Re: [gdm-list] PAM_TTY / console ownership
- From: "William Jon McCann" <mccann jhu edu>
- To: "Ray Strode" <halfline gmail com>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] PAM_TTY / console ownership
- Date: Sat, 27 Oct 2007 02:19:47 -0400
On 10/26/07, Ray Strode <halfline gmail com> wrote:
> So things don't work perfectly in Fedora right now with the new GDM.
> By default we have a PAM module called pam_console that gives local
> (at console) users special privileges. In particular, dbus uses these
> privileges to allow the user to suspend the system (with
> gnome-power-manager) or set up the network (with NetworkManager).
>
> One of the factors pam_console uses in determining if a user is at the
> console is the value of PAM_TTY. It needs to match a regex specified
> By default the regex is
> tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
> and the current code uses "/dev/console"
>
> Anyway, the regex fails and so logins with the new gdm are fairly
> restricted in what they can do (no network manager, no
> gnome-power-manager, no usb stick automounting etc etc).
>
> Long term dbus should be fixed to use ConsoleKit (or maybe PolicyKit
> with more fine grained control over what actions a user should be able
> to do), but right now it still depends on pam_console.
>
> The attached patch makes things closer to on par with the old gdm. On
> Linux it uses the display name, and on Solaris it uses the display tty
> as gotten from ConsoleKit. We may want to use the display tty on both
> OS's, although we'd have to strip the "/dev/" on Fedora for it to pass
> the regex above (or fix the regex).
>
> One thing it doesn't get right is remote display. I'm not sure what
> to do on that front, although I'm thinking since ConsoleKit already
> knows about remote sessions, it may make sense to have it give us the
> value. Not sure, just like it does for local displays with
So it isn't at all clear to me how we can fix this problem in
ProductSlave cleanly. At the time we initialize PAM we don't even
have an X Server for the session. We only create the server in
response to user-verified.
This is a problem for pam-console. ConsoleKit will be fine since it
doesn't run in the PAM stack (for GDM at least).
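
The PAM_TTY matching discussed in this thread, as an added example that is not part of either message, the attached patch, or pam_console's own code. It assumes each space-separated pattern is a POSIX extended regex that must match the whole value (consistent with the remark that "/dev/" would have to be stripped); the function names and sample values are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Default console patterns quoted in the thread (space separated). */
static const char *CONSOLE_PATTERNS =
    "tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\\.[0-9]+ :[0-9]+";

/* Assumption: each pattern is a POSIX ERE that must match the whole value. */
static int matches_whole(const char *pat, size_t len, const char *value)
{
    char buf[128];
    regex_t re;
    if (snprintf(buf, sizeof buf, "^%.*s$", (int)len, pat) >= (int)sizeof buf ||
        regcomp(&re, buf, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    int rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Returns 1 if tty matches any pattern in the list, otherwise 0. */
int is_console_tty(const char *tty)
{
    const char *p = CONSOLE_PATTERNS;
    while (tty != NULL && *p != '\0') {
        size_t len = strcspn(p, " ");
        if (len > 0 && matches_whole(p, len, tty))
            return 1;
        p += len + strspn(p + len, " ");
    }
    return 0;
}

/* Hypothetical helper: the "/dev/" stripping suggested in the thread. */
const char *strip_dev_prefix(const char *tty)
{
    return strncmp(tty, "/dev/", 5) == 0 ? tty + 5 : tty;
}

int main(void)
{
    /* Constructed sample PAM_TTY values. */
    const char *s[] = { "/dev/console", ":0", ":0.0", "/dev/tty7", "tty7" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-13s as-is=%d stripped=%d\n", s[i],
               is_console_tty(s[i]), is_console_tty(strip_dev_prefix(s[i])));
    return 0;
}
```

Under these assumptions "/dev/console" matches none of the patterns with or without its prefix, while a display name such as ":0" and a stripped "tty7" both match.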