Bug#1072930: libpam-wtmpdb: sessions not closed after systemd-run --user --machine …@.host

[Chris Hofstaedtler]

Control: reassign -1 src:systemd
Control: affects -1 libpam-wtmpdb

Luca,

On Mon, Jun 10, 2024 at 03:26:24PM +0100, Tomas Janousek wrote:
> If I do the following:
> 
> 	$ sudo systemd-run --user -M "$USER"@.host --quiet --wait --collect --pipe echo foo
> 
> then I get an error in the journal:
> 
> 	Jun 10 14:15:08 deb1-wtmpdb systemd[657]: Started run-u7.service - echo foo.
> 	Jun 10 14:15:08 deb1-wtmpdb (sd-pam)[1297]: pam_unix(login:session): session closed for user debian
> 	Jun 10 14:15:08 deb1-wtmpdb (sd-pam)[1297]: pam_wtmpdb(login:session): update_logout: Updating logout time did not return SQLITE_DONE: 8
> 
> and the session stays open:
> 
> 	$ last
> 	debian                                 Mon Jun 10 14:15 - still logged in


I'll need your help/insight here. ISTM systemd is restricting what
PAM is allowed to do, but the libpam-wtmpdb cannot really function
without writing to its file.

How is this supposed to work?
Was there a discussion with wtmpdb upstream?

Chris


> With that older unstable snapshot, there is, however, an error from pam_systemd:
> 	Jun 10 14:13:56 deb2-wtmpdb (sd-pam)[582]: pam_systemd(login:session): Failed to release session: Access denied
> 
> That one was fixed by 
> https://github.com/keszybz/systemd/commit/fc0bb7ccc763ec79efe7a8a58220e9bc80f34f81 
> and perhaps exploring the discussions linked there might be useful when 
> figuring out how to fix this in libpam-wtmpdb.
>