From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <slazav@altlinux.org>
Message-ID: <4B28CAF7.30402@altlinux.org>
Date: Wed, 16 Dec 2009 14:56:39 +0300
From: Vladislav Zavjalov <slazav@altlinux.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
	rv:1.9.1.5pre) Gecko/20091019 Thunderbird/3.0pre
MIME-Version: 1.0
To: devel@lists.altlinux.org
References: <20091214135707.GA9709@dad.imath.kiev.ua>	<20091216111414.GL32260@osdn.org.ua>
	<a4ab440f0912160319j62102062j4780e11e20ee168@mail.gmail.com>
In-Reply-To: <a4ab440f0912160319j62102062j4780e11e20ee168@mail.gmail.com>
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [devel] =?koi8-r?b?Q29uc29sZUtpdCDJIERNIHBvbGljeQ==?=
X-BeenThere: devel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux Team development discussions <devel@lists.altlinux.org>
List-Id: ALT Linux Team development discussions <devel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel>,
	<mailto:devel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel>
List-Post: <mailto:devel@lists.altlinux.org>
List-Help: <mailto:devel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel>,
	<mailto:devel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 11:56:37 -0000
Archived-At: <http://lore.altlinux.org/devel/4B28CAF7.30402@altlinux.org/>
List-Archive: <http://lore.altlinux.org/devel/>
List-Post: <mailto:devel@altlinux.org>

On 12/16/09 14:19, Mykola S. Grechukh wrote:
> 16 декабря 2009 г. 11:14 пользователь Michael Shigorin<>  написал:
>> On Mon, Dec 14, 2009 at 03:57:08PM +0200, Igor Vlasenko wrote:
>>> Уважаемые коллеги, смотрел
>>> https://bugzilla.altlinux.org/show_bug.cgi?id=22447
>>> по поводу регистрирации сессий в Console Kit.
>>> Если сервисы начинают предоставляться в зависимости
>>> от Console Kit, то втихую этого нельзя делать.
>>
>> И кстати, не только dm -- на 5.1/branch пойманы проблемы
>> с флэшками в KDE3, запущенном при помощи startx.
>
> Именно поэтому в федорке вызовы ck-init засунуты прямо в скриты
> xinitrc. У нас  pam_ck_connector, но он не помогает для startx.

Хорошо бы, наверное, все сделать через pam_ck_connector...

Для startx есть /etc/pam.d/xserver, но он у нас отключен.

xorg-server/os/utils.c:

...
/*
  * CheckUserAuthorization: check if the user is allowed to start the
  * X server.  This usually means some sort of PAM checking, and it is
  * usually only done for setuid servers (uid != euid).
  */

#ifdef USE_PAM
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <pwd.h>
#endif /* USE_PAM */

void
CheckUserAuthorization(void)
{
#ifdef USE_PAM
     static struct pam_conv conv = {
         misc_conv,
         NULL
     };

     pam_handle_t *pamh = NULL;
     struct passwd *pw;
     int retval;

     if (getuid() != geteuid()) {
         pw = getpwuid(getuid());
         if (pw == NULL)
             FatalError("getpwuid() failed for uid %d\n", getuid());

         retval = pam_start("xserver", pw->pw_name, &conv, &pamh);
         if (retval != PAM_SUCCESS)
             FatalError("pam_start() failed.\n"
                         "\tMissing or mangled PAM config file or 
module?\n");

         retval = pam_authenticate(pamh, 0);
         if (retval != PAM_SUCCESS) {
             pam_end(pamh, retval);
             FatalError("PAM authentication failed, cannot start X 
server.\n"
                         "\tPerhaps you do not have console ownership?\n");
         }

         retval = pam_acct_mgmt(pamh, 0);
         if (retval != PAM_SUCCESS) {
             pam_end(pamh, retval);
             FatalError("PAM authentication failed, cannot start X 
server.\n"
                         "\tPerhaps you do not have console ownership?\n");
         }

         /* this is not a session, so do not do session management */
         pam_end(pamh, PAM_SUCCESS);
     }
#endif
}
...