For a few days now (couple of weeks?) I can't seem to reboot/poweroff my machine anymore as a regular user. Choosing shutdown from the KDE menu only logs me out and takes me back to the sddm login screen. I can still poweroff/reboot from the login screen or by using sudo, so it's probably related to dbus/polkit/logind.
Running "poweroff" from konsole results in this:
% poweroff
Failed to set wall message, ignoring: Interactive authentication required.
Failed to power off system via logind: Interactive authentication required.
Failed to talk to init daemon.
Using "systemctl poweroff":
% systemctl poweroff
Failed to set wall message, ignoring: Interactive authentication required.
Failed to power off system via logind: Interactive authentication required.
Failed to start poweroff.target: Interactive authentication required.
See system logs and 'systemctl status poweroff.target' for details.
The following then pops up in journalctl:
6月 21 12:08:35 oeut1341-pc polkitd[2102]: Registered Authentication Agent for unix-process:8621:46074 (system bus name :1.1873 [<unknown>], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.utf8)
6月 21 12:08:35 oeut1341-pc polkitd[2102]: Unregistered Authentication Agent for unix-process:8621:46074 (system bus name :1.1873, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ja_JP.utf8) (disconnected from bus)
After some googling around I suspect the following should return 'string "yes"' instead of 'string "challenge"':
% dbus-send --print-reply --system --dest=org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager.CanReboot
method return time=1498039814.868591 sender=:1.1 -> destination=:1.2276 serial=117 reply_serial=2
string "challenge"
But I haven't made any changes to polkit...? Maybe someone better acquainted with logind/dbus/etc. could point me in the right direction.
Last edited by oeut1341 (2017-06-21 10:18:58)
Offline
How do you log in, how do you start X? Outputs/contents of your .xinitrc if present, and of
printenv DBUS_SESSION_BUS_ADDRESS
loginctl show-session $XDG_SESSION_ID
Have you seen and gone through the suggestions in one of the many other threads popping up with this or similar issues, e.g. https://bbs.archlinux.org/viewtopic.php?id=227275 ?
Offline
Local session, login with sddm. X started by sddm too. No .xinitrc or startx or anything.
% printenv DBUS_SESSION_BUS_ADDRESS
unix:path=/run/user/1000/bus
% loginctl show-session $XDG_SESSION_ID
Id=c2
User=1000
Name=oeut1341
Timestamp=Wed 2017-06-21 12:01:18 GMT
TimestampMonotonic=23325829
VTNr=1
Seat=seat0
Display=:0
Remote=no
Service=sddm
Desktop=KDE
Scope=session-c2.scope
Leader=2236
Audit=0
Type=x11
Class=user
Active=yes
State=active
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0
LockedHint=no
Thanks for mentioning that thread. I'll take a look at it in the evening.
Offline
Nope. https://bugs.archlinux.org/task/54396 is not it: the only service I had in ~/.config/systemd/user which could conflict with gpg-agent was ssh-agent, but disabling it did not do anything...
Last edited by oeut1341 (2017-06-22 09:54:51)
Offline
pacman -Qkk systemd
If in doubt, paste your version of /usr/share/polkit-1/actions/org.freedesktop.login1.policy and check for overrides in /etc/polkit-1 (you'll need root permissions to inspect rules.d)
Offline
When the shutdown or reboot fails and requires interactive authentication, what is the output of "who"?
Offline
% pacman -Qkk systemd
backup file: systemd: /etc/systemd/logind.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/logind.conf (Size mismatch)
systemd: 1368 total files, 0 altered files
In logind.conf only the following is uncommented:
% cat logind.conf | egrep -v '^#'
[Login]
IdleAction=lock
IdleActionSec=5min
Pastebin: /usr/share/polkit-1/actions/org.freedesktop.login1.policy
% sudo ls -a /etc/polkit-1/rules.d/
. .. 50-default.rules
% sudo cat /etc/polkit-1/rules.d/50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.
polkit.addAdminRule(function(action, subject) {
return ["unix-group:wheel"];
});
I suspected some program inhibiting shutdown or similar, but no:
% systemd-inhibit --list
0 inhibitors listed.
----
X session:
% who
oeut1341 pts/0 2017-06-23 20:14 (:0)
oeut1341 pts/1 2017-06-23 20:14 (:0)
TTY:
% who
oeut1341 tty2 2017-06-23 20:13
In both cases the same "Interactive authentication required" etc. error. So not related to X it seems...
Last edited by oeut1341 (2017-06-23 18:32:45)
Offline
Let's see whether we can get more data on the failure ...
pkaction --verbose --action-id org.freedesktop.login1.power-off
Offline
% pkaction --verbose --action-id org.freedesktop.login1.power-off
org.freedesktop.login1.power-off:
description: Power off the system
message: Authentication is required for powering off the system.
vendor: The systemd Project
vendor_url: http://www.freedesktop.org/wiki/Software/systemd
icon:
implicit any: auth_admin_keep
implicit inactive: auth_admin_keep
implicit active: yes
annotation: org.freedesktop.policykit.imply -> org.freedesktop.login1.set-wall-message
Offline
Let's try something else, what if you set org.freedesktop.login1.set-wall-message to "yes" for all three categories in /usr/share/polkit-1/actions/org.freedesktop.login1.policy ?
iirc polkitd reloads the config on SIGHUP.
Offline
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
Works (yay!):
% dbus-send --print-reply --system --dest=org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager.CanReboot
method return time=1498470230.453532 sender=:1.0 -> destination=:1.8369 serial=103 reply_serial=2
string "yes"
Now to find the culprit...
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
This doesn't work:
% dbus-send --print-reply --system --dest=org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager.CanReboot
method return time=1498470197.469885 sender=:1.0 -> destination=:1.8236 serial=99 reply_serial=2
string "challenge"
From polkit man:
allow_any
    Implicit authorizations that apply to any client. Optional.
allow_inactive
    Implicit authorizations that apply to clients in inactive sessions on local consoles. Optional.
allow_active
    Implicit authorizations that apply to clients in active sessions on local consoles. Optional.
So is somehow my session being seen as a remote one? But loginctl says Remote=no
Last edited by oeut1341 (2017-06-26 09:48:20)
Offline
1. org.freedesktop.login1.power-off still needs authentication for remote and inactive users
2. org.freedesktop.login1.set-wall-message is auth_admin_keep for anyone anyway, i.e. needs previous privileges anyway
Wild guess:
stat `which wall`
Offline
% stat $(which wall)
File: /usr/bin/wall
Size: 27368 Blocks: 56 IO Block: 4096 regular file
Device: 802h/2050d Inode: 1191691 Links: 1
Access: (2755/-rwxr-sr-x) Uid: ( 0/ root) Gid: ( 5/ tty)
Access: 2017-04-01 12:51:35.000000000 +0200
Modify: 2017-03-26 23:54:41.000000000 +0200
Change: 2017-04-01 12:51:35.490841789 +0200
Birth: -
Offline
Nope, suid'd for UID0 :-(
org.freedesktop.login1.power-off seems to call org.freedesktop.login1.set-wall-message in the context of the unprivileged user, but I've no idea why that's the case :-(
Offline
Update: I added a couple of "debug" rules to /etc/polkit-1/rules.d/, i.e., polkit.log(...), and then caught these messages in the logs:
oeut1341-pc polkitd[15890]: /etc/polkit-1/rules.d/20-debug.rules:6: subject: [Subject pid=2759 user='oeut1341' groups=oeut1341,adm,disk,wheel,video,audio,scanner seat='' session='' local=false active=false]
So it seems polkit thinks my session is neither local nor active... while loginctl says otherwise (see post #3).
Offline
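The behaviour seen across this thread, as an added example that is not part of any post and is not polkit or systemd code: a simplified Python model of how the three implicit authorizations are selected from the subject's local/active state and how logind's Can* methods report the result. It ignores rules.d rules and the imply annotation; the policy fragment is constructed from the pkaction output above, and all function names are hypothetical.

```python
# Simplified model (added example): polkit implicit authorization selection
# and the string logind returns from CanPowerOff/CanReboot.
import xml.etree.ElementTree as ET

# Constructed policy fragment; values copied from the pkaction output in the thread.
POLICY = """<policyconfig>
  <action id="org.freedesktop.login1.power-off">
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

KEYS = ("allow_any", "allow_inactive", "allow_active")

def load_defaults(policy_xml, action_id):
    """Return the implicit authorizations declared for action_id."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == action_id:
            # Assumption: an omitted (optional) element is treated as "no".
            return {k: (action.findtext("defaults/" + k) or "no").strip()
                    for k in KEYS}
    raise KeyError(action_id)

def implicit_result(defaults, local, active):
    """allow_any is the baseline; only a local session gets the other two."""
    if not local:
        return defaults["allow_any"]
    return defaults["allow_active"] if active else defaults["allow_inactive"]

def logind_can_reply(result):
    """Map a polkit result to the reply of CanPowerOff/CanReboot."""
    if result == "yes":
        return "yes"
    if result.startswith("auth_"):
        return "challenge"   # authentication would be required
    return "no"

def can_power_off(defaults, local, active):
    return logind_can_reply(implicit_result(defaults, local, active))

if __name__ == "__main__":
    d = load_defaults(POLICY, "org.freedesktop.login1.power-off")
    # Subject as logged by the debug rule: local=false active=false
    print("polkit's view :", can_power_off(d, local=False, active=False))
    # Subject as loginctl describes the session: local and active
    print("loginctl view :", can_power_off(d, local=True, active=True))
```

With the subject polkit logged (local=false, active=false) only allow_any is consulted, which is why changing allow_inactive and allow_active to yes made no difference while changing allow_any did.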