On Wed, 07 Mar 2018 19:05:13 -0500 Matthew Gabeler-Lee <chee...@fastcat.org> wrote: > Package: libpam-systemd > Version: 232-25+deb9u1 > Severity: normal > > Various policykit actions that flag as for "active" or even "inactive", but > not "any", do not work from serial console sessions. After much pain, I'm > fairly sure I've traced this down to libpam-systemd not marking serial > logins as part of a seat. This causes policykit to decide that the session > is not local, and thus its activity state is irrelevant for the > allow_inactive / allow_active policykit grants.
Are you logging in via serial console as unprivileged user? > This seems to boil down, finally, to the get_seat_from_display function in > pam_systemd.c. > > Granted, serial console sessions are not _always_ local, given that I guess > modems still technically exist and you might have dialup sessions, but this > basically means that policykit is half-broken on headless systems, and that > breaks significant bits of systemd, such as systemd-inhibit, which is where > I began this adventure. > > For headless systems, being able to identify serial consoles that _are_ > local and thus should have a "seat" would be helpful. The contents of > /etc/securetty seem like they would be a useful starting place here. /etc/securetty (pam_securetty) is not really a good idea. That all said, you should really take this up with upstream at https://github.com/systemd/systemd/issues -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Description: OpenPGP digital signature