Bug 4634 - unable to create sessions on Fedora 19 (pam_loginuid)
Status: CLOSED FIXED
Product: ThinLinc
Classification: Unclassified
Component: Server OS
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.0
Assignee: Pierre Ossman
Keywords: aaron_tester
 
Reported: 2013-05-03 14:28 CEST by Pierre Ossman
Modified: 2013-05-16 11:06 CEST

Description Pierre Ossman cendio 2013-05-03 14:28:24 CEST
It's impossible to create new ThinLinc sessions on Fedora 19. The logs show this:

2013-05-03 14:24:04 WARNING tl-session: pam_open_session failed: 14 (Cannot make/remove an entry for the specified session)

and in secure we can find:

May  3 14:24:04 dhcp-254-223 tl-session: pam_loginuid(thinlinc:session): set_loginuid failed


An strace confirms it:

[pid 10993] open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW) = 3
[pid 10993] write(3, "1001", 4)         = -1 EPERM (Operation not permitted)
[pid 10993] close(3)                    = 0


I don't understand why this is happening though. SELinux is in permissive mode, and in the same strace we can see that tl-session has both CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL:

[pid 10993] capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
[pid 10993] capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP, 0}) = 0

Disabling pam_loginuid makes it possible to log in though.
Comment 1 Pierre Ossman cendio 2013-05-03 14:34:53 CEST
Reported to Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=959418
Comment 2 Pierre Ossman cendio 2013-05-03 17:30:56 CEST
The problem is systemd (of course). They've changed the way loginuid works, so you absolutely must be started from systemd. No more running vsmagent (or sshd for that matter) from a terminal.

This works for Fedora's SysV/LSB scripts as they redirect things via systemctl, but breaks for any third party stuff.

The suggested "fix" is to source /etc/init.d/functions at the top of the init scripts. Just sourcing it is sufficient, but it's still hardly LSB compliant. So I'm hoping upstream can come up with a better suggestion.
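
The failure mode described in comment 2, as an added example that is not part of the original report or of ThinLinc's code: a POSIX sh check an init script could run to tell whether it was started from a context that already carries a loginuid. It assumes the kernel refuses to change a loginuid once it is set (consistent with the EPERM in the strace above) and that 4294967295 is the unset value; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not ThinLinc code. POSIX sh only, so it also runs under dash.

# (uid_t)-1: the kernel's "no login uid assigned yet" value (assumption
# stated in the lead-in).
LOGINUID_UNSET=4294967295

# loginuid_state [FILE]
# Prints one of:
#   unset        nothing assigned yet; pam_loginuid can write the session uid
#   set:<uid>    inherited from a login session; a later write is expected
#                to fail with EPERM if the kernel treats the value as immutable
#   unavailable  file missing or unreadable, so no inherited value to conflict
#   invalid      content is not a decimal uid
loginuid_state() {
    file=${1:-/proc/self/loginuid}
    [ -r "$file" ] || { echo unavailable; return 0; }
    # procfs presents the value without a trailing newline, which makes
    # read return non-zero; keep whatever was read in that case.
    IFS= read -r uid < "$file" || [ -n "$uid" ] || { echo invalid; return 0; }
    case $uid in
        ''|*[!0-9]*) echo invalid ;;
        "$LOGINUID_UNSET") echo unset ;;
        *) echo "set:$uid" ;;
    esac
}

# start_context_ok [FILE]
# Exit status 0 when a daemon started from this context would not hand an
# already-set loginuid to its PAM sessions, 1 otherwise (reason on stderr).
start_context_ok() {
    state=$(loginuid_state "$1")
    case $state in
        unset|unavailable) return 0 ;;
        set:*)
            echo "loginuid already ${state#set:}; start via the service manager" >&2
            return 1 ;;
        *)  echo "unexpected loginuid content" >&2
            return 1 ;;
    esac
}
```

Run from a terminal login, `start_context_ok` is expected to fail with the logged-in user's uid; in a service started by the init system it should succeed.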
Comment 3 Pierre Ossman cendio 2013-05-03 17:33:14 CEST
We could also start shipping a systemd definition, as I believe that trumps any init script found.
Comment 4 Aaron Sowry cendio 2013-05-06 09:06:01 CEST
(In reply to comment #3)
> We could also start shipping a systemd definition, as I believe that trumps any
> init script found.

https://www.cendio.com/bugzilla/show_bug.cgi?id=4290
Comment 5 Pierre Ossman cendio 2013-05-14 16:13:52 CEST
r27378 adds our own implementation of redirecting things via systemd.
Comment 6 Aaron Sowry cendio 2013-05-15 13:24:26 CEST
Problem starting services on Ubuntu 13.04:

/etc/init.d/vsmagent: 15: /opt/thinlinc/libexec/functions: Syntax error: redirection unexpected
Comment 7 Pierre Ossman cendio 2013-05-15 14:19:08 CEST
(In reply to comment #6)
> Problem starting services on Ubuntu 13.04:
> 
> /etc/init.d/vsmagent: 15: /opt/thinlinc/libexec/functions: Syntax error:
> redirection unexpected

r27387.
Comment 8 Aaron Sowry cendio 2013-05-16 11:06:01 CEST
Tested also on Fedora 19, starting a Gnome Shell session works fine. Closing.
