[Mageia-dev] systemd + ACL: Why it is broken.

Colin Guthrie mageia at colin.guthr.ie
Sat Aug 27 16:40:43 CEST 2011

[As stated on another thread: just reposting here for future contextual

OK, executive decision for now:

I've just added the line:

-session    optional      pam_systemd.so

to /etc/pam.d/system-auth in the pam package.

This change is quite safe:
 1. The leading - on the line means that if pam_systemd.so does not
exist, it will be ignored.
 2. pamd_systemd.so itself is clever and if systemd is not running, it
is a noop.

So for all scenarios, this change is safe.

If we want to do more with e.g. authconfig later, this can be done, but
it's not strictly speaking needed for now.


'Twas brillig, and Colin Guthrie at 25/08/11 15:26 did gyre and gimble:
> Ping!
> Any thoughts on the below email?
> Seeing as udev 173 has landed which removes supoprt for udev-acl, we
> need to either back out 173 (or rebuild with udev-acl support) or we
> need to use systemd with the below changes officially blessed!
> Col
> 'Twas brillig, and Colin Guthrie at 04/08/11 18:43 did gyre and gimble:
>> Hi,
>> OK, so the reason that device ACLs are kinda broken with systemd is
>> because the acl stuff is being done twice, once via udev and again via
>> systemd.... but sadly systemd gets it wrong as it's not aware of the
>> user session, see:
>> systemd-loginctl --no-pager
>> This is due to the fact that some essential additions to
>> /etc/pam.d/system-auth are not done when systemd is installed.
>> I added the following line to the end of my system-auth (the "login"
>> file where console kit connector lies didn't work):
>> -session    optional      pam_systemd.so
>> The question is, how should we handle this? Edit the pam package and add
>> it or do something more complex? AFAIK Fedora uses a system to manage
>> these files called authconfig.... not sure if we could/should adopt
>> that. I don't know much about it.
>> On a related note, we'll also need to rebuild udev without udev-acl
>> support, as this is now
>> handled by systemd. At present, with the above fix to pam, I will be
>> getting my ACLs written twice, which (when systemd knows I'm logged in)
>> is fine. I think it's actually the default in udev 173, but
>> we can do that manually with 172 via:
>>   --disable-udev_acl
>> in udev.
>> That said, this would commit us to systemd so we need to tread carefully
>> here as without systemd, then the ACLs would not get written with
>> obvious consequences (basically the exact opposite of now!).
>> Anyway, for now I have my ACLs back and can use my audio devices! Yay!
>> Col


Colin Guthrie

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mageia Contributor [http://www.mageia.org/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]

More information about the Mageia-dev mailing list