Bug 51237

Summary: pkexec fails with ERROR:pkexec.c:138:pam_conversation_function: code should not be reached
Product: PolicyKit Reporter: Travis Glenn Hansen <travisghansen>
Component: daemonAssignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED MOVED QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal    
Priority: medium CC: freedesktop-bugs
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: pam_conv hack
system-login
system-auth

Description Travis Glenn Hansen 2012-06-19 08:29:11 UTC 
Created attachment 63230 [details] [review]
pam_conv hack

Enabling pam support on my machine results in this issue every time I successfully authenticate.  I'm currently using sys-auth/polkit-0.106-r2 from gentoo.

In my testing (which was by no means thorough) the pam_conv function was only being called upon *successful* authentication so I simply applied the attached patch to bypass the issue.

https://bugs.launchpad.net/ubuntu/+source/policykit/+bug/875402
http://linux.die.net/man/3/pam_conv
Comment 1 David Zeuthen (not reading bugmail) 2012-06-19 14:17:57 UTC 
Looks like a problem with your PAM configuration - or my interpretation of how it works (in particular that pam_open_session() should not start a conversation).

What does your /etc/pam.d/polkit-1 file (and the files it point to) look like?
Comment 2 David Zeuthen (not reading bugmail) 2012-06-19 14:22:56 UTC 
Comment on attachment 63230 [details] [review]
pam_conv hack

Review of attachment 63230 [details] [review]:
-----------------------------------------------------------------

::: src/programs/pkexec.c.orig
@@ +141,1 @@
>  }

I don't think it's right to return PAM_SUCCESS (we'd have to set resp to something) - does it work if you just return PAM_CONV_ERR ?

It would also be helpful to try and print the arguments passed to the conversation function to get an idea of what it's trying to do...
Comment 3 Travis Glenn Hansen 2012-06-19 16:17:08 UTC 
Created attachment 63240 [details]
system-login
Comment 4 Travis Glenn Hansen 2012-06-19 16:17:31 UTC 
Created attachment 63241 [details]
system-auth
Comment 5 Travis Glenn Hansen 2012-06-19 16:23:00 UTC 
(In reply to comment #2)
> I don't think it's right to return PAM_SUCCESS (we'd have to set resp to
> something) - does it work if you just return PAM_CONV_ERR ?

Seems to work as well.

> 
> It would also be helpful to try and print the arguments passed to the
> conversation function to get an idea of what it's trying to do...

I'm pretty bad with C.  Can you perhaps attach a patch with whatever you'd like to see printed out for me?
Comment 6 Samuli Suominen 2012-06-19 19:20:59 UTC 
Travis, /etc/pam.d/polkit-1 should look like:

#%PAM-1.0

auth       include      system-local-login
account    include      system-local-login
password   include      system-local-login
session    include      system-local-login

Since we pass:

./configure --with-pam-include=system-local-login

And system-local-login looks like:

auth		include		system-login
account		include		system-login
password	include		system-login
session		include		system-login

And system-login looks like what you pasted here but I don't see you attaching system-local-login here at all... Does that mean your /etc/pam.d/polkit-1 is referring system-login instead of system-local-login?

In Gentoo we really need to use system-local-login to use proper modules from the sys-auth/pambase "Gentoo specific" package.
Comment 7 Travis Glenn Hansen 2012-06-19 19:28:03 UTC 
(In reply to comment #6)
> Travis, /etc/pam.d/polkit-1 should look like:
> 
> #%PAM-1.0
> 
> auth       include      system-local-login
> account    include      system-local-login
> password   include      system-local-login
> session    include      system-local-login
> 
> Since we pass:
> 
> ./configure --with-pam-include=system-local-login
> 
> And system-local-login looks like:
> 
> auth        include        system-login
> account        include        system-login
> password    include        system-login
> session        include        system-login
> 
> And system-login looks like what you pasted here but I don't see you attaching
> system-local-login here at all... Does that mean your /etc/pam.d/polkit-1 is
> referring system-login instead of system-local-login?
> 
> In Gentoo we really need to use system-local-login to use proper modules from
> the sys-auth/pambase "Gentoo specific" package.

Yes I have those.  I simply left out the stuff that was only including other files.  Hope it didn't cause too much confusion.
Comment 8 Samuli Suominen 2012-06-19 19:33:48 UTC 
(In reply to comment #7)
> Yes I have those.  I simply left out the stuff that was only including other
> files.  Hope it didn't cause too much confusion.

I ran 'diff -u' between my system-{auth,login} and your and the only difference is that I have pam_gnome_keyring.so in system-login like:

auth		optional	pam_gnome_keyring.so

[ ... snip ... ]

session		optional	pam_gnome_keyring.so auto_start

Otherwise our pam.d files are identical. It's working fine here so I don't understand :-/
Comment 9 GitLab Migration User 2018-08-20 21:36:19 UTC 
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/polkit/polkit/issues/35.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.