Advisory Text ============= Due the fact that Mageia 2 supports both systemd and sysvinit boot systems, it has not yet been fully transitioned away from the deprecated consolekit system for tracking user sessions. Overall a combination of logind and consolekit tracking is used in different circumstances. udev device ACLs are typically handled by logind. In order to ensure proper ACLs are added to devices, the startx application was modified to ensure it did not switch away from the active VT which would have caused their logind session to become inactive and thus deny the user of any device ACLs. Preventing VT switch means the logind session remains active. This is only needed by the small minority of users starting their graphical environment after logging into a text console. Conversely, polkit only looks for session information in the consolekit database. When used with startx, a new consolekit session would be started, but because only one consolekit session can be active at once, the previous text session would remain active. As a result polkit would only find the inactive consolekit session and typically deny the user access to any policy where allow_active = yes. This includes things like mounting removable media. In order to resolve these issues and still support both systemd and consolekit, the following actions were taken. 1. polkit is now packaged to include both logind and consolekit support. It automatically picks the most appropriate backend depending on whether the system was booted with systemd or sysvinit. 2. startx was modified to only prevent VT switch when booted under systemd. With these two changes, startx now works almost as well as a proper Display Manager for most functions.
SRPM: polkit-0.104-4.1.mga2.src.rpm SRPM: xinit-1.3.2-3.1.mga2.src.rpm Testing Procedure ================= 1. Boot mga2 to KDM and login to KDE. 2. Confirm that inserting a USB stick drive shows up and can be mounted and opened in Dolphin. 3. Reboot and add " 3" to the end of the kernel command line to boot to a text console. 4. Login to the text console and run "startx" 5. Repeat step 2, but note that the mount should fail with a brief "Authorization failed" message. 6. Install the updated packages and repeat steps 3-5 but with a successful outcome. For a complete test you should repeat the same steps but with a sysvinit rather than the default systemd boot, but I have tested a simulation of this and I'm pretty confident this will be fine. Note this change may also fix some similar authorization issues with autologin, but I've not specifically tested this.
Assignee: mageia => qa-bugs
Tested on MGA2 x86_64: Before installing updated packages when X started with startx: $ udisksctl mount -b /dev/sdc1 ==== AUTHENTICATING FOR org.freedesktop.udisks2.filesystem-mount === Authentication is required to mount /dev/sdc1 Authenticating as: root Password: <did not enter password> polkit-agent-helper-1: pam_authenticate failed: Authentication failure ==== AUTHENTICATION FAILED === Error mounting /dev/sdc1: GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorized: Not authorized to perform operation After installing the updated packages with startx it works as expected: $ udisksctl mount -b /dev/sdc1 Mounted /dev/sdc1 at /run/media/... (Did not test with initscripts or X started by a display manager though.)
CC: (none) => balatonWhiteboard: (none) => MGA2-64-OK
I've also now tested some systems using autologin and the problems related to various permissions are resolved there also.
Colin: The validating policy has recently been changed, so as to take packagers testing into account for one architecture, provided they provide a detailed testing procedure. So this one would be good to go from a QA point of view if you tested on MGA2 i586. So, did you? If so, all that's needed would be to check if linking is required and to validate afterwards. I would be happy to do that (unfortunately I couldn't help with testing as I don't have a USB stick around).
CC: (none) => wassi
Sorry for the delay. I did not test MGA2 i586, only x86_64 machines here.
Incidentally, bug #5855 is likely also fixed by this update.
Testing complete on Mageia 2 i586. Thanks for the detailed procedure. Could someone from the sysadmin team push the srpms polkit-0.104-4.1.mga2.src.rpm xinit-1.3.2-3.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Due the fact that Mageia 2 supports both systemd and sysvinit boot systems, it has not yet been fully transitioned away from the deprecated consolekit system for tracking user sessions. Overall a combination of logind and consolekit tracking is used in different circumstances. udev device ACLs are typically handled by logind. In order to ensure proper ACLs are added to devices, the startx application was modified to ensure it did not switch away from the active VT which would have caused their logind session to become inactive and thus deny the user of any device ACLs. Preventing VT switch means the logind session remains active. This is only needed by the small minority of users starting their graphical environment after logging into a text console. Conversely, polkit only looks for session information in the consolekit database. When used with startx, a new consolekit session would be started, but because only one consolekit session can be active at once, the previous text session would remain active. As a result polkit would only find the inactive consolekit session and typically deny the user access to any policy where allow_active = yes. This includes things like mounting removable media. In order to resolve these issues and still support both systemd and consolekit, the following actions were taken. 1. polkit is now packaged to include both logind and consolekit support. It automatically picks the most appropriate backend depending on whether the system was booted with systemd or sysvinit. 2. startx was modified to only prevent VT switch when booted under systemd. With these two changes, startx now works almost as well as a proper Display Manager for most functions. https://bugs.mageia.org/show_bug.cgi?id=7593
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: MGA2-64-OK => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0217
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED