www.cendio.com
Bug 4634 - unable to create sessions on Fedora 19 (pam_loginuid)
Status: CLOSED FIXED
: ThinLinc
Server OS
: trunk
: PC Unknown
: P2 Normal
: 4.1.0
Reported: 2013-05-03 14:28 by
Modified: 2013-05-16 11:06 (History)




Description From cendio 2013-05-03 14:28:24
It's impossible to create new ThinLinc sessions on Fedora 19. The logs show
this:

2013-05-03 14:24:04 WARNING tl-session: pam_open_session failed: 14 (Cannot
make/remove an entry for the specified session)

and in secure we can find:

May  3 14:24:04 dhcp-254-223 tl-session: pam_loginuid(thinlinc:session):
set_loginuid failed


An strace confirms it:

[pid 10993] open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW) = 3
[pid 10993] write(3, "1001", 4)         = -1 EPERM (Operation not permitted)
[pid 10993] close(3)                    = 0


I don't understand why this is happening though. SELinux is in permissive mode,
and in the same strace we can see that tl-session has both CAP_AUDIT_WRITE and
CAP_AUDIT_CONTROL:

[pid 10993] capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
[pid 10993] capget({_LINUX_CAPABILITY_VERSION_3, 0},
{CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP,
0}) = 0

Disabling pam_loginuid makes it possible to log in though.
------- Comment #1 From cendio 2013-05-03 14:34:53 -------
Reported to Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=959418
------- Comment #2 From cendio 2013-05-03 17:30:56 -------
The problem is systemd (of course). They've changed the way loginuid works, so
you absolutely must be started from systemd. No more running vsmagent (or sshd
for that matter) from a terminal.

This works for Fedora's SysV/LSB scripts as they redirect things via systemctl,
but breaks for any third party stuff.

The suggested "fix" is to source /etc/init.d/functions at the top of the init
scripts. Just sourcing it is sufficient, but it's still hardly LSB compliant.
So I'm hoping upstream can come up with a better suggestion.
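
Added example, not part of this thread or of ThinLinc's scripts: a POSIX sh pre-flight check that an init script could run to detect the situation comment #2 describes, where a daemon started from a terminal inherits that login's loginuid. It assumes the EPERM above comes from an immutable loginuid (once set it cannot be rewritten) and that 4294967295 in /proc/<pid>/loginuid means "not set"; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check for a daemon that opens PAM sessions.
# Assumption: the kernel refuses to rewrite an already-set loginuid, and
# 4294967295 ((uid_t)-1) in /proc/<pid>/loginuid means "not set yet".

UNSET_LOGINUID=4294967295

# loginuid_state [FILE] -> prints "unset", "set:<uid>" or "unavailable"
loginuid_state() {
    file=${1:-/proc/self/loginuid}
    if [ ! -r "$file" ]; then
        echo unavailable            # e.g. kernel built without audit support
        return 0
    fi
    uid=$(cat "$file")
    case $uid in
        "$UNSET_LOGINUID") echo unset ;;
        ''|*[!0-9]*)       echo unavailable ;;   # empty or not a number
        *)                 echo "set:$uid" ;;
    esac
}

# systemd_is_init [DIR] -> exit status 0 when the system was booted with
# systemd (same test as sd_booted(3): /run/systemd/system is a directory).
systemd_is_init() {
    [ -d "${1:-/run/systemd/system}" ]
}

# start_advice LOGINUID_FILE SYSTEMD_DIR -> prints one of:
#   direct     loginuid is not set; pam_loginuid can set it per session
#   systemctl  loginuid is inherited; start the service through systemd
#   inherited  loginuid is inherited and there is no systemd to hand off to
start_advice() {
    state=$(loginuid_state "$1")
    case $state in
        set:*)
            if systemd_is_init "$2"; then
                echo systemctl
            else
                echo inherited
            fi ;;
        *)  echo direct ;;
    esac
}
```

Called as `start_advice /proc/self/loginuid /run/systemd/system` from a root shell opened through a normal login, it prints `systemctl` on a systemd host, which is the case where the write shown in the strace fails.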
------- Comment #3 From cendio 2013-05-03 17:33:14 -------
We could also start shipping a systemd definition, as I believe that trumps any
init script found.
------- Comment #4 From cendio 2013-05-06 09:06:01 -------
(In reply to comment #3)
> We could also start shipping a systemd definition, as I believe that trumps any
> init script found.

https://www.cendio.com/bugzilla/show_bug.cgi?id=4290
------- Comment #5 From cendio 2013-05-14 16:13:52 -------
r27378 adds our own implementation of redirecting things via systemd.
------- Comment #6 From cendio 2013-05-15 13:24:26 -------
Problem starting services on Ubuntu 13.04:

/etc/init.d/vsmagent: 15: /opt/thinlinc/libexec/functions: Syntax error:
redirection unexpected
------- Comment #7 From cendio 2013-05-15 14:19:08 -------
(In reply to comment #6)
> Problem starting services on Ubuntu 13.04:
> 
> /etc/init.d/vsmagent: 15: /opt/thinlinc/libexec/functions: Syntax error:
> redirection unexpected

r27387.
------- Comment #8 From cendio 2013-05-16 11:06:01 -------
Tested also on Fedora 19; starting a GNOME Shell session works fine. Closing.