https://bugs.kde.org/show_bug.cgi?id=521403
Bug ID: 521403
Summary: Sessions started by Plasma Login Manager have no utmp USER_PROCESS record; breaks utmp-based local-user detection (e.g. Cisco Secure Client VPN policy)
Classification: Plasma
Product: plasma-login-manager
Version First Reported In: 6.6.5
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected]
Target Milestone: ---
DESCRIPTION
Graphical sessions started by Plasma Login Manager are not registered in
utmp. Software that determines "is a local user physically present" by
reading utmp therefore concludes that nobody is logged in. Concrete victim:
Cisco Secure Client's LinuxVPNEstablishment=LocalUsersOnly policy, which
classifies the physically present user as remote and refuses the VPN
connection.
STEPS TO REPRODUCE
1. Install Fedora 44 KDE (ships plasmalogin as the default login manager).
2. Log in graphically. Do not log into any text console (TTY).
3. Run: utmpdump /run/utmp
OBSERVED RESULT
No USER_PROCESS (type 7) record exists for the graphical session. The only
type-7 records come from terminal-emulator pseudo-terminals (pts/*):
$ utmpdump /run/utmp
[2] ... [reboot ] ...
[7] ... [user] [pts/0] [:0]
[7] ... [user] [pts/2] [ ]
(no record for the graphical session itself)
Note: who(1) DOES list the session on this system. Fedora's who appears to
read systemd-logind rather than utmp; so utmpdump is required to observe
this. A console login (Ctrl+Alt+F3) immediately appears in utmpdump as a
normal type-7 record, confirming utmp itself works.
EXPECTED RESULT
Unclear, hence this report: either PLM should register graphical sessions
in utmp (as console login(1) does, and as graphical sessions traditionally
appeared there), or the omission is intentional under utmp deprecation,
in which case a documented statement of that stance would help downstream
triage.
SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 44 (KDE Plasma)
KDE Plasma Version: 6.6.5
KDE Frameworks Version: 6.26.0
Qt Version: 6.11.1
ADDITIONAL INFORMATION
plasma-login-manager package: plasma-login-manager-6.6.5-1.fc44.x86_64
Concrete breakage, reproducible on demand: Cisco Secure Client 5.1.16
authenticates and establishes the tunnel, then self-terminates with
"Termination reason code 26: Profile settings do not allow VPN
establishment by a remote user." Logging into one spare TTY (which writes a
classic utmp record) makes the identical connection succeed; logging out of
the TTY makes it fail again. Toggling the TTY login toggles the outcome.
I could not verify SDDM's behavior side-by-side (no SDDM machine
available), so I cannot say whether this is a regression from the SDDM fork
or longstanding Wayland-session behavior.
Related forum thread:
https://discussion.fedoraproject.org/t/fedora-44-kde-cisco-secure-client-vpn-establishment-capability-for-a-remote-user-is-disabled-root-cause-and-workaround/193677
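Added example, not part of the original report and not code from KDE, Fedora or Cisco: a triage script that parses raw utmp bytes and lists the USER_PROCESS records, separating pseudo-terminal lines from the rest, which is the distinction the report observes. It assumes the 384-byte glibc x86_64 record layout; the "line is not pts/*" check is a heuristic inferred from the report's observations, not the VPN client's actual logic, and all function names and sample records are constructed.

```python
import struct
import sys
from pathlib import Path

# glibc "struct utmp" on x86_64 Linux (384 bytes). This layout is an
# assumption of the example; other libcs and architectures differ.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a logged-in user session


def _text(raw):
    """Decode a NUL-padded fixed-width utmp field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def user_sessions(data):
    """Return (user, line, host) for every USER_PROCESS record in utmp bytes."""
    usable = len(data) - len(data) % UTMP.size  # ignore a truncated tail
    return [
        (_text(rec[4]), _text(rec[2]), _text(rec[5]))
        for rec in UTMP.iter_unpack(data[:usable])
        if rec[0] == USER_PROCESS
    ]


def non_pty_sessions(sessions):
    """Sessions whose line is not a pseudo-terminal (assumed triage heuristic)."""
    return [s for s in sessions if not s[1].startswith("pts/")]


def make_record(ut_type, user, line, host=""):
    """Build one constructed utmp record (pid, times and address zeroed)."""
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


# Constructed samples mirroring the report: graphical login only, then the
# same state after an additional console login on tty3.
GRAPHICAL_ONLY = (make_record(2, "reboot", "~")
                  + make_record(7, "user", "pts/0", ":0")
                  + make_record(7, "user", "pts/2"))
WITH_TTY = GRAPHICAL_ONLY + make_record(7, "user", "tty3")

if __name__ == "__main__":
    # Pass /run/utmp as the argument to inspect a live system.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else GRAPHICAL_ONLY
    for user, line, host in user_sessions(data):
        print(f"USER_PROCESS user={user} line={line} host={host or '-'}")
    print("non-pty sessions:", non_pty_sessions(user_sessions(data)))
```

An empty "non-pty sessions" list on a machine with an active graphical login corresponds to the state described in the report.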