# Elogind and Polkit - some Polkit rules seem to be ignored

## Acatorn

Greetings,

First of all, as this is my first post on the awesome Gentoo forum, I would like to say Hello :Very Happy:

So far running Gentoo for about a year now was such a great experience that I think I finally found my operating system to stay.

Now, to the point. As long as I kept things simple everything was great. After some hesitation I decided to try Elogind and Polkit. I think both of them might be quite useful on enterprise workstations or virtual desktops, and I am doing some research on that subject in my job (or maybe I am wrong, then feel free to tell me about it :).

So my current setup is as follows:

Gentoo + OpenRC + LightDM + AwesomeWM + dbus + elogind + polkit + polkit-gnome (polkit agent)

Global USE flags:

USE="X glamor vaapi nvidia xvmc vdpau acpi lm_sensors elogind policykit -systemd -consolekit -udisks -upower -zeroconf -avahi -pulseaudio -gnome"

dbus USE flags:

```
 [ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-apps/dbus-1.12.16:
 U I
 + + X            : Add support for X11
 - - abi_x86_32   : 32-bit (x86) libraries
 - - debug        : Enable extra debug codepaths, like asserts and extra output.
                    If you want to get meaningful backtraces see https://wiki.ge
                    ntoo.org/wiki/Project:Quality_Assurance/Backtraces
 - - doc          : Add extra documentation (API, Javadoc, etc). It is
                    recommended to enable per package instead of globally
 + + elogind      : Use sys-auth/elogind for session tracking.
 - - static-libs  : Build static versions of dynamic libraries as well
 - - systemd      : Build with sys-apps/systemd at_console support
 - - test         : Enable dependencies and/or preparations necessary to run
                    tests (usually controlled by FEATURES=test but can be
                    toggled independently)
 + + user-session : Enable user-session semantics for session bus under systemd
```

elogind USE flags:

```
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-auth/elogind-241.4:
 U I
 + + acl       : Add support for Access Control Lists
 - - debug     : Enable extra debug codepaths, like asserts and extra output. If
                 you want to get meaningful backtraces see https://wiki.gentoo.o
                 rg/wiki/Project:Quality_Assurance/Backtraces
 - - doc       : Add extra documentation (API, Javadoc, etc). It is recommended
                 to enable per package instead of globally
 + + pam       : Add support for PAM (Pluggable Authentication Modules) -
                 DANGEROUS to arbitrarily flip
 + + policykit : Enable PolicyKit authentication support
```

polkit USE flags:

```
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-auth/polkit-0.115-r4:
 U I
 - - consolekit    : Use sys-auth/consolekit for session tracking
 + + elogind       : Use sys-auth/elogind for session tracking
 - - examples      : Install examples, usually source code
 - - gtk           : Add support for x11-libs/gtk+ (The GIMP Toolkit)
 + + introspection : Add support for GObject based introspection
 - - jit           : Enable just-in-time compilation for improved performance.
                     May prevent use of some PaX memory protection features in
                     Gentoo Hardened.
 - - kde           : Add support for software made by KDE, a free software
                     community
 + + nls           : Add Native Language Support (using gettext - GNU locale
                     utilities)
 + + pam           : Add support for PAM (Pluggable Authentication Modules) -
                     DANGEROUS to arbitrarily flip
 - - systemd       : Use sys-apps/systemd for session tracking
 - - test          : Enable dependencies and/or preparations necessary to run
                     tests (usually controlled by FEATURES=test but can be
                     toggled independently)
```

I wrote a simple polkit rule to test if it works:

/etc/polkit-1/rules.d/10-custom.rules:

```
// Gate the elogind (login1) actions and GParted per user.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.attach-device" ||
        action.id == "org.freedesktop.login1.flush-devices" ||
        action.id == "org.freedesktop.login1.halt" ||
        action.id == "org.freedesktop.login1.halt-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.halt-multiple-sessions" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.login1.hibernate-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ||
        action.id == "org.freedesktop.login1.inhibit-block-idle" ||
        action.id == "org.freedesktop.login1.inhibit-block-shutdown" ||
        action.id == "org.freedesktop.login1.inhibit-block-sleep" ||
        action.id == "org.freedesktop.login1.inhibit-delay-shutdown" ||
        action.id == "org.freedesktop.login1.inhibit-delay-sleep" ||
        action.id == "org.freedesktop.login1.inhibit-handle-hibernate-key" ||
        action.id == "org.freedesktop.login1.inhibit-handle-lid-switch" ||
        action.id == "org.freedesktop.login1.inhibit-handle-power-key" ||
        action.id == "org.freedesktop.login1.inhibit-handle-suspend-key" ||
        action.id == "org.freedesktop.login1.lock-sessions" ||
        action.id == "org.freedesktop.login1.manage" ||
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reload-config" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-self-linger" ||
        action.id == "org.freedesktop.login1.set-user-linger" ||
        action.id == "org.freedesktop.login1.set-wall-message" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
        action.id == "org.gnome.gparted") {
        if (subject.user == "tombo") {
            // tombo must authenticate as an administrator.
            return polkit.Result.AUTH_ADMIN;
        } else if (subject.user == "lightdm") {
            // The LightDM greeter user is allowed without a prompt.
            return polkit.Result.YES;
        }
    }
    // No return value: other users fall through to later rules and the action defaults.
});
```

Now, the problem is that some of the above org.freedesktop.login1.* actions seem to be completely ignored. In particular, those that do not work are those responsible for suspend, hibernate and session lock. The funny thing is that at first I had the user-session USE flag disabled in dbus because its description regards systemd, so I thought it's not relevant in my case, but when that flag was disabled even the actions responsible for poweroff and reboot got ignored. So now (after I enabled the user-session USE flag in dbus) commands like:

```
loginctl poweroff
loginctl reboot
gparted
```

work fine - the polkit-gnome agent prompts for the admin password when I run them with my user "tombo", and the "poweroff" and "reboot" buttons are enabled in LightDM (I run LightDM as user lightdm).

But when I use commands (no matter which user I am):

```
loginctl suspend
loginctl hibernate
loginctl lock-session
```

then they are executed immediately   :Shocked: 

Here's the log from /var/log/auth.log when I use loginctl suspend:

```
Jan 16 22:28:57 GENTOO-L-T polkitd[3571]: Registered Authentication Agent for unix-process:7412:7779293 (system bus name :1.66 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 16 22:29:05 GENTOO-L-T polkitd[3571]: Unregistered Authentication Agent for unix-process:7412:7779293 (system bus name :1.66, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jan 16 22:29:07 GENTOO-L-T lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 16 22:29:09 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.suspend-multiple-sessions']
Jan 16 22:29:09 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=7568 user='lightdm' groups=lightdm,video,grp_reboot seat='seat0' session='6' local=true active=true]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-delay-sleep']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-block-sleep']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-block-shutdown']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:4: action=[Action id='org.freedesktop.login1.inhibit-delay-shutdown']
Jan 16 22:29:13 GENTOO-L-T polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel,floppy,audio,cdrom,video seat='seat0' session='2' local=true active=false]
```

I'm really puzzled by it and I cannot figure it out myself. Please, good people, help me to understand what I am doing wrong. Or maybe it's some kind of bug in elogind, polkit, pam or dbus?
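
A polkit rule can only take effect for an action that polkitd is actually asked to authorize. As an added example (not part of the original post), this Node.js script pairs the action/subject lines that a logging rule like the 00-log-access.rules seen in the log above writes, and lists which expected action ids never show up for a given user; the sample lines and the helper names `parsePolkitChecks` and `neverChecked` are constructed for illustration.

```javascript
// Added example (not from the thread). Assumes a logging rule that writes an
// "action=[Action id='...']" line followed by a "subject=[Subject ...]" line
// for every authorization check, the format seen in the auth.log excerpt above.

// Constructed sample lines in that format; host name and pids are made up.
const P = "Jan 16 22:29:13 host polkitd[3571]: /etc/polkit-1/rules.d/00-log-access.rules:";
const SAMPLE_LOG = [
  P + "4: action=[Action id='org.freedesktop.login1.suspend-multiple-sessions']",
  P + "5: subject=[Subject pid=7568 user='lightdm' groups=lightdm,video seat='seat0' session='6' local=true active=true]",
  P + "4: action=[Action id='org.freedesktop.login1.inhibit-delay-sleep']",
  P + "5: subject=[Subject pid=3790 user='tombo' groups=tombo,wheel seat='seat0' session='2' local=true active=false]",
  "Jan 16 22:29:14 host lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)",
].join("\n");

// Pair each action line with the subject line that follows it
// (assumption: the two lines of one check are logged back to back).
function parsePolkitChecks(logText) {
  const checks = [];
  let pendingAction = null;
  for (const line of logText.split("\n")) {
    if (!/\bpolkitd\[\d+\]:/.test(line)) continue; // skip other daemons
    const a = line.match(/action=\[Action id='([^']+)'/);
    if (a) { pendingAction = a[1]; continue; }
    const s = line.match(/subject=\[Subject\b[^\]]*\buser='([^']+)'[^\]]*\bactive=(true|false)/);
    if (s && pendingAction) {
      checks.push({ action: pendingAction, user: s[1], active: s[2] === "true" });
      pendingAction = null;
    }
  }
  return checks;
}

// Action ids from a rule that polkitd was never asked about for this user.
function neverChecked(checks, user, expectedActions) {
  const seen = new Set(checks.filter(c => c.user === user).map(c => c.action));
  return expectedActions.filter(id => !seen.has(id));
}

// Actions the rule is supposed to gate for user "tombo" (subset, for brevity).
const EXPECTED = [
  "org.freedesktop.login1.suspend",
  "org.freedesktop.login1.hibernate",
  "org.freedesktop.login1.inhibit-delay-sleep",
];
const checks = parsePolkitChecks(SAMPLE_LOG);
console.log(checks);
console.log("never checked for tombo:", neverChecked(checks, "tombo", EXPECTED));
```

An action id that is listed as never checked was not evaluated by any rule in that log window, so the place to look is the service that should have requested the check rather than the rule file.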

----------

## charles17

 *Acatorn wrote:*   

> So my current setup is as follows:
> 
> Gentoo + OpenRC + LightDM + AwesomeWM + dbus + elogind + polkit + polkit-gnome (polkit agent)
> 
> Global USE flags:
> ...

 

Do I correctly understand you need or want https://wiki.gentoo.org/wiki/Polkit and https://wiki.gentoo.org/wiki/PAM?

Regarding your selection of USE flags, are you aware that many are set by the profile you selected?

To keep it simple you might want to remove all settings which can be removed without causing changes in the next emerge. E.g. X, on desktop profiles this is already set.

My personal recommendation is removing the USE= line from make.conf and start with a fresh and empty /etc/portage/package.use file adding only what's really needed.

----------

## Acatorn

 *Quote:*   

> Regarding your selection of USE flags are you aware that many are set by the profile you selected?
> 
> To keep it simple you might want to remove all settings which can be removed without causing changes in next emerge. E.g. X, on desktop profiles this is already set.
> ...

 

Yes, I am aware of that and I chose:

```
 [16]  default/linux/amd64/17.1 (stable) *
```

Actually I think I understand USE flag mechanics quite well. I set some flags in /etc/portage/make.conf simply for convenience - I enabled X because in most cases I want packages to provide a GUI (if they have it). When I find a package foo that I don't want to be compiled with the X USE flag, then I simply create a file /etc/portage/package.use/foo and set -X in there.

 *Quote:*   

> Do I correctly understand you need or want https://wiki.gentoo.org/wiki/Polkit and https://wiki.gentoo.org/wiki/PAM?

 

I have already read those wiki articles and I think I grasped well the polkit one. But I cannot say that about the PAM one   :Wink: 

Do you suggest that, in my setup, polkit and pam are kinda in conflict with each other? Because I don't understand why commands like:

```
loginctl poweroff
loginctl reboot
gparted
```

work correctly - they ask user tombo for the admin password as I wrote in /etc/polkit-1/rules.d/10-custom.rules.

But commands like:

```
loginctl suspend
loginctl hibernate
loginctl lock-session
```

just ignore my polkit rules  :Crying or Very sad: 

Sorry if my previous post is too long. I wanted it to contain all the information I've got. Also sorry if the answer to my questions lies in those wiki articles and I still do not understand it. I'm still a noob in pam and polkit :Wink:

----------

## charles17

 *Acatorn wrote:*   

> I have already read those wiki articles and I think I grasped well the polkit one. But I cannot say that about the PAM one  
> 
> Do you suggest that, in my setup, polkit and pam are kinda in conflict with each other? ...

 

With polkit I have no experience.  But for PAM there was this recent topic 1000290.

----------

## dmpogo

I suspect polkit does not have a good reputation on this forum :Smile: If you search, you'll find many more posts about how to remove it entirely (not easy) or minimize its presence than how to use it effectively. Honestly, I do not recall any discussion of a useful application of polkit in a while.

----------

## CaptainBlood

Same kind of issue link

polkit doesn't seem to be doing anything here, as current user can reboot with root logged at console.

Thks 4 ur attention.

----------

## Yamakuzure

 *Acatorn wrote:*   

> But when I use commands (no matter which user I am):
> 
> ```
> loginctl suspend
> ```
> ...

This is fixed in 97d2a93 as noted in issue 149 you opened. From the next release on, your rules will be heeded again.

 *CaptainBlood wrote:*   

> Same kind of issue link
> 
> polkit doesn't seem to be doing anything here, as current user can reboot with root logged at console.
> 
> Thks 4 ur attention.

 

Nope, this is something completely different. Please see the thread you opened.

----------

## CaptainBlood

@Yamakuzure

Thks 4 ur attention, interest & support

----------

