
Re: SV: MATE 1.8 has now fully arrived in Debian



On 25/06/14 15:43, Svante Signell wrote:
> Regarding mate desktop policykit-1 build-depends on libsystemd-login-dev
> only for linux-any. What functionality is missing for other
> architectures?

The interesting dependency chain is:

policykit-1 Depends libpam-systemd [linux-any] (degraded functionality
                                                on !linux)
libpam-systemd Depends systemd (i.e. systemd binaries are installed)
libpam-systemd Depends systemd-sysv (i.e. systemd is pid 1)
                    or systemd-shim (i.e. systemd-logind runs, but
                                          systemd is probably not pid 1)

Runtime dependencies on systemd support libraries like libsystemd-login0
are harmless for people who don't want to run the systemd-logind daemon,
the same way a dependency on libselinux0 has no effect on people who
don't boot Linux with SELinux enabled.

At a guess, the desired capability here is the ability to have policies
of the form "users may $verb, but only if they are logged-in locally,
not from a remote login or a cron job". $verb might be something like
"suspend the computer", "reconfigure networking" or "use the
microphone/webcam to record the local user of the computer", for
instance; it's fine for a sysadmin to be able to set up users who can do
those things remotely, but the sensible default for all of them is "only
if you're logged-in locally".

In Debian 7, PolicyKit could answer the question "is Svante logged-in
locally?" by asking ConsoleKit. ConsoleKit is no longer maintained
upstream, so in the current version of PolicyKit, the only
implementation of an answer to that question is asking systemd-logind,
which CK's upstream maintainers consider to have superseded CK. In the
absence of systemd (or an actively-maintained ConsoleKit code path), the
best available answer to "is Svante logged-in locally?" is "I have no
idea, assume 'no'".

#751028 (policykit-1's dependency on libpam-systemd, which is the
component that tells systemd-logind that you are logged in locally, and
depends on systemd-logind itself) is marked wontfix. I would guess that
this is because the maintainers of policykit-1 are not willing to deal
with the support burden of users opening bugs of the form "PolicyKit
won't let me $verb" which turn out, after investigation, to be because
they do not have libpam-systemd installed.

In practice, many (most?) of the actions controlled by PK have a default
policy of "only if you're logged-in locally", so the lack of logind is a
significant functionality loss: you'd need to give the root password or
add additional local group-based PK policies to be able to do a lot of
"reasonable desktop things" like suspending, configuring networking,
using audio.

Upstream developers in various projects increasingly oppose group-based
access, because membership of many "desktop stuff" groups essentially
means "can ssh in and do bad things to a local user". For instance,
putting desktop users in group 'audio' or 'video' is no longer a
requirement for access to sound cards on systems with systemd-logind (it
hands out access using temporary ACLs instead) - which is just as well,
because putting those users in a group with permanent rw access to the
sound device or webcam would essentially mean they can ssh in while
someone else is using a computer, and spy on what is said near it.

> What about libselinux for policykit-1, this dependency is
> also linux-any.

The ability to have policies of the form "users may $verb if they do so
from a process in the foo_t SELinux context", presumably.

    S
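
The "only if you're logged-in locally" defaults discussed in the message above, as an added example that is not part of the original message or of PolicyKit's own code: a simplified Python model of how a polkit action's `allow_any` / `allow_inactive` / `allow_active` defaults are selected. The action id and the sample policy are constructed, and the function names and the shape of the `session` argument are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy format; the action id is made up.
POLICY_XML = """<policyconfig>
  <action id="org.example.power.suspend">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

KEYS = ("allow_any", "allow_inactive", "allow_active")


def load_defaults(xml_text):
    """Map action id -> its three implicit authorizations."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        # A missing element is treated as "no" in this model.
        actions[action.get("id")] = {
            key: "no" if defaults is None else defaults.findtext(key, "no").strip()
            for key in KEYS
        }
    return actions


def implicit_authorization(defaults, session):
    """Pick the default that applies to a subject.

    session is None when no session tracker (logind) can vouch for the
    subject; otherwise a dict with boolean 'local' and 'active' keys.
    """
    if session is None or not session["local"]:
        return defaults["allow_any"]       # unknown or remote: catch-all bucket
    if session["active"]:
        return defaults["allow_active"]    # local and in the foreground
    return defaults["allow_inactive"]      # local but switched away


if __name__ == "__main__":
    suspend = load_defaults(POLICY_XML)["org.example.power.suspend"]
    cases = {
        "local active session": {"local": True, "active": True},
        "ssh session": {"local": False, "active": True},
        "no logind (session unknown)": None,
    }
    for name, session in cases.items():
        print(f"{name:28} -> {implicit_authorization(suspend, session)}")
```

With no session information the subject lands in the same bucket as a remote login, which is why the sample action asks for admin authentication instead of returning `yes`.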

