Bug#989719: Backport commit 7820a56ccb ("logind: Restore chvt as non-root user without polkit") to bullseye

Punit Agrawal punitagrawal at gmail.com
Fri Jun 11 11:57:40 BST 2021


I missed your comment in this mail. Response at the end.

Michael Biebl <biebl at debian.org> writes:

> On 11.06.2021 at 11:49, Punit Agrawal wrote:
>> Michael Biebl <biebl at debian.org> writes:
>> 
>>> On 11.06.2021 at 11:07, Michael Biebl wrote:
>>>> On 11.06.2021 at 10:55, Punit Agrawal wrote:
>>>>> Package: systemd
>>>>> Version: 247.3-5
>>>>> Severity: important
>>>>> X-Debbugs-Cc: punit1.agrawal at toshiba.co.jp
>>>>>
>>>>> systemd 245 introduced a bug[0][1] that prevents activating a virtual
>>>>> terminal without CAP_SYS_ADMIN when polkit is disabled (as is the case
>>>>> on many embedded systems). One consequence of this is that it prevents
>>>>> running weston from a service as a non-root user.
>>>> But in Debian, PolicyKit support is enabled?
>>>> Can you elaborate why this issue is relevant for Debian?
>>>
>>> To be more specific:
>>> We never reach
>>> https://github.com/systemd/systemd/blob/main/src/login/logind-polkit.c#L19
>>> as this is a compile time switch and the "return 1" is only relevant
>>> for distros which build systemd without PolicyKit support. But Debian
>>> *does* build with PolicyKit support (i.e. ENABLE_POLKIT will be set).
>>>
>>> So, I don't see how this pull request makes any functional difference
>>> for Debian.
>> Without the commit, policykit-1 needs to be installed - as this would be
>> the only reason
>
> This is a compile time check though (the commit you linked).
> I don't see how this is going to make a difference

After staring at the commit some more, I see what you are getting at -
the linked commit isn't really going to help. The issue was introduced
in commit 4acf0cfd2f ("logind: check PolicyKit before allowing VT
switch"). The Debian-relevant mitigation is in commit 19bb87fbfac8
("login: allow non-console sessions to change vt") as ENABLE_POLKIT=1.

In the Debian context, the only real solution seems to be to install
policykit-1.

Apologies for the noise. Please close / reject as appropriate.


