Bug#932047: lightdm: greeter session support for elogind
Yves-Alexis,

On Sat, Oct 22, 2022 at 01:59:33PM +0200, Yves-Alexis Perez wrote:
> But if it seems that there is no breakage (and hopefully no bad side effects
> we don't see yet) I guess we'll be able to update the pam configuration to
> use includes as well at some point.

A gentle reminder this is still unresolved. Early in the Trixie cycle seems a
good time to implement it and allow maximum time for testing and resolution of
any outstanding issues.

Many thanks.

Mark
Bug#932047: lightdm: greeter session support for elogind
> "Yves-Alexis" == Yves-Alexis Perez writes:

    Yves-Alexis> I'm not sure other display managers handle the greeters
    Yves-Alexis> the same way (running under their own uid and stuff
    Yves-Alexis> like that), so I'm unsure if we can really compare
    Yves-Alexis> that.

gdm does.
Bug#932047: lightdm: greeter session support for elogind
On Sun, 2022-10-16 at 11:49 +0100, Mark Hindley wrote:
> > My suspicion is that since this appears to be working for other display
> > managers, it's all fine.
>
> It seems that way to me as well.

I'm not sure other display managers handle the greeters the same way (running
under their own uid and stuff like that), so I'm unsure if we can really compare
that.

But if it seems that there is no breakage (and hopefully no bad side effects we
don't see yet) I guess we'll be able to update the pam configuration to use
includes as well at some point.

Regards,
--
Yves-Alexis
Bug#932047: lightdm: greeter session support for elogind
Sam,

Thanks for this, very helpful. I have again tested both approaches and they both
work and I can find no breakage.

On Tue, Oct 11, 2022 at 03:30:12PM -0600, Sam Hartman wrote:
> I think we want something there that allows people to get third-party
> packages into the pam config.
> If common-session isn't going to be good enough, then I guess we'd need
> to create something on the PAM side.
> But let's explore whether common-session is good enough, because it does
> look like other display managers have similar architecture and manage to
> use common-session.

Testing with @include common-session:

    test@debian-sid:~$ ps -Alf|grep lightdm
    4 S root 23261 1 0 80 0 - 58787 - 11:04 ? 00:00:00 /usr/sbin/lightdm
    4 S root 23266 23261 2 80 0 - 80210 - 11:04 tty7 00:00:25 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
    4 S root 23327 23261 0 80 0 - 40649 - 11:05 ? 00:00:01 lightdm --session-child 15 26
    0 S test 23435 23432 0 80 0 - 1627 - 11:18 pts/1 00:00:00 grep lightdm

> Here are my thoughts on testing common-session in the greeter config:
>
> * Take a look at how things appear in logind--does the greeter appear as
> a session? If so does anything break because of that? (With Gnome,
> the greeter does not appear to appear in loginctl list-sessions)

Neither for lightdm-greeter:

    test@debian-sid:~$ loginctl list-sessions
    SESSION  UID USER SEAT  TTY
          1 1000 test seat0 tty1
          7 1000 test seat0

    2 sessions listed.

> * What selinux context do things appear in. This only matters if
> selinux is already in your testing structure

I am not sure I have quite understood this, which testing structure are you
referring to here? SELinux is not in /etc/pam.d/lightdm-greeter, only
/etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin.

> * Does the structure of keyrings look like you expect.
>
> * Do you end up with a systemd for the greeter user (assuming you are
> using systemd). If so, do you want one?

No

    test@debian-sid:~$ ps -Alf | grep systemd
    4 S root 1 0 0 80 0 - 42151 - 09:19 ? 00:01:04 /lib/systemd/systemd --system --deserialize 37
    4 S message+ 342 1 0 80 0 - 2309 - 09:19 ? 00:00:09 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    4 S root 345 1 0 80 0 - 3598 - 09:19 ? 00:00:05 /lib/systemd/systemd-logind
    4 S test 437 1 0 80 0 - 3906 - 09:30 ? 00:00:08 /lib/systemd/systemd --user
    4 S root 6919 1 0 80 0 - 12319 - 09:43 ? 00:00:16 /lib/systemd/systemd-journald
    4 S systemd+ 11560 1 0 80 0 - 22504 - 10:05 ? 00:00:02 /lib/systemd/systemd-timesyncd
    4 S root 11591 1 0 80 0 - 6236 - 10:05 ? 00:00:06 /lib/systemd/systemd-udevd
    0 S test 23149 437 0 80 0 - 2278 - 10:54 ? 00:00:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    0 S test 23439 23432 0 80 0 - 1627 - 11:18 pts/1 00:00:00 grep systemd

> My suspicion is that since this appears to be working for other display
> managers, it's all fine.

It seems that way to me as well.

> But those are the areas where trouble is most likely to show up.

Thanks

Best wishes

Mark
Bug#932047: lightdm: greeter session support for elogind
> "Yves-Alexis" == Yves-Alexis Perez writes:

I think we want something there that allows people to get third-party
packages into the pam config.
If common-session isn't going to be good enough, then I guess we'd need
to create something on the PAM side.
But let's explore whether common-session is good enough, because it does
look like other display managers have similar architecture and manage to
use common-session.

Here are my thoughts on testing common-session in the greeter config:

* Take a look at how things appear in logind--does the greeter appear as
  a session? If so does anything break because of that? (With Gnome,
  the greeter does not appear to appear in loginctl list-sessions)

* What selinux context do things appear in. This only matters if
  selinux is already in your testing structure

* Does the structure of keyrings look like you expect.

* Do you end up with a systemd for the greeter user (assuming you are
  using systemd). If so, do you want one?

My suspicion is that since this appears to be working for other display
managers, it's all fine.
But those are the areas where trouble is most likely to show up.
Bug#932047: lightdm: greeter session support for elogind
On Tue, 2022-10-11 at 10:02 -0600, Sam Hartman wrote:
> If including common-session will work, I think that's a good improvement
> for everyone.
> It is closer to best practice, and it means that as PAM profiles are
> added over time, they will work for lightdm as well.

Ok, but...

>
> Whether that works depends on the architecture of the greeter.
> If the greeter has one process that does the initial authentication and
> then forks off an entire different set of processes not descended from
> the greeter that run the session, then including common-session might
> not work so well.

That's the case.

>
> I'm kind of confused though because it looks like 1.26.0-8's sources
> already include common-session in data/pam/lightdm.

Yes, because there are two PAM sessions:

- one for the greeter itself, running as the lightdm user
- one for the logged in user

The user session already includes common-session but the greeter itself uses a
more stripped PAM configuration since it's only used for the login screen.

So I'm unsure if an “interactive user” PAM session is really a good idea here.

Regards,
--
Yves-Alexis
Bug#932047: lightdm: greeter session support for elogind
Hi.

If including common-session will work, I think that's a good improvement
for everyone.
It is closer to best practice, and it means that as PAM profiles are
added over time, they will work for lightdm as well.

Whether that works depends on the architecture of the greeter.
If the greeter has one process that does the initial authentication and
then forks off an entire different set of processes not descended from
the greeter that run the session, then including common-session might
not work so well.

I'm kind of confused though because it looks like 1.26.0-8's sources
already include common-session in data/pam/lightdm.
Bug#932047: lightdm: greeter session support for elogind
On Sun, 2022-10-09 at 13:22 +0100, Mark Hindley wrote:
> > It might be nice to have them chime in. Also not sure how this thing is
> > handled on other DM, any idea?
>
> A quick look shows most use '@include common-session'. AFAICS that is the
> case for
>
> gdm3: /etc/pam.d/gdm-password
> sddm: /etc/pam.d/sddm-greeter
> xdm: /etc/pam.d/xdm
> slim: /etc/pam.d/slim (although it doesn't use logind interfaces)
>
> AFAICS lxdm doesn't use logind at all.

Thanks. I seem to recall that our pam configuration comes from gdm3 but maybe it
evolved since then or maybe there's a discrepancy between the greeter and the
user configurations.

In any case, let's check what PAM people reply, but I think we might end up with
the @include common-session part (I'm unsure if the *greeter* should have a
common configuration but maybe it's ok).

Regards,
--
Yves-Alexis
Bug#932047: lightdm: greeter session support for elogind
Yves-Alexis,

On Sun, Oct 09, 2022 at 01:46:56PM +0200, Yves-Alexis Perez wrote:
> for some reason it seems I never actually replied to this bug, sorry.

No worries.

> I might have replied on different bugs, but I'm not really keen on modifying
> pam files, especially for specific / non-default stuff.

Yes, I remember that from our previous discussions.

> Do you know what are the opinion of PAM people and systemd-logind people on
> that?

Added to CC:

Dear Steve and Sam as PAM maintainers,

I am wanting to add libpam-elogind support to lightdm-greeter. Currently
/etc/pam.d/lightdm-greeter hooks logind directly with

    session optional pam_systemd.so

I have proposed two patches: either to add

    session optional pam_elogind.so

or replace both with

    @include common-session

Yves-Alexis is understandably cautious about changing the PAM configuration. Do
you have any thoughts, advice or comments on which might be the most
appropriate?

Thanks

> It might be nice to have them chime in. Also not sure how this thing is
> handled on other DM, any idea?

A quick look shows most use '@include common-session'. AFAICS that is the case
for

    gdm3: /etc/pam.d/gdm-password
    sddm: /etc/pam.d/sddm-greeter
    xdm: /etc/pam.d/xdm
    slim: /etc/pam.d/slim (although it doesn't use logind interfaces)

AFAICS lxdm doesn't use logind at all.

HTH.

Best wishes

Mark
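Added example, not part of the thread or of lightdm's packaging: a small resolver for the session stack of a PAM service file that follows @include lines, used to compare the two greeter variants discussed above on a system where common-session carries pam_elogind.so. The function names, the sample file names and the sample file contents are assumptions constructed for illustration.

```python
import pathlib
import tempfile

LOGIND = {"pam_systemd.so", "pam_elogind.so"}

def session_stack(pam_dir, service, parents=()):
    """Return [(control, module)] session entries of a service, following includes."""
    path = pathlib.Path(pam_dir, service)
    if service in parents or not path.is_file():
        return []  # include loop or missing file
    stack = []
    for raw in path.read_text().splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "@include":
            stack += session_stack(pam_dir, fields[1], parents + (service,))
            continue
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        end = 1  # a [bracketed] control field may contain spaces
        if fields[1].startswith("["):
            while end < len(fields) - 2 and not fields[end].endswith("]"):
                end += 1
        control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        if control in ("include", "substack"):
            stack += session_stack(pam_dir, module, parents + (service,))
        else:
            stack.append((control, pathlib.PurePosixPath(module).name))
    return stack

def logind_modules(pam_dir, service):
    """Logind registration modules reachable from the service's session stack."""
    return sorted({m for _, m in session_stack(pam_dir, service)} & LOGIND)

# Constructed sample files for an elogind system; file names are hypothetical.
SAMPLES = {
    "common-session": "session [default=1] pam_permit.so\n"
                      "session required pam_unix.so\n"
                      "session optional pam_elogind.so\n",
    "greeter-current": "session required pam_unix.so\nsession optional pam_systemd.so\n",
    "greeter-include": "@include common-session\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLES.items():
            pathlib.Path(d, name).write_text(text)
        return {n: logind_modules(d, n) for n in SAMPLES if n.startswith("greeter")}

if __name__ == "__main__":
    print(demo())
```

The resolver only reads configuration text; it does not check whether a listed module is actually installed, which still has to be verified on the target system.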
Bug#932047: lightdm: greeter session support for elogind
On Sun, 2022-10-09 at 10:03 +0100, Mark Hindley wrote:
> Hi Yves-Alexis,
>
> With another user bumping into this issue, I am keen to have it resolved in
> bookworm.
>
> I think adding
>
> session optional pam_elogind.so
>
> to /etc/pam.d/lightdm-greeter is the best and correct fix.
>
> I know you have been reluctant in the past, but would you consider it again.

Hi Mark,

for some reason it seems I never actually replied to this bug, sorry.

I might have replied on different bugs, but I'm not really keen on modifying pam
files, especially for specific / non-default stuff.

Do you know what are the opinion of PAM people and systemd-logind people on
that? It might be nice to have them chime in. Also not sure how this thing is
handled on other DM, any idea?

>
> Alternatively, I am happy to offer an NMU?

Please refrain for now.

Regards,
--
Yves-Alexis
Bug#932047: lightdm: greeter session support for elogind
Hi Yves-Alexis,

With another user bumping into this issue, I am keen to have it resolved in
bookworm.

I think adding

    session optional pam_elogind.so

to /etc/pam.d/lightdm-greeter is the best and correct fix.

I know you have been reluctant in the past, but would you consider it again.

Alternatively, I am happy to offer an NMU?

Best wishes and thanks.

Mark
Bug#932047: lightdm: greeter session support for elogind
Hey there,

I highly agree with Mark on this suggestion, since I ran into the exact same
problem after the installation of an alternative init system on Debian Bullseye
via the chroot method using d-i (first sysvinit, then OpenRC).

After adding the proposed line to /etc/pam.d/lightdm-greeter (and commenting out
the pam_systemd one), everything worked fine.

Best regards,
Fabian

On Sun, 14 Jul 2019 12:59:32 +0100 Mark Hindley wrote:
> Package: lightdm
> Severity: normal
> Tags: patch
>
> Yves-Alexis,
>
> Many thanks for updating lightdm's dependencies to use the new logind virtual
> packages in closing #922160.
>
> However, the necessary adjustments to the PAM configuration for lightdm-greeter
> are still outstanding.
>
> My testing indicates that in order for lightdm greeter's Suspend, Hibernate,
> Restart and Shut Down buttons to be enabled, the greeter itself needs to
> register a logind session.
>
> For elogind based systems this could be implemented by adding
>
> session optional pam_elogind.so
>
> to /etc/pam.d/lightdm-greeter
>
> Or, alternatively and perhaps better for the future, whichever logind
> implementation is enabled through pam-auth could be used by sourcing the PAM
> common-session.
>
> Patches implementing both of these approaches are attached.
>
> Many thanks,
>
> Mark
Bug#932047: lightdm: greeter session support for elogind
Hello,

Just a gentle nudge on this.

On Sun, 14 Jul 2019 12:59:32 +0100 Mark Hindley wrote:
> Patches implementing both of these approaches are attached.

I would be grateful if you could adopt one or other of these so that they can be
more widely tested well in advance of the freeze.

Thanks

Mark
Bug#932047: lightdm: greeter session support for elogind
Package: lightdm
Severity: normal
Tags: patch

Yves-Alexis,

Many thanks for updating lightdm's dependencies to use the new logind virtual
packages in closing #922160.

However, the necessary adjustments to the PAM configuration for lightdm-greeter
are still outstanding.

My testing indicates that in order for lightdm greeter's Suspend, Hibernate,
Restart and Shut Down buttons to be enabled, the greeter itself needs to
register a logind session.

For elogind based systems this could be implemented by adding

    session optional pam_elogind.so

to /etc/pam.d/lightdm-greeter

Or, alternatively and perhaps better for the future, whichever logind
implementation is enabled through pam-auth could be used by sourcing the PAM
common-session.

Patches implementing both of these approaches are attached.

Many thanks,

Mark

1 file changed, 5 insertions(+) debian/patches/05_debianize-pam-files.patch | 5 + modified debian/patches/05_debianize-pam-files.patch @@ -60,6 +60,11 @@ # Always let the greeter start without authentication auth required pam_permit.so +@@ -15,3 +16,4 @@ + # Setup session + session required pam_unix.so + session optional pam_systemd.so ++session optional pam_elogind.so --- a/data/pam/lightdm-autologin +++ b/data/pam/lightdm-autologin @@ -1,20 +1,37 @@ [back] 1 file changed, 7 insertions(+) debian/patches/05_debianize-pam-files.patch | 7 +++ modified debian/patches/05_debianize-pam-files.patch @@ -60,6 +60,13 @@ # Always let the greeter start without authentication auth required pam_permit.so +@@ -13,5 +14,4 @@ + password required pam_deny.so + + # Setup session +-session required pam_unix.so +-session optional pam_systemd.so ++@include common-session --- a/data/pam/lightdm-autologin +++ b/data/pam/lightdm-autologin @@ -1,20 +1,37 @@ [back]
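Review bot: In the first patch, the inner hunk "@@ -15,3 +16,4 @@" leaves the greeter stack naming two logind modules side by side ("session optional pam_systemd.so" and "session optional pam_elogind.so") with nothing in the file saying that normally only one of them is present. The "optional" control keeps the session from failing, but libpam still logs a load failure for the absent module on every greeter start. Consider prefixing both lines with "-" ("-session optional pam_elogind.so") so that a missing module is skipped silently, and add a one-line comment under "# Setup session" stating that whichever logind implementation is installed takes effect.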
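Review bot: In the second patch, the inner hunk "@@ -13,5 +14,4 @@" drops "session required pam_unix.so" and "session optional pam_systemd.so" for "@include common-session", yet the "# Setup session" comment kept as context does not record that the greeter's session stack is now whatever pam-auth-update has placed in common-session. Because this file applies to the greeter running as the lightdm user rather than to a logged-in user, add a comment saying the include is intentional and that every profile in common-session will also run for the greeter, so a later reader does not mistake it for the user-session file.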