On Wed, 07 Mar 2018 19:05:13 -0500 Matthew Gabeler-Lee
<chee...@fastcat.org> wrote:
> Package: libpam-systemd
> Version: 232-25+deb9u1
> Severity: normal
> Various policykit actions that flag as for "active" or even "inactive", but
> not "any", do not work from serial console sessions.  After much pain, I'm
> fairly sure I've traced this down to libpam-systemd not marking serial
> logins as part of a seat.  This causes policykit to decide that the session
> is not local, and thus its activity state is irrelevant for the
> allow_inactive / allow_active policykit grants.

Are you logging in via serial console as unprivileged user?

> This seems to boil down, finally, to the get_seat_from_display function in
> pam_systemd.c.
> Granted, serial console sessions are not _always_ local, given that I guess
> modems still technically exist and you might have dialup sessions, but this
> basically means that policykit is half-broken on headless systems, and that
> breaks significant bits of systemd, such as systemd-inhibit, which is where
> I began this adventure.
> For headless systems, being able to identify serial consoles that _are_
> local and thus should have a "seat" would be helpful.  The contents of
> /etc/securetty seem like they would be a useful starting place here.

/etc/securetty (pam_securetty) is not really a good idea.

That all said, you should really take this up with upstream at
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to