Bug#892302: libpam-systemd: Does not recgonize serial consoles as part of a seat

[Michael Biebl]

On Wed, 07 Mar 2018 19:05:13 -0500 Matthew Gabeler-Lee
<cheetah at fastcat.org> wrote:
> Package: libpam-systemd
> Version: 232-25+deb9u1
> Severity: normal
> 
> Various policykit actions that flag as for "active" or even "inactive", but
> not "any", do not work from serial console sessions.  After much pain, I'm
> fairly sure I've traced this down to libpam-systemd not marking serial
> logins as part of a seat.  This causes policykit to decide that the session
> is not local, and thus its activity state is irrelevant for the
> allow_inactive / allow_active policykit grants.

Are you logging in via serial console as unprivileged user?

> This seems to boil down, finally, to the get_seat_from_display function in
> pam_systemd.c.
> 
> Granted, serial console sessions are not _always_ local, given that I guess
> modems still technically exist and you might have dialup sessions, but this
> basically means that policykit is half-broken on headless systems, and that
> breaks significant bits of systemd, such as systemd-inhibit, which is where
> I began this adventure.
> 
> For headless systems, being able to identify serial consoles that _are_
> local and thus should have a "seat" would be helpful.  The contents of
> /etc/securetty seem like they would be a useful starting place here.

/etc/securetty (pam_securetty) is not really a good idea.


That all said, you should really take this up with upstream at
https://github.com/systemd/systemd/issues
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20180308/b4d5eaa4/attachment-0002.sig>