On jeu., 2012-02-02 at 20:25 +0100, Michael Biebl wrote: > On 02.02.2012 20:25, Yves-Alexis Perez wrote: > > On jeu., 2012-02-02 at 18:28 +0000, Brian Potkin wrote: > >>> The problem with startx resp. the 90consolekit script is, that it is > >> run > >>> as unprivileged user and CK no longer trusts this context. > >>> That said, I don't think this problem is unfixable. I guess what it > >>> requires is that the PAM stack is setting up the right context so CK > >> can > >>> trust it. > >> > >> Is that a reference to using > >> > >> session optional pam_loginuid.so > >> > >> in /etc/pam.d/common-session? That also works me and has the > >> advantages > >> of being a single configuration change and having a Consolekit session > >> marked as 'active = TRUE' and 'is-local = TRUE'. I'd be supportive of > >> including a description of this method in README.Debian if it were to > >> help a significant number of startx users. > >> > >> > > I don't know what you did different, but just adding the snippet at the > > end of /etc/pam.d/common-session doesn't give me active=TRUE and > > is-local=TRUE here. > > You probably want to load it before pam_ck_connector >
Indeed. So I guess I'll patch README.Debian with something like: Index: debian/README.Debian =================================================================== --- debian/README.Debian (revision 6359) +++ debian/README.Debian (working copy) @@ -1,5 +1,5 @@ -Running Xfce ------------- +Running Xfce from a display manager +----------------------------------- If use you a login manager like GDM or LightDM, you may have two ways to start Xfce : @@ -13,25 +13,38 @@ installed on your system, it will default to startxfce4, which will run the complete Xfce desktop environment. -If you don't use a login manager but start Xfce from console, you need to -take care of few stuff: +GDM and LightDM will initialize ConsoleKit so you should be able to manage your +computer (mount removable devices, suspend, shutdown or hibernate etc.). +Running Xfce from the console +----------------------------- + +If you don't use a login manager but start Xfce from console, you need to take +care of few stuff in order to get a complete Xfce session with full permission +(mount, suspend/shutdown/hibernate etc.) This is because Debian now uses +PolicyKit/ConsoleKit to manage policies for things like device and power +management. If you run Xfce from a compatible display manager (like gdm or +lightdm), they'll talk to consolekit so your X session will have the +authentication tokens, but if you use startx, it won't. + +Important stuff: + * only use startx, without any argument * don't use a .xinitrc, use .xsession -This is because Debian now uses PolicyKit/ConsoleKit to manage policies for -things like device and power management. If you run Xfce from a compatible -display manager (like gdm or lightdm), they'll talk to consolekit so your X -session will have the authentication tokens, but if you use startx, it won't. -There's a script shipped by default with ConsoleKit which will do that, in -/etc/X11/Xsession.d/90consolekit, but the /etc/X11/Xsession.d/ scripts are only -executed if you don't use any .xinitrc. See startx (1) for more information. +This is because ConsoleKit ships an init script +(/etc/X11/Xsession.d/90consolekit), but the /etc/X11/Xsession.d/ scripts are +only executed if you don't use any .xinitrc. See startx (1) for more +information. -Managing shutdown ------------------ +Then you need to fine-tune your pam installation so ConsoleKit can be sure that +your user is correctly authenticated. For that, you need to: -There are two ways to enable user to shutdown the computer from Xfce: +* install libpam-ck-connector +* put: - - use sudo, and allow user to run /usr/lib/xfce4/session/xfsm-shutdown-helper - - use policykit and a compatible login manager (lightdm and gdm are known to - work, startx too if you use the tips above) +---- +session optional pam_loginuid.so +---- + +*before* pam_ck_connector.so in /etc/pam.d/common-session. What do you think? Regards, -- Yves-Alexis
signature.asc
Description: This is a digitally signed message part
