On 8/24/19 4:38 PM, Ken Moffat via blfs-dev wrote:
> Assuming that the reply to my earlier post (should I be in the input
> group?) is 'no', can somebody please spare some time to explain how
> authorisation via polkit (which I think is the intended route to
> gaining access to /dev/input/event*) is supposed to work?
>
> I've built polkit with the patch for elogind.  Both dbus and elogind
> have been started.

After some discussion, we determined that dbus must be built twice due to circular dependencies:

dbus
pam
elogind
dbus
...
polkit

> First question: should polkitd be running (i.e. visible in ps aux)
> or does it only fire up to respond to dbus, and then shut down again?

There is no boot script for polkit, so something needs to start it. I'm not sure what does that, but we have polkit as a runtime dependency of xorg-server.

> Second question: how is the user who started xorg authenticated by
> polkitd?
>
> Looking at the man pages, all rules files in /etc/polkit-1/rules.d
> and /usr/share/polkit-1/rules.d are processed in lexical order (in
> the event of a tie, the file in /etc is processed first).  But on
> this completed system I only have three files in those two
> directories:

I note that /etc/polkit-1/rules.d/50-default.rules has

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

On my system, I am a member of the wheel group, but I didn't add that recently. It is legacy. Are you a member of the wheel group?

I have not yet built gnome and for me /usr/share/polkit-1/rules.d is empty.

> /etc/polkit/rules.d/50-default-rules which seems to be checking if
> admin users are in the wheel group, and in
> /usr/share/polkit-1/rules.d I have
> org.freedesktop.NetworkManager.rules and
> org.gtk.vfs.file-operations.rules from building those packages at a
> later stage.
>
> I don't see anything that would cause polkitd to grant access to me
> via elogind.
>
> At this point, I'm clearly out of my depth, and I will not be
> updating further systems (nor reviewing if the kernel config for
> elogind is adequate, nor if the mountcgroupfs and elogind
> bootscripts are really needed) unless I can understand where my
> build/usage of elogind is failing.

I agree that the interaction of applications, elogind, dbus, pam, and polkit is complicated.

Speaking of pam, in /etc/pam.d/ do you have polkit-1, elogind-user, and login? Also:

$ cat system-session
# Begin /etc/pam.d/system-session

session   required    pam_unix.so

# End /etc/pam.d/system-session
# Begin elogind addition

session  required    pam_loginuid.so
session  optional    pam_elogind.so

# End elogind addition

  -- Bruce
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
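
The rules-file ordering quoted above from the polkit man pages, as an added example that is not part of the original message and not polkit's own code: it lists the `.rules` files from both directories in processing order and reports which ones call `polkit.addRule` or `polkit.addAdminRule`. The function names are hypothetical, byte-wise name comparison is an assumption, and the hook detection is a plain text match.

```python
import os
import re
import sys
from pathlib import Path

# The two directories named in the thread, in tie-break order (/etc first).
RULES_DIRS = ("/etc/polkit-1/rules.d", "/usr/share/polkit-1/rules.d")
# Textual match for rule registrations; it does not evaluate the JavaScript.
HOOK = re.compile(r"polkit\.(addAdminRule|addRule)\s*\(")


def rules_in_order(dirs=RULES_DIRS):
    """Return *.rules paths sorted by file name; on a tie the earlier dir wins."""
    found = []
    for rank, d in enumerate(dirs):
        p = Path(d)
        if p.is_dir():
            found += [(os.fsencode(f.name), rank, f)
                      for f in p.glob("*.rules") if f.is_file()]
    # Assumption: names compare byte-wise (C locale), not by the user's locale.
    return [f for _, _, f in sorted(found, key=lambda t: t[:2])]


def hooks_by_file(dirs=RULES_DIRS):
    """Return (path, hooks) in processing order; hooks is None if unreadable."""
    report = []
    for f in rules_in_order(dirs):
        try:
            hooks = HOOK.findall(f.read_text(errors="replace"))
        except OSError:  # rules.d is often readable only by root and polkitd
            hooks = None
        report.append((str(f), hooks))
    return report


if __name__ == "__main__":
    for path, hooks in hooks_by_file(sys.argv[1:3] or RULES_DIRS):
        if hooks is None:
            print(f"{path}: unreadable (run as root)")
        else:
            print(f"{path}: {', '.join(hooks) or 'no addRule/addAdminRule call'}")
```

Run it as root where the rules directories are not readable by ordinary users; a file that shows only `addAdminRule` defines who counts as an administrator and does not by itself authorize any action.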