[systemd-devel] systemd v4[01] and graphical login managers

Lennart Poettering lennart at poettering.net
Fri Feb 10 15:59:47 PST 2012


On Fri, 10.02.12 22:34, Christian Hesse (list at eworm.de) wrote:

> > > > Well, strace the PAM client which invokes the PAM session hooks and
> > > > figure out where exactly the fifo is closed and by what piece of
> > > > code. The FIFO fd is received via a dbus reply (which you'll see as a
> > > > recvmsg() with an SCM_RIGHTS param, followed by an fcntl(F_DUPFD)), and
> > > > you'd need to trace where it gets closed in the parent process.
> > > 
> > > Here is my trace:
> > > http://www.eworm.de/tmp/lightdm.log
> > > 
> > > I think this is the code closing the fd:
> > > http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/view/head:/src/pam-session.c#L393
> > 
> > Well, but normally the PAM session should only be closed after the user
> > logged out again. Why is this invoked so early?
> 
> Looks like lightdm starts a root pam session for the greeter. That is closed
> before the user pam session is started...

It should be starting a PAM session for the greeter, but definitely not
for "root". That would mean their entire greeter runs as root? That's a
really bad idea.

The greeter should have its own PAM session so that systemd-logind knows
about it and can rearrange access control to devices such as soundcards
properly, so that screenreaders and event sounds work.

> Anyway... slim is not split into core and greeter. Does it act the same
> nevertheless? Will take a look at that, too.

Umpf. Their entire stuff runs as a single process? So if their UI
toolkit is borked you just became root? That sounds really bad. 

Can't really believe Ubuntu ships with such a setup by default.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
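
The tracing procedure quoted at the top of this message, as an added example (not part of the original thread and not lightdm or systemd code): a Python helper that scans `strace -f` output for a descriptor received via SCM_RIGHTS, follows its F_DUPFD copies, and reports each close() of a copy. The trace lines are constructed and the name `find_fifo_closes` is hypothetical; it assumes one complete syscall per line, no `-y` fd decoration, and it does not follow descriptors inherited across fork.

```python
import re

# Constructed strace -f excerpt (not taken from the lightdm.log linked above).
SAMPLE_TRACE = """\
1201 sendmsg(12, {msg_name(0)=NULL, msg_iov(1)=[{"l...", 196}], msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = 196
1201 recvmsg(12, {msg_name(0)=NULL, msg_iov(1)=[{"l...", 2048}], msg_controllen=24, {cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {15}}, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 240
1201 fcntl(15, F_DUPFD, 3) = 16
1201 close(15) = 0
1201 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 15
1201 close(15) = 0
1201 close(16) = 0
"""

# Optional "[pid N]" or bare pid prefix, then name(args) = return value.
CALL = re.compile(r"^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)")
# Older strace prints the passed fds as {15}, newer as cmsg_data=[15].
RIGHTS = re.compile(r"SCM_RIGHTS, (?:cmsg_data=)?[\[{]([\d, ]+)[\]}]")

def find_fifo_closes(trace):
    """Return (line, pid, fd, last_copy) for each close() of a passed fd or its dup."""
    tracked = {}   # pid -> live fds that refer to the descriptor received over the socket
    events = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = CALL.match(line)
        if not m:
            continue
        pid = m.group(1) or m.group(2) or "-"
        name, args, ret = m.group(3), m.group(4), int(m.group(5))
        fds = tracked.setdefault(pid, set())
        if name == "recvmsg" and ret >= 0:
            r = RIGHTS.search(args)
            if r:
                fds.update(int(x) for x in r.group(1).split(","))
        elif name == "fcntl" and "F_DUPFD" in args and ret >= 0:
            if int(args.split(",")[0]) in fds:
                fds.add(ret)          # the duplicate keeps the FIFO open too
        elif name == "close" and ret == 0 and args.strip().isdigit():
            fd = int(args)
            if fd in fds:             # an unrelated reuse of the fd number is ignored
                fds.discard(fd)
                events.append((lineno, pid, fd, not fds))
    return events

if __name__ == "__main__":
    for lineno, pid, fd, last in find_fifo_closes(SAMPLE_TRACE):
        print(f"line {lineno}: pid {pid} close({fd})" + ("  <- last copy closed" if last else ""))
```

The event flagged as the last copy is the line to look up in the full trace: the calls just before it show which code path closed the descriptor.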

