dbus: Removing pam_console, pam_foreground, /var/run/console support?

Thu Jun 29 16:28:56 UTC 2017

During some tangentially related work on dbus, the reference
implementation of D-Bus, I found that we have support for the following
protocol:

* To determine whether a peer is "at the console"
  (getty/login, xdm, gdm, etc., but not ssh or VNC):
    * Look up the peer's numeric user ID
    * Map that user ID to a username using the system passwd database
      (/etc/passwd, glibc NSS or similar)
    * Probe whether the file /var/run/console/${username} exists
      (the path /var/run/console is configurable and can be replaced)
    * If it does, the user is considered to be at the console

As far as I am aware, this is obsolete. The /var/run/console protocol was
implemented in the following places:

* pam_console, a Red-Hat-originated module which was once included in
  at least Fedora and Gentoo but has since been removed citing
  security concerns
* pam_foreground, an Ubuntu-originated module which was once included
  in at least Debian and Ubuntu but has since been removed from both
* Debian and Ubuntu patched versions of ConsoleKit with the patch or
  hook from <https://bugs.freedesktop.org/show_bug.cgi?id=14053> (but not
  upstream ConsoleKit, and apparently not ConsoleKit2 either)

Please reply to the dbus mailing list or comment on
https://bugs.freedesktop.org/show_bug.cgi?id=101629 if the removal
of this protocol would be a problem for you. In the absence of feedback
to the contrary, we intend to change the state of this protocol from
"enabled by default" to "must be explicitly enabled via configure options"
in the dbus 1.11.x series, and eventually delete the code altogether.

The /var/run/console protocol is used to implement "at_console"
policy rules in /etc/dbus-1/system.d, which are deprecated (but are
still used by a number of software packages, notably BlueZ, hplip,
oFono, wicd and wader). We recommend avoiding these rules. Instead,
services that are intended to be available to console users should
have D-Bus XML policy that accepts all method calls to the service,
and then perform sysadmin-configurable permission checks via
polkit. accountsservice, NetworkManager and PackageKit are typical
examples of freedesktop.org-hosted projects that do this correctly. This
allows the developer or system administrator to grant or deny access to
specific high-level actions defined by the service in question, rather
than working at the level of D-Bus messages.

After the /var/run/console protocol is removed, the following protocols
to get equivalent information for "at_console" policy rules will remain
available in dbus:

* If enabled, ask systemd-logind via its C API in libsystemd; a user with
  a session on any seat is considered to be at the console
* If compiled for Solaris, probe the file owner of /dev/console;
  its owner is considered to be at the console

Regards,
    S