Bug 101629 - Consider dropping support for /var/run/console (--with-console-auth-dir)
Summary: Consider dropping support for /var/run/console (--with-console-auth-dir)
Status: RESOLVED MOVED
Alias: None
Product: dbus
Classification: Unclassified
Component: core (show other bugs)
Version: git master
Hardware: Other All
: medium normal
Assignee: Simon McVittie
QA Contact: D-Bus Maintainers
URL:
Whiteboard:
Keywords:
Depends on: 101964
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-28 19:19 UTC by Simon McVittie
Modified: 2018-10-12 21:31 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Deprecate the pam_console/pam_foreground flag-file directory (5.82 KB, patch)
2017-09-25 15:41 UTC, Simon McVittie
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Simon McVittie 2017-06-28 19:19:21 UTC
dbus-daemon implements the deprecated at_console feature (see also Bug #39611) with several mechanisms. One of them is to stat the "tag file" /var/run/console/${username}, and if it exists, that is assumed to signify that ${username} is at the console. Those are the semantics that were implemented by pam_console and pam_foreground, both of which were later superseded by ConsoleKit, which was in turn superseded by systemd-logind (or occasionally ConsoleKit2) on Linux systems.

According to Bug #14053, some distributions patch ConsoleKit to create those tag files, but normally it does not. Judging by Bug #94591, ConsoleKit2 doesn't either.

For completeness, the other mechanisms we have for at_console are:

* for Linux with systemd or systemd-shim: check whether they are logged-in
  on any seat using systemd-logind APIs

* for Solaris: there is a file that will be owned by the active console user
  (assumed to be unique!)

I think we should consider removing the "tag files" handling.
Comment 1 Philip Withnall 2017-06-29 10:55:23 UTC
Do any distributions still use pam_console or pam_foreground, or allow users to configure their systems to use them?

What would be the benefits of dropping support for this (apart from the obvious ones of decreased maintenance burden)? Is this part of your push to eliminate /var/run in favour of /run? If so, does keeping the support for /var/run/console harm that goal if it’s only enabled on old systems which use those PAM modules?
Comment 2 Simon McVittie 2017-06-29 11:30:31 UTC
(In reply to Philip Withnall from comment #1)
> Do any distributions still use pam_console or pam_foreground, or allow users
> to configure their systems to use them?

I don't know. We could try asking the mailing list?

pam_console seems to have been removed in Fedora 8, and the transition page https://fedoraproject.org/wiki/Releases/FeatureRemovePAMConsole says it was always essentially Fedora-specific, other than Fedora derivatives and "a few minor distributions"; although that's somewhat contradicted by references to it being removed from Gentoo in 2007. (Perhaps the Fedora developers thought of Gentoo as a minor distribution?)

pam_foreground seems to have only been used in Ubuntu and Debian. In Debian, it was unmaintained since 2008 and finally removed in 2016.

> What would be the benefits of dropping support for this (apart from the
> obvious ones of decreased maintenance burden)?

Deleting dead code is the only benefit, really.

> Is this part of your push to
> eliminate /var/run in favour of /run? If so, does keeping the support for
> /var/run/console harm that goal if it’s only enabled on old systems which
> use those PAM modules?

It's always enabled on Unix systems (although the code is never reached if using systemd-logind), so step 1 would be to make it opt-in.
Comment 3 Philip Withnall 2017-06-29 12:57:21 UTC
(In reply to Simon McVittie from comment #2)
> (In reply to Philip Withnall from comment #1)
> > Do any distributions still use pam_console or pam_foreground, or allow users
> > to configure their systems to use them?
> 
> I don't know. We could try asking the mailing list?

Worth a quick e-mail, I suppose. Probably best phrased as a ‘we’re going to make this opt-in, then drop it afterwards; does anyone object?’ rather than as ‘who’s using pam_*?’.

> pam_console seems to have been removed in Fedora 8, and the transition page
> https://fedoraproject.org/wiki/Releases/FeatureRemovePAMConsole says it was
> always essentially Fedora-specific, other than Fedora derivatives and "a few
> minor distributions"; although that's somewhat contradicted by references to
> it being removed from Gentoo in 2007. (Perhaps the Fedora developers thought
> of Gentoo as a minor distribution?)
> 
> pam_foreground seems to have only been used in Ubuntu and Debian. In Debian,
> it was unmaintained since 2008 and finally removed in 2016.

That’s quite conclusive.

> > What would be the benefits of dropping support for this (apart from the
> > obvious ones of decreased maintenance burden)?
> 
> Deleting dead code is the only benefit, really.

\o/

> > Is this part of your push to
> > eliminate /var/run in favour of /run? If so, does keeping the support for
> > /var/run/console harm that goal if it’s only enabled on old systems which
> > use those PAM modules?
> 
> It's always enabled on Unix systems (although the code is never reached if
> using systemd-logind), so step 1 would be to make it opt-in.

Seems reasonable to make it opt-in for one minor release, then drop it in the following minor release.
Comment 4 Simon McVittie 2017-06-29 16:25:39 UTC
(In reply to Simon McVittie from comment #2)
> pam_foreground seems to have only been used in Ubuntu and Debian. In Debian,
> it was unmaintained since 2008 and finally removed in 2016.

Actually, it was removed in 2010, and replaced by a transitional package that pulled in its ConsoleKit equivalent. That transitional package is what was removed in 2016.
Comment 5 Simon McVittie 2017-09-25 15:41:11 UTC
Created attachment 134465 [details] [review]
Deprecate the pam_console/pam_foreground flag-file directory

This feature is now compile-time conditional, and off by default.

pam_console appears to have been in Fedora and Gentoo until 2007.
pam_foreground seems to be specific to Debian and Ubuntu, where it was
unmaintained since 2008 and removed in 2010. The replacement for both
was ConsoleKit, which has itself been superseded by systemd-logind and
ConsoleKit2.

---

NEWS entry included.
Comment 6 Philip Withnall 2017-09-25 16:15:30 UTC
Comment on attachment 134465 [details] [review]
Deprecate the pam_console/pam_foreground flag-file directory

Review of attachment 134465 [details] [review]:
-----------------------------------------------------------------

++
Comment 7 Simon McVittie 2017-09-25 23:37:55 UTC
Disabled by default in 1.11.18. We can release 1.12.x with it still possible to enable, then rip out the functionality in 1.13.x if nobody has spoken up in favour of it.
Comment 8 GitLab Migration User 2018-10-12 21:31:23 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/dbus/dbus/issues/181.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.