polkit does not start
Stephane Russell
srussell at prodigeinfo.qc.ca
Sun Jan 11 16:33:55 PST 2015
Hi again,

Well, you may be right. But from what I could see, the problem doesn't
seem to originate from polkit alone.

I'm not an expert on dbus, but from what I know, your logs indicate that
the EXTERNAL authentication mechanism is not supported
(http://dbus.freedesktop.org/doc/dbus-specification.html#auth-command-auth).
You'll see the reason below. Otherwise, you would have another kind of
response.

As for hald and consolekit: maybe hald is not using the same auth
mechanism as polkit. ConsoleKit is probably working fine for users, but
the system service is probably not, since it's dependent on polkit. From
what I can see, it's failing as well.

I compiled glib, dbus, polkit and ConsoleKit with debug symbols on, by
using copies generated by dports and activating it. When testing, I'm
also using dbus with logs activated. I compiled it with an extra debug
flag and can then start it "manually" by adding an environment parameter
(DBUS_VERBOSE=1) as indicated in the man page of dbus-daemon.

I made some traces and found that polkitd can't reserve its service
name. I made a pseudo service named com.mycompany.Test1 and tried to
reserve a name with the test tool provided with gio (in glib),
gdbus-example-own-name:

/usr/local/etc/dbus-1/system.d/com.mycompany.Test1.conf:

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- This configuration file specifies the required security policies
       for the ColorManager to work. -->

  <!-- Only user root or user colord can own the colord service -->
  <policy user="root">
    <allow own="com.mycompany.Test1"/>
  </policy>
  <policy user="myuser">
    <allow own="com.company.Test1"/>
  </policy>

  <!-- Allow anyone to call into the service - we'll reject callers using
       PolicyKit -->
  <policy context="default">
    <allow send_destination="com.company.Test1"/>
    <allow receive_sender="com.company.Test1"/>
  </policy>

</busconfig>

I then modified and ran the test tool as "myuser" and as root as
well:

gdbus-example-own-name -r -a -n com.mycompany.Test1
Lost the name com.company.Test1 on the session bus

I got the same results in both cases. I concluded that the failure was
coming from there, but I can't figure out why.

I noted in the logs you provided that the lengths of the exchanged data
are twice as long in DragonFly as in FreeBSD. Are you using a 32-bit
machine for FreeBSD and a 64-bit one for DragonFly? I wonder if it could
be related. Maybe the glib, dbus or polkit port for 64-bit is broken. Or
maybe SASL itself, but I think it's less likely.

Cheers,

SR

karu.pruun wrote:
> That's interesting---I wonder if you could tell me what research you
> did on dbus and polkit. I would be interested in trying to make it
> work. Here's what I've found so far.
>
> I figured out that consolekit and hald are fine, it's polkit that
> messes up. Dbus cannot spawn it, and the problem is not dbus, it's
> polkit. Since I know almost nothing about dbus and friends my approach
> has been to compare with FreeBSD, where it's working fine, and try to
> isolate the piece of code where polkit on DragonFly deviates from the
> behavior seen on FreeBSD. I ran ktrace on polkit and the deviation
> from FreeBSD happens on the second attempt (type: AUTH EXTERNAL) of
> authentication:
>
> ---FreeBSD (successful)---
> 1579 polkitd CALL sendto(0x5,0x803076280,0x12,0x20000<MSG_NOSIGNAL>,0,0)
> 1579 polkitd GIO fd 5 wrote 18 bytes
> "AUTH EXTERNAL 30\r
> "
> 1579 polkitd RET sendto 18/0x12
> . . .
>
> 1579 polkitd CALL recvfrom(0x5,0x80310f000,0x1000,0,0,0)
> 1579 polkitd GIO fd 5 read 37 bytes
> "OK 42dd72d3f9cfe49615fb1f2154aabce1\r
> "
> 1579 polkitd RET recvfrom 37/0x25
> --- ---
>
> vs
>
> ---DragonFly---
> 16116:1 0 polkitd 0.000006 CALL
> sendto(0x5,0x800740280,0x24,MSG_NOSIGNAL,0,0)
> 16116:1 0 polkitd 0.000010 GIO fd 5 wrote 36 bytes
> "AUTH EXTERNAL 34323934393637323935\r
> "
> 16116:1 0 polkitd 0.000006 RET sendto 36/0x24
> . . .
>
> 16116:1 0 polkitd 0.000520 CALL recvfrom(0x5,0x800735000,0x1000,0,0,0)
> 16116:1 0 polkitd 0.000013 GIO fd 5 read 46 bytes
> "REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS\r
> "
> 16116:1 0 polkitd 0.000005 RET recvfrom 46/0x2e
> --- ---
>
> The challenge is to find out why DragonFly computes
> '34323934393637323935' for the argument of AUTH EXTERNAL while FreeBSD
> does '30'. However, I haven't been able to identify the piece of code
> in polkit (and glib-2.0) where that particular call above to sendto()
> occurs.
>
> I compiled polkit and glib with gdb symbols but it seems I might need
> more symbols in perhaps other libraries? In any case, so far the call
> to sendto() seems to occur in a piece of code that I can't step in.
> I'll keep looking.
>
> Cheers
>
> Peeter
>
> --
>
>
> On Thu, Jan 8, 2015 at 7:45 PM, <srussell at prodigeinfo.qc.ca> wrote:
>> I had the same problem and had to give up. Dbus logs are saying that no
>> valid external protocols were found.
>>
>> REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS
>>
>> 498557: [dbus-auth.c(1704):handle_auth] server: Trying mechanism EXTERNAL
>> 498557: [dbus-auth.c(1624):process_data] server: data: '4294967295'
>> 498557: [dbus-auth.c(1026):handle_server_data_external_mech] server: no
>> credentials, mechanism EXTERNAL can't authenticate
>> 498557: [dbus-auth.c(430):shutdown_mech] server: Shutting down mechanism
>> EXTERNAL
>>
>> It happens only for the system dbus. I made some research and it occurs when
>> dbus is trying to reserve the name of a service. Gio returns:
>>
>> Lost the name [...] on session bus.
>>
>> I verified the pam configuration and it looked ok.
>>
>> Overall:
>> -upowerd crashes
>> -ConsoleKit can't make a session active
>> -X login is freezing a minute or two
>> -The session menu of xfce is freezing also for some time
>> -any logoff from xfce is freezing temporarily and leaves some applications
>> opened.
>>
>> I spent a lot of time trying to figure out the problem, but I had to give
>> up. My workaround was to disable the global dbus service. Dbus is still
>> available for applications, but I think that dports is disabling it for
>> applications as well, when possible.
>>
>> SR
>>
>>
>> On 2015-01-08 10:50, karu.pruun wrote:
>>
>>
>> Hello
>>
>> I seem to have troubles getting polkit working. I have in /etc/rc.conf
>>
>> ---/etc/rc.conf---
>> hald_enable="YES"
>> dbus_enable="YES"
>> --- ---
>>
>> and this combination results in dbus, hald and consolekit services
>> running, but polkitd fails
>>
>> ---/var/log/messages---
>> Jan 8 17:42:55 dfly dbus[984]: [system] Activating service
>> name='org.freedesktop.ConsoleKit' (using servicehelper)
>> Jan 8 17:42:55 dfly console-kit-daemon[1010]: WARNING:
>> polkit_authority_get: Error getting authority: Error initializing
>> authority: Exhausted all available authentication mechanisms (tried:
>> EXTERNAL, DBUS_COOKIE_SHA1, ANONYMOUS) (available: EXTERNAL,
>> DBUS_COOKIE_SHA1, ANONYMOUS)
>> --- ---
>>
>> I ran a quick test on a FreeBSD virtual machine, the above two lines
>> in rc.conf start dbus, hald, consolekit and polkitd and all seems
>> fine. I wonder if I've missed anything on DragonFly?
>>
>> Cheers
>>
>> Peeter
>>
>> --
>>
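
Added example, not part of the thread and not code from dbus, glib or polkit: a small decoder for the client "AUTH EXTERNAL" lines captured in the ktrace excerpts above. In the D-Bus EXTERNAL mechanism the argument is the hex encoding of the ASCII decimal uid, so decoding it shows which uid each client claimed and accounts for the 18-byte versus 36-byte sendto() lengths; the function and constant names are hypothetical.

```python
import re

# 0xFFFFFFFF is (uid_t)-1 for a 32-bit uid_t, i.e. "no uid".
UID_UNSET = 0xFFFFFFFF

# Client lines copied from the two ktrace excerpts in the thread.
FREEBSD_LINE = "AUTH EXTERNAL 30\r\n"
DRAGONFLY_LINE = "AUTH EXTERNAL 34323934393637323935\r\n"

_AUTH_RE = re.compile(r"AUTH EXTERNAL(?: ([0-9A-Fa-f]+))?")


def decode_auth_external(line):
    """Decode one client 'AUTH EXTERNAL [hex]' line of the D-Bus handshake."""
    body = line.rstrip("\r\n")
    m = _AUTH_RE.fullmatch(body)
    if m is None:
        raise ValueError("not an AUTH EXTERNAL line: %r" % line)
    hex_arg = m.group(1) or ""
    if len(hex_arg) % 2:
        raise ValueError("odd number of hex digits: %r" % hex_arg)
    # The hex digits spell out the identity as ASCII text, e.g. "30" -> "0".
    identity = bytes.fromhex(hex_arg).decode("ascii")
    uid = int(identity) if identity.isdigit() else None
    return {
        "identity": identity,           # decoded ASCII identity string
        "uid": uid,                     # numeric uid, or None if not decimal
        "wire_bytes": len(body) + 2,    # line length including "\r\n"
        "uid_unset": uid == UID_UNSET,  # True when the client sent (uid_t)-1
    }


if __name__ == "__main__":
    for name, line in (("FreeBSD", FREEBSD_LINE), ("DragonFly", DRAGONFLY_LINE)):
        r = decode_auth_external(line)
        note = "  <- (uid_t)-1, no usable uid" if r["uid_unset"] else ""
        print("%-9s uid=%s wire_bytes=%d%s"
              % (name, r["identity"], r["wire_bytes"], note))
```

The DragonFly value decodes to the same string, 4294967295, that the dbus-auth.c log line quoted in the thread shows the server receiving before it reports "no credentials".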