[Pkg-utopia-maintainers] Bug#501807: hal: does not work with dynamically assigned secondary groups
Arthur de Jong
adejong at debian.org
Fri Oct 10 16:31:53 UTC 2008
Subject: hal: does not work with dynamically assigned secondary groups
Package: hal
Version: 0.5.11-4
Severity: normal
There seems to be a regression (this worked before) in the way at least
the plugdev group is interpreted by hal. I have a setup where users who
log in on the console are provided with extra groups like so:
- add "auth optional pam_group.so" to /etc/pam.d/gdm
- add "gdm; :*; *; Al0000-2400; audio,floppy,video,cdrom,scanner,plugdev,voice"
to /etc/security/group.conf
This causes the named groups to be assigned when the user logs in
through gdm (the second command does username/group lookups, the first
one gets the groups from the process):
% id -a
uid=1000(arthur) gid=100(users) groups=22(voice),24(cdrom),25(floppy),29(audio),40(src),44(video),46(plugdev),100(users),112(scanner)
% id -a arthur
uid=1000(arthur) gid=100(users) groups=40(src),46(plugdev),100(users)
On this setup users are set up in an LDAP server. The plugdev group is
not in LDAP because it is a system group so there is no central way to
add the user to that group. Adding all users to the plugdev group on all
systems is not really an option (this would be a lot of work when adding
or removing users).
This setup worked before but now I have to add the user to the plugdev
group in /etc/group for it to work, otherwise gnome-mount fails with
this error message:
% gnome-mount --hal-udi=/org/freedesktop/Hal/devices/volume_label_MyCD --text --verbose
gnome-mount 0.7
** (gnome-mount:19399): DEBUG: Mounting /org/freedesktop/Hal/devices/volume_label_MyCD
** (gnome-mount:19399): DEBUG: read default option 'uid=' from gconf strlist key /system/storage/default_options/iso9660/mount_options
** (gnome-mount:19399): DEBUG: Mounting /org/freedesktop/Hal/devices/volume_label_MyCD with mount_point='MyCD', fstype='', num_options=1
** (gnome-mount:19399): DEBUG: option='uid=1000'
** (gnome-mount:19399): WARNING **: Mount failed for /org/freedesktop/Hal/devices/volume_label_MyCD
org.freedesktop.DBus.Error.AccessDenied : A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "org.freedesktop.Hal.Device.Volume" member "Mount" error name "(unset)" destination "org.freedesktop.Hal")
What is the best way to give users who log in through gdm the proper
access rights to mount filesystems?
[after some more searching]
In /etc/dbus-1/system.d/hal.conf there is a reference to an at_console
policy. Installing the consolekit package seems to get everything
working.
There may be two issues here. The first is that hal does not pick up the
runtime secondary groups any more.
The second is probably more a documentation issue. It took me a lot of
googling, grepping, running daemons in debugging mode, looking in XML
configuration files and reverse dependencies before I got at consolekit,
policykit and finally policykit-gnome which is probably the package I
want. Some shortcuts would be helpful here (some package could recommend
policykit-gnome or a helpful note in a README.Debian). Not sure which
package should do that though.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages hal depends on:
ii adduser 3.110 add and remove users and groups
ii dbus 1.2.1-3 simple interprocess messaging syst
ii hal-info 20081001-1 Hardware Abstraction Layer - fdi f
ii libc6 2.7-14 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libexpat1 2.0.1-4 XML parsing C library - runtime li
ii libgcc1 1:4.3.2-1 GCC support library
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libhal-storage1 0.5.11-4 Hardware Abstraction Layer - share
ii libhal1 0.5.11-4 Hardware Abstraction Layer - share
ii libsmbios1 0.13.13-1 Provide access to (SM)BIOS informa
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
ii libusb-0.1-4 2:0.1.12-13 userspace USB programming library
ii libvolume-id0 0.125-7 libvolume_id shared library
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mount 2.13.1.1-1 Tools for mounting and manipulatin
ii pciutils 1:3.0.0-6 Linux PCI Utilities
ii pm-utils 1.1.2.4-1 utilities and scripts for power ma
ii udev 0.125-7 /dev/ and hotplug management daemo
ii usbutils 0.73-10 Linux USB utilities
Versions of packages hal recommends:
ii eject 2.1.5+deb1-4 ejects CDs and operates CD-Changer
pn libsmbios-bin <none> (no description available)
Versions of packages hal suggests:
pn gnome-device-manager <none> (no description available)
-- no debconf information
--
-- arthur - adejong at debian.org - http://people.debian.org/~adejong --
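
Added example, not part of the original message: a small shell check that lists the groups a session holds only in its process credentials (as pam_group assigns them) and not in the account database, which is the difference between the two `id` outputs quoted in the report. The function names are hypothetical, and the sample input is the two `id` lines copied from the report.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from hal or PAM.

# Extract group names from the "groups=" field of one line of `id` output,
# one name per line, sorted. Numeric-only entries (no name) are skipped.
groups_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p' |
        sort -u
}

# Print, space separated, the groups present in the process credentials ($1)
# but absent from the account-database lookup ($2).
runtime_only_groups() {
    proc=$(groups_from_id "$1")
    db=$(groups_from_id "$2")
    printf '%s\n' "$proc" | while IFS= read -r g; do
        printf '%s\n' "$db" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done | tr '\n' ' ' | sed 's/ $//'
}

# Sample input: the two `id` outputs quoted in the report.
PROC_ID='uid=1000(arthur) gid=100(users) groups=22(voice),24(cdrom),25(floppy),29(audio),40(src),44(video),46(plugdev),100(users),112(scanner)'
DB_ID='uid=1000(arthur) gid=100(users) groups=40(src),46(plugdev),100(users)'

echo "runtime-only groups (sample): $(runtime_only_groups "$PROC_ID" "$DB_ID")"

# With --live, compare the current session against its own account lookup.
if [ "${1:-}" = "--live" ]; then
    echo "runtime-only groups (live): $(runtime_only_groups "$(id -a)" "$(id -a "$(id -un)")")"
fi
```

Any group this prints exists only for processes descended from that login; an access check that resolves groups from the user name or uid instead of from the calling process will not see it.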