Bug 49160 - pkexec broken using systemd
Summary: pkexec broken using systemd
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: daemon (show other bugs)
Version: unspecified
Hardware: All All
: medium normal
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
Depends on:
Reported: 2012-04-25 15:33 UTC by Gert Michael Kulyk
Modified: 2012-04-26 02:40 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Polkit pam configuration (726 bytes, text/plain)
2012-04-26 00:28 UTC, Gert Michael Kulyk

Description Gert Michael Kulyk 2012-04-25 15:33:33 UTC
Currently I'm testing systemd enabled builds of several (mostly gnome) packages. Now my system is in a state, that nearly everything is using systemd. Now when trying to use pkexec, it silently fails. In /var/log/auth.log I find the following:

pkexec: pam_ck_connector(polkit-1:session): cannot determine display-device

Is pkexec compiled with --enable-systemd=yes still relying on information from ConsoleKit? (Please note: removing pam_ck_connector from pam files causes pkexec to fail silently.)
Comment 1 Gert Michael Kulyk 2012-04-25 15:35:56 UTC
I forgot to mention: this is polkit 0.105 and systemd 182.
Comment 2 David Zeuthen (not reading bugmail) 2012-04-25 19:24:56 UTC
Not sure how this can be a polkit bug; looks more like your polkit-1 PAM configuration is busted? Have you checked that pkexec is in fact setuid root? Anyway, this works fine on Fedora, never heard of any problems there and we switched to systemd a while ago....
Comment 3 Gert Michael Kulyk 2012-04-26 00:28:48 UTC
Created attachment 60597 [details]
Polkit pam configuration
Comment 4 Gert Michael Kulyk 2012-04-26 00:30:31 UTC
The binary is setuid root. Concerning the pam configuration (see attachment), it is including the common modules loaded on a debian system.
Comment 5 Gert Michael Kulyk 2012-04-26 02:40:47 UTC
After some fiddling around with different pam configurations, I've found a working one. Seems like pkexec does not like configs where pam_systemd and pam_ck_connector are both present and both are marked optional. On a debian system this means that instead of including pam config "common-session" you'll have to include "common-session-noninteractive" where pam_ck_connector is not getting loaded at all.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.