You are not logged in.
When upgrading to polkit (0.105-1 -> 0.107-4) Many problems with PaX MPROTECT
With package 0.105-1 there are no problems with full PaX protections on everything.
freedesktop.org Bug
https://bugs.freedesktop.org/show_bug.cgi?id=56628
Last edited by hunterthomson (2012-11-01 04:27:38)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
Setting -cPEmRXS /usr/lib/polkit-1/polkitd # Dose NOT solve the problem, Only fixes the RWX line
I realize that "grsecurity and PaX" are not officially supported by Archlinux. However, polkit should not be doing things that PaX blocks anyway. The only valid reason for a program to do funky stuff with memory is like if your program is a virtualization program i.e. KVM or Java VM
I have downgraded to 0.105-1 and all is well.
NOTE: No problems when booting with normal -ARCH kernel
What problems will I face staying on the old polkit-0.105-1 ?
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.
dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
Last edited by hunterthomson (2012-11-01 03:40:47)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
You'll need to recompile polkit 0.105 with --enable-systemd, otherwise it'll break trying to use the now-removed ConsoleKit.
Last edited by ZekeSulastin (2012-11-01 04:31:36)
Offline
Awe...., maybe that is what the problem is i.e. systemd doing stuff that ConsoleKit use to do.
Like when I upgrade to polkit-0.107-4 then set paxctl -cPEmRXS /usr/lib/polkit-1/polkitd
I don't have any more problems with polkit I guess. It seems that the problem is systemd not being able to connect to dbus. However, there are no errors that help me find what bin's need security holes poked into them.
D-Bus seems to start...
Oct 31 18:49:44 walnut systemd[1]: Starting D-Bus System Message Bus Socket.
Oct 31 18:49:44 walnut systemd[1]: Listening on D-Bus System Message Bus Socket.
Oct 31 18:49:44 walnut systemd[1]: Starting D-Bus System Message Bus...
Oct 31 18:49:44 walnut systemd[1]: Started D-Bus System Message Bus.
But then I get errors like this....
Oct 31 18:50:24 walnut dbus-daemon[399]: dbus[399]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
Oct 31 18:50:24 walnut dbus[399]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
Oct 31 18:50:24 walnut systemd-logind[401]: New session 1 of user bob.
Oct 31 18:50:24 walnut login[575]: LOGIN ON tty1 BY bob
Oct 31 18:50:24 walnut dbus-daemon[399]: dbus[399]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
Oct 31 18:50:24 walnut dbus[399]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
Oct 31 18:50:24 walnut console-kit-daemon[1523]: console-kit-daemon[1523]: WARNING: polkit_authority_get: Error getting authority: Error
Oct 31 18:50:24 walnut console-kit-daemon[1523]: WARNING: polkit_authority_get: Error getting authority: Error initializing authority: E
Oct 31 18:50:24 walnut systemd[1]: Started Console Manager.
Last edited by hunterthomson (2012-11-01 05:25:02)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
I see I still have consolekit-0.4.6-4 installed and that is why polkit-0.105-1 still works.
if support for this is now removed from Archlinux this package should have been removed when I upgraded ya?
So, what do I need to fix then to make D-Bus work with systemd again?
/usr/lib/systemd/systemd-logind ?
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
Awe, okay the dbus errors were "becuase" I still had consolekit installed... however now that it is removed "startx" nolonger works. I get no EE or WW in the log... I'll start a Newbie thread for that problem though.
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
The fun thing is:
polkit needs MPROTECT and RANDMMAP off because it's using SpiderMonkey as JavaScript engine. Why does polkit need a JavaScript engine, one might ask. For configuration. Of course...
See for example my adjuvant polkit configuration for libvirt. It prevents usage in even seconds.
polkit.addRule(function(action, subject) {
if (action.id == 'org.libvirt.unix.manage' && subject.isInGroup('wheel') && ((new Date()).getSeconds() % 2)) {
return polkit.Result.YES;
}
});
Offline