Bug 19821

Summary: sddm opens a user slice that is undifferentiated from any normal user's
Product: Mageia Reporter: Chris Denice <eatdirt>
Component: RPM Packages Assignee: Nicolas Lécureuil <mageia>
Status: NEW --- QA Contact:
Severity: major    
Priority: Normal CC: mageia, ouaurelien
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: sddm-0.18.1-4.mga8.src.rpm CVE:
Status comment:

Description Chris Denice 2016-11-19 18:18:58 CET
If you are using sddm, I have already reported there:

https://bugs.mageia.org/show_bug.cgi?id=18942

that sddm creates an abandoned session.

But in addition, because it sets itself as the sddm user, it prevents also auto-suspend: https://github.com/sddm/sddm/issues/445


Finally, I am opening this bug, because in addition to all the above sh..., it also starts all systemd user services, which should only be started by normal users (as for instance gpg-agent). Clearly, sddm is not going to encrypt anything and SHOULD NOT get granted the rights and services of a normal user.


Here user-958 is sddm. Look at all the mess it is pulling in.


systemctl status

           ├─user.slice
           │ ├─user-958.slice
           │ │ ├─session-c1.scope
           │ │ │ ├─2780 dbus-launch --autolaunch dacb524af88b4fb6821f6a8a1a765167 --binary-synt
           │ │ │ └─2781 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
           │ │ └─user@958.service
           │ │   ├─gpg-agent.service
           │ │   │ └─2768 /usr/bin/gpg-agent --daemon --use-standard-socket
           │ │   └─init.scope
           │ │     ├─2762 /usr/lib/systemd/systemd --user
           │ │     └─2763 (sd-pam)


Answer for upstream:
"We do report to pam_systemd that this is a special greeter session as the XDG_SESSION_CLASS"
David Walser 2016-11-21 14:43:59 CET

Assignee: bugsquad => mageia

Comment 1 Chris Denice 2016-11-24 16:39:57 CET
I have found a workaround for these issues.

As a matter of fact:

https://bugs.mageia.org/show_bug.cgi?id=18942
https://github.com/sddm/sddm/issues/445

also affects all the "newest" display managers@mageia (and other distros as well, if you duckduckgo them), namely: gdm, lxdm, lightdm.


Because they start themselves as a "user", pam_systemd registers a user slice, undifferentiated as to whether they are real users or greeters. Maybe that's actually a systemd bug?

However, once the real user logs in, the fact that the display manager slice is not closing is due to dbus-launch --autolaunch and dbus-daemon staying there.

There is a way to force systemd to close "closing" sessions instead of keeping them as abandoned: man logind.conf

We should set in /etc/systemd/logind.conf

KillUserProcesses=yes

which has the nasty effect of also killing all real user sessions after logout and renders the command "screen" useless. This side effect can however be prevented by specifying:

KillOnlyUsers=


My proposal is to default systemd logind config on mageia 6 to:

KillUserProcesses=yes
KillOnlyUsers=lightdm gdm sddm

I have tested that locally and it works fine. "screen" commands issued by users are also not killed, so that should be a transparent setting.

Added Colin in CC, in case he has a better idea!

Cheers.

CC: (none) => mageia

Comment 2 Aurelien Oudelet 2020-08-20 11:26:34 CEST
As of today in Cauldron, sddm version is sddm-0.18.1-4.mga8 and every sddm.user.slice is correctly ended when the user logs on to the desktop env.

loginctl reports:
[aurelien@mageia ~]$ loginctl
SESSION  UID USER     SEAT  TTY
     c2 1000 aurelien seat0

So, no longer exists in Cauldron.

But it is right that some "normal user" services are launched:

sddm-helper[1944]: pam_unix(sddm-greeter:session): session opened for user sddm by (uid=0)
août 20 08:33:22 systemd[1]: Created slice User Slice of UID 988.
août 20 08:33:22 systemd[1]: Starting User Runtime Directory /run/user/988...
août 20 08:33:22 systemd-logind[948]: New session c1 of user sddm.
août 20 08:33:22 systemd[1]: Finished User Runtime Directory /run/user/988.
août 20 08:33:22 systemd[1]: Starting User Manager for UID 988...
août 20 08:33:22 systemd[1961]: kde-systemd-start-condition not found: No such file or directory
août 20 08:33:22 systemd[1961]: kde-systemd-start-condition not found: No such file or directory
août 20 08:33:22 systemd[1961]: Not generating service for XDG autostart app-xdg\x2duser\x2ddirs-autostart.service, startup phases are not supported.
août 20 08:33:22 systemd[1961]: Not generating service for XDG autostart app-at\x2dspi\x2ddbus\x2dbus-autostart.service, startup phases are not supported.
août 20 08:33:22 systemd[1961]: kde-systemd-start-condition not found: No such file or directory
août 20 08:33:22 systemd[1961]: kde-systemd-start-condition not found: No such file or directory
août 20 08:33:22 systemd[1961]: Not generating service for XDG autostart app-pulseaudio-autostart.service, startup phases are not supported.
août 20 08:33:22 systemd[1961]: Not generating service for XDG autostart app-kaccess-autostart.service, only Type=Application is supported.
août 20 08:33:22 systemd[1961]: Not generating service for XDG autostart app-gsettings\x2ddata\x2dconvert-autostart.service, startup phases are not supported.
août 20 08:33:22 systemd[1961]: Not generating service for XDG autostart app-powerdevil-autostart.service, only Type=Application is supported.
août 20 08:33:22 systemd[1961]: kde-systemd-start-condition not found: No such file or directory
août 20 08:33:22 systemd[1950]: Queued start job for default target Main User Target.
août 20 08:33:22 systemd[1950]: Reached target Paths.
août 20 08:33:22 systemd[1950]: Reached target Timers.
août 20 08:33:22 systemd[1950]: Starting D-Bus User Message Bus Socket.
août 20 08:33:22 systemd[1950]: Listening on Multimedia System.
août 20 08:33:22 systemd[1950]: Listening on Sound System.
août 20 08:33:22 systemd[1950]: Listening on D-Bus User Message Bus Socket.
août 20 08:33:22 systemd[1950]: Reached target Sockets.
août 20 08:33:22 systemd[1950]: Reached target Basic System.
août 20 08:33:22 systemd[1]: Started User Manager for UID 988.
août 20 08:33:22 systemd[1]: Started Session c1 of user sddm.
août 20 08:33:22 systemd[1950]: Starting GnuPG private key agent...
août 20 08:33:22 systemd[1950]: Started GnuPG private key agent.
août 20 08:33:22 systemd[1950]: Reached target Main User Target.
août 20 08:33:22 systemd[1950]: Startup finished in 153ms.
août 20 08:33:22 systemd[1950]: Starting D-Bus User Message Bus...
août 20 08:33:22 systemd[1950]: Started D-Bus User Message Bus.
août 20 08:33:22 sddm-greeter[1966]: Loading file:///usr/share/sddm/themes/breeze/Main.qml...
août 20 08:33:30 sddm-helper[1973]: pam_succeed_if(sddm:auth): requirement "user ingroup nopasswdlogin" not met by user "aurelien"
août 20 08:33:30 sddm-helper[1973]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
août 20 08:33:30 sddm-helper[1973]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
août 20 08:33:30 systemd[1]: Created slice User Slice of UID 1000.
août 20 08:33:30 systemd[1]: Starting User Runtime Directory /run/user/1000...
août 20 08:33:30 systemd-logind[948]: New session c2 of user aurelien.
août 20 08:33:30 systemd[1]: Finished User Runtime Directory /run/user/1000.
août 20 08:33:30 systemd[1]: Starting User Manager for UID 1000...

Such behavior is reported upstream, as already written above.

But there is no longer an "abandoned" session for sddm, as it gets closed properly after user logon.

CC: (none) => ouaurelien
Source RPM: sddm-0.14.0-10.mga6.src.rpm => sddm-0.18.1-4.mga8.src.rpm
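
Added example (not part of the bug report, and not sddm or systemd code): a small Python check that reads journal lines like those quoted in Comment 2 and lists the user units reported as started by the systemd --user instance of a greeter account. The function name, the set of greeter account names and the two attribution heuristics marked in the comments are assumptions of this example.

```python
import re

# Journal excerpt modeled on Comment 2; the UID 1000 manager line (PID 2001) is constructed.
SAMPLE = """\
août 20 08:33:22 systemd[1]: Created slice User Slice of UID 988.
août 20 08:33:22 systemd-logind[948]: New session c1 of user sddm.
août 20 08:33:22 systemd[1]: Starting User Manager for UID 988...
août 20 08:33:22 systemd[1950]: Reached target Sockets.
août 20 08:33:22 systemd[1]: Started User Manager for UID 988.
août 20 08:33:22 systemd[1950]: Starting GnuPG private key agent...
août 20 08:33:22 systemd[1950]: Started GnuPG private key agent.
août 20 08:33:22 systemd[1950]: Started D-Bus User Message Bus.
août 20 08:33:30 systemd[1]: Created slice User Slice of UID 1000.
août 20 08:33:30 systemd-logind[948]: New session c2 of user aurelien.
août 20 08:33:30 systemd[1]: Starting User Manager for UID 1000...
août 20 08:33:30 systemd[2001]: Started GnuPG private key agent.
août 20 08:33:30 systemd[1]: Started User Manager for UID 1000.
"""
GREETERS = {"sddm", "gdm", "lightdm"}  # assumption: account names taken from Comment 1
LINE = re.compile(r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def greeter_user_units(journal, greeters=GREETERS):
    """Return {greeter: [units its systemd --user instance reported as Started]}."""
    uid_user, pid_uid, found = {}, {}, {}
    last_slice = booting = None
    for raw in journal.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        prog, pid, msg = m["prog"], int(m["pid"]), m["msg"]
        if prog == "systemd-logind":
            # Heuristic: a new session belongs to the most recently created user slice.
            s = re.match(r"New session \S+ of user (\S+)\.", msg)
            if s and last_slice is not None:
                uid_user[last_slice] = s[1]
        elif prog == "systemd" and pid == 1:
            if s := re.match(r"Created slice User Slice of UID (\d+)\.", msg):
                last_slice = int(s[1])
            elif s := re.match(r"Starting User Manager for UID (\d+)\.\.\.", msg):
                booting = int(s[1])
            elif msg.startswith("Started User Manager for UID"):
                booting = None
        elif prog == "systemd":
            # Heuristic: a systemd PID first seen while a manager boots serves that UID.
            if booting is not None:
                pid_uid.setdefault(pid, booting)
            user = uid_user.get(pid_uid.get(pid))
            if user in greeters and (s := re.match(r"Started (.+)\.$", msg)):
                found.setdefault(user, []).append(s[1])
    return found
```

On a live system, `loginctl show-session c1 -p Class` shows the session class that logind recorded for the greeter session, which is the value upstream refers to in the description.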