Re: [gdm-list] PAM_TTY / console ownership
- From: "William Jon McCann" <mccann jhu edu>
- To: "Ray Strode" <halfline gmail com>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] PAM_TTY / console ownership
- Date: Sat, 27 Oct 2007 02:19:47 -0400
On 10/26/07, Ray Strode <halfline gmail com> wrote:
> Hi,
>
> So things don't work perfectly in Fedora right now with the new GDM.
>
> By default we have a PAM module called pam_console that gives local
> (at console) users special privileges. In particular, dbus uses these
> privileges to allow the user to suspend the system (with
> gnome-power-manager) or set up the network (with NetworkManager).
>
> One of the factors pam_console uses in determining if a user is at the
> console is the value of PAM_TTY. It needs to match a regex specified
> in
>
> /etc/security/console.handlers
>
> By default the regex is
>
> tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
>
> and the current code uses "/dev/console"
>
> Anyway, the regex fails and so logins with the new gdm are fairly
> restricted in what they can do (no network manager, no
> gnome-power-manager, no USB stick automounting, etc.).
>
> Long term dbus should be fixed to use ConsoleKit (or maybe PolicyKit
> with more fine grained control over what actions a user should be able
> to do), but right now it still depends on pam_console.
>
> The attached patch makes things closer to on par with the old gdm. On
> Linux it uses the display name, and on Solaris it uses the display tty
> as gotten from ConsoleKit. We may want to use the display tty on both
> OSes, although we'd have to strip the "/dev/" on Fedora for it to pass
> the regex above (or fix the regex).
>
> One thing it doesn't get right is remote display. I'm not sure what
> to do on that front, although I'm thinking that since ConsoleKit already
> knows about remote sessions, it may make sense to have it give us the
> value. Not sure, just like it does for local displays with
> ck-get-x11-display-device

So it isn't at all clear to me how we can fix this problem in
ProductSlave cleanly. At the time we initialize PAM we don't even
have an X Server for the session. We only create the server in
response to user-verified.

This is a problem for pam-console. ConsoleKit will be fine since it
doesn't run in the PAM stack (for GDM at least).

Jon
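
The regex mismatch described in the quoted message, as an added example that is not part of the thread or of pam_console's own code: the four quoted patterns are tested with POSIX `regcomp` against constructed PAM_TTY values. Whole-string matching is an assumption (it agrees with the remark that "/dev/" would have to be stripped), and the function names are hypothetical.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* The four patterns quoted in the message for /etc/security/console.handlers. */
static const char *const console_patterns[] = {
    "tty[0-9][0-9]*", "vc/[0-9][0-9]*", ":[0-9]+\\.[0-9]+", ":[0-9]+",
};

/* Assumption: a pattern has to match the whole PAM_TTY value, so anchor it. */
static int matches_whole(const char *pattern, const char *value)
{
    char anchored[128];
    regex_t re;
    if (snprintf(anchored, sizeof anchored, "^(%s)$", pattern) >= (int)sizeof anchored)
        return 0;
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    int hit = (regexec(&re, value, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Returns 1 if pam_tty matches any console pattern, 0 otherwise. */
int tty_is_console(const char *pam_tty)
{
    if (pam_tty == NULL)
        return 0;
    for (size_t i = 0; i < sizeof console_patterns / sizeof console_patterns[0]; i++)
        if (matches_whole(console_patterns[i], pam_tty))
            return 1;
    return 0;
}

/* The "strip /dev/" option raised in the message: drop the prefix, then test. */
int tty_is_console_stripped(const char *pam_tty)
{
    if (pam_tty != NULL && strncmp(pam_tty, "/dev/", 5) == 0)
        pam_tty += 5;
    return tty_is_console(pam_tty);
}

int main(void)
{
    /* Constructed sample PAM_TTY values, not captured from a real login. */
    const char *s[] = { "/dev/console", ":0", ":0.0", "tty7", "vc/1", "/dev/tty7" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-13s as-is=%d stripped=%d\n", s[i], tty_is_console(s[i]), tty_is_console_stripped(s[i]));
    return 0;
}
```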