>>> Quote:
>>>> @poettering I see I left no account modules in the bare-bones PAM
>>>> config. Maybe it is pam_acct_mgmt failing then?
>>>>
>>>> @yuwata what happens if you add account required pam_unix.so ?
>>>>
>>>> @fsateler Thanks. By adding the line, user sessions successfully
>>>> start
>>>> without the error messages. Do you think the line should be added
>>>> to
>>>> the minimal PAM file?
>>>>
>>>> See if that helps.

>>> Yes, I saw that but the solution is not at all clear to me: which
>>> PAM
>>> config file are they referring to?
>>>
>>> raffaele
>>>
>>>
>> Could it be this one, /etc/pam.d/systemd-user?
>>
> Done then issued 'systemctl daemon-reload' and 'systemctl start gdm',
> no change:
>
> $ cat /etc/pam.d/systemd-user 
> # This file is part of systemd.
> #
> # Used by systemd --user instances.
>
> account include system-auth
> # [RB]
> account required pam_unix.so
> session include system-auth
> session optional pam_keyinit.so force revoke
> session optional pam_systemd.so
>
> #journalctl -b
> ...
> systemd[1]: Created slice User Slice of gdm.
> systemd[1]: Starting User Manager for UID 32...
> systemd[1]: Started Session c519 of user gdm.
> systemd-logind[173]: New session c519 of user gdm.
> systemd[15240]: user@32.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
> systemd[1]: Failed to start User Manager for UID 32.
> systemd[1]: user@32.service: Unit entered failed state.
> systemd[1]: user@32.service: Failed with result 'protocol'.
> gdm-launch-environment][15237]: pam_systemd(gdm-launch-environment:session): Failed to create session: Start job for unit user@32.service failed with 'failed'
> systemd-logind[173]: Removed session c519.
>




Re: [gentoo-user] gdm fails to start

2017-05-22 Thread Raffaele Belardi
On Mon, 2017-05-22 at 13:02 +0300, Alexander Kapshuk wrote:
> On Mon, May 22, 2017 at 1:00 PM, Raffaele Belardi wrote:
> > On Mon, 2017-05-22 at 12:47 +0300, Alexander Kapshuk wrote:
> > > 
> > > A Google search found this systemd issue:
> > > https://github.com/systemd/systemd/issues/4342
> > > Quote:
> > > @poettering I see I left no account modules in the bare-bones PAM
> > > config. Maybe it is pam_acct_mgmt failing then?
> > > 
> > > @yuwata what happens if you add account required pam_unix.so ?
> > > 
> > > @fsateler Thanks. By adding the line, user sessions successfully
> > > start
> > > without the error messages. Do you think the line should be added
> > > to
> > > the minimal PAM file?
> > > 
> > > See if that helps.
> > > 
> > 
> > Yes, I saw that but the solution is not at all clear to me: which
> > PAM
> > config file are they referring to?
> > 
> > raffaele
> > 
> > 
> 
> Could it be this one, /etc/pam.d/systemd-user?
> 

Done then issued 'systemctl daemon-reload' and 'systemctl start gdm',
no change:

$ cat /etc/pam.d/systemd-user 
# This file is part of systemd.
#
# Used by systemd --user instances.

account include system-auth
# [RB]
account required pam_unix.so
session include system-auth
session optional pam_keyinit.so force revoke
session optional pam_systemd.so

#journalctl -b
...
systemd[1]: Created slice User Slice of gdm.
systemd[1]: Starting User Manager for UID 32...
systemd[1]: Started Session c519 of user gdm.
systemd-logind[173]: New session c519 of user gdm.
systemd[15240]: user@32.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
systemd[1]: Failed to start User Manager for UID 32.
systemd[1]: user@32.service: Unit entered failed state.
systemd[1]: user@32.service: Failed with result 'protocol'.
gdm-launch-environment][15237]: pam_systemd(gdm-launch-environment:session): Failed to create session: Start job for unit user@32.service failed with 'failed'
systemd-logind[173]: Removed session c519.
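
Added example (not part of the original post, and not systemd or Linux-PAM code): a small resolver that expands the include/substack lines of a pam.d service file and lists the modules that end up in one management type, which is the check the quoted systemd issue turns on (a service file with no account modules). Only the systemd-user text comes from the post; the system-auth and bare-bones files and all function names are constructed for the example.

```python
import os
import tempfile

# Constructed sample files. Only "systemd-user" mirrors the file in the post;
# "system-auth" and "bare-bones" are assumptions made for this example.
SAMPLE = {
    "system-auth": "auth required pam_unix.so\n"
                   "account required pam_unix.so\n"
                   "session required pam_limits.so\n"
                   "session required pam_unix.so\n",
    "systemd-user": "account include system-auth\n"
                    "# [RB]\n"
                    "account required pam_unix.so\n"
                    "session include system-auth\n"
                    "session optional pam_keyinit.so force revoke\n"
                    "session optional pam_systemd.so\n",
    "bare-bones": "session optional pam_keyinit.so force revoke\n"
                  "-session optional pam_systemd.so\n",
}

def resolve_stack(pam_dir, service, mgmt_type, _chain=()):
    """Return (control, module) pairs for one type, expanding include/substack."""
    if service in _chain:  # include loop: stop instead of recursing forever
        return []
    stack = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
            if len(fields) < 3:
                continue
            kind = fields[0].lstrip("-")  # "-type": a missing module is not logged
            end = 1
            if fields[1].startswith("["):  # bracketed control may contain spaces
                end = next((i for i in range(1, len(fields))
                            if fields[i].endswith("]")), len(fields) - 1)
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
            if kind != mgmt_type or not rest:
                continue
            if control in ("include", "substack"):
                stack += resolve_stack(pam_dir, rest[0], mgmt_type, _chain + (service,))
            else:
                stack.append((control, rest[0]))
    return stack

def report(mgmt_type):
    """Resolve one management type for the two constructed service files."""
    with tempfile.TemporaryDirectory() as pam_dir:
        for name, text in SAMPLE.items():
            with open(os.path.join(pam_dir, name), "w") as fh:
                fh.write(text)
        return {svc: resolve_stack(pam_dir, svc, mgmt_type)
                for svc in ("systemd-user", "bare-bones")}

if __name__ == "__main__":
    for svc, stack in report("account").items():
        print(svc, "account:", stack or "EMPTY")
```

To inspect a real system, call resolve_stack("/etc/pam.d", "systemd-user", "account") instead of report().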



Re: [gentoo-user] gdm fails to start

2017-05-22 Thread Alexander Kapshuk
On Mon, May 22, 2017 at 1:00 PM, Raffaele Belardi wrote:
> On Mon, 2017-05-22 at 12:47 +0300, Alexander Kapshuk wrote:
>>
>> A Google search found this systemd issue:
>> https://github.com/systemd/systemd/issues/4342
>> Quote:
>> @poettering I see I left no account modules in the bare-bones PAM
>> config. Maybe it is pam_acct_mgmt failing then?
>>
>> @yuwata what happens if you add account required pam_unix.so ?
>>
>> @fsateler Thanks. By adding the line, user sessions successfully
>> start
>> without the error messages. Do you think the line should be added to
>> the minimal PAM file?
>>
>> See if that helps.
>>
>
> Yes, I saw that but the solution is not at all clear to me: which PAM
> config file are they referring to?
>
> raffaele
>
>
>
Could it be this one, /etc/pam.d/systemd-user?



Re: [gentoo-user] gdm fails to start

2017-05-22 Thread Raffaele Belardi
On Mon, 2017-05-22 at 12:47 +0300, Alexander Kapshuk wrote:
> 
> A Google search found this systemd issue:
> https://github.com/systemd/systemd/issues/4342
> Quote:
> @poettering I see I left no account modules in the bare-bones PAM
> config. Maybe it is pam_acct_mgmt failing then?
> 
> @yuwata what happens if you add account required pam_unix.so ?
> 
> @fsateler Thanks. By adding the line, user sessions successfully
> start
> without the error messages. Do you think the line should be added to
> the minimal PAM file?
> 
> See if that helps.
> 

Yes, I saw that but the solution is not at all clear to me: which PAM
config file are they referring to?

raffaele





Re: [gentoo-user] gdm fails to start

2017-05-22 Thread Alexander Kapshuk
On Mon, May 22, 2017 at 11:16 AM, Raffaele Belardi wrote:
> I'm unable to start the gdm service on a recently installed gnome
> desktop (~x86): the service continuously fails and restarts with the
> errors below. If I disable the service and login into a text console,
> startx works fine but the Gnome session misses some features (e.g.
> screen lock). I enabled debug logging on gdm but nothing significant
> appears.
>
> Any suggestions?
>
> thanks,
>
> raffaele
>
>
> systemd[356]: user@32.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
> systemd[1]: Failed to start User Manager for UID 32.
> gdm-launch-environment][310]: pam_systemd(gdm-launch-environment:session): Failed to create session: Start job for unit user@32.service failed with 'failed'
> systemd[1]: user@32.service: Unit entered failed state.
> systemd[1]: user@32.service: Failed with result 'protocol'.
>
> ...
>
> /usr/libexec/gdm-x-session[359]: Activated service
> 'org.freedesktop.systemd1' failed: Process org.freedesktop.systemd1
> exited with stat
> /usr/libexec/gdm-x-session[359]: Unable to register display with
> display manager
>
>  # grep 32 /etc/passwd
> gdm:x:32:32:GDM:/var/lib/gdm:/bin/false
>
> # eselect profile list
> Available profile symlink targets:
>   [1]   default/linux/x86/13.0
>   [2]   default/linux/x86/13.0/selinux
>   [3]   default/linux/x86/13.0/desktop
>   [4]   default/linux/x86/13.0/desktop/gnome
>   [5]   default/linux/x86/13.0/desktop/gnome/systemd *
>   [6]   default/linux/x86/13.0/desktop/plasma
>   [7]   default/linux/x86/13.0/desktop/plasma/systemd
>   [8]   default/linux/x86/13.0/developer
>   [9]   default/linux/x86/13.0/systemd
>   [10]  hardened/linux/x86
>   [11]  hardened/linux/x86/selinux
>   [12]  hardened/linux/musl/x86
>   [13]  default/linux/uclibc/x86
>   [14]  hardened/linux/uclibc/x86
>

A Google search found this systemd issue:
https://github.com/systemd/systemd/issues/4342
Quote:
@poettering I see I left no account modules in the bare-bones PAM
config. Maybe it is pam_acct_mgmt failing then?

@yuwata what happens if you add account required pam_unix.so ?

@fsateler Thanks. By adding the line, user sessions successfully start
without the error messages. Do you think the line should be added to
the minimal PAM file?

See if that helps.