shutdown triggers immediate logout (no chance to input shutdown password)

[ajacoutot]

Expected behaviour

Password authentication dialog (mate-polkit) to shutdown the system in case polkit is configured as such.

Actual behaviour

Immediate logout, without password dialog. The machine does not shutdown though.
Error in logs:
mate-session[76511]: WARNING: Unable to stop system: Authorization is required
That's expected because I couldn't input my password, logout happened immediately.

In order what happens is:

• login
• polkitd[29789]: Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session9 (system bus name :1.170 [], object path /org/mate/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)```
• click on shutdown (logout happens immediately and mate-polkit agent is unregistered right away)
• polkitd[29789]: Unregistered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session9 (system bus name :1.170, object path /org/mate/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Maybe there's an inhibit missing somewhere..?

Steps to reproduce the behaviour

Add a polkit rule similar to:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.consolekit.system.stop" ||
        action.id == "org.freedesktop.consolekit.system.stop-multiple-users" ||
        action.id == "org.freedesktop.consolekit.system.restart" ||
        action.id == "org.freedesktop.consolekit.system.restart-multiple-users") {
            return polkit.Result.AUTH_ADMIN;
        }
});

Click on the shutdown button.

MATE general version

1.20

Package version

1.20.1

Linux Distribution

OpenBSD -current (amd64)

Link to downstream report of your Distribution

n/a

[raveit65]

Link to downstream report of your Distribution

n/a

Why?
Better you ask your distro maintainer to reproduce the issue.
I am using fedora.....
.... and i can't reproduce the issue.

[ajacoutot]

Hi @raveit65 .
It is reproducible by our MATE maintainer. I'm just the messenger.
I understand you're using Fedora, which uses systemd. As mentioned in my original message, this looks ConsoleKit2 related (which MATE supposedly supports, at least there's code for it).

[raveit65]

Adding support for ConsoleKit2 was
a) not my idea :)
b) a bad idea because nobody from us use it.
c) should be dropped, IHMO

[ajacoutot]

Fair enough. Closing and fixing locally.
Thanks anyway.

[rnagy]

Hi

I would like to reopen this issue because after looking into this the main problem is that
in the request_reboot_privileges_completed_consolekit() callback end_phase() is called
so there is just no chance for the polkit dialog to pop up, a logout will be initiated right away.

I've also realized that canceling the polkit auth dialog will also emit the restart complete signal and will fall back to MDM logout.

I know that systemd is magic, but I just don't see how systemd would ask for a password
on a reboot request. I am happy to fix the consolekit support, but I would like to have
some explanation about how the systemd part should work. Or does systemd just allow anyone to reboot if the logged in user has the active session?

[ajacoutot]

Reopening because this is not related to ConsoleKit. I see the same behaviour with systemd on Linux Mint with the MATE Desktop.
Consider this polkit rule:

# cat /etc/polkit-1/localauthority/50-local.d/admin-shutdown.pkla
[Only allow admin to shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-multiple-sessions
ResultInactive=auth_admin
ResultActive=auth_admin
ResultAny=auth_admin

Then click on restart or shutdown in the quit MATE dialog, you'll get logged out before the polkit authentication agent had the change to display a password dialog. This is the journald output:

Mar 31 15:27:35 vm-mint gnome-keyring-daemon[2195]: The Secret Service was already initialized
Mar 31 15:27:35 vm-mint gnome-keyring-daemon[2195]: The PKCS#11 component was already initialized
Mar 31 15:27:36 vm-mint polkitd(authority=local)[1442]: Registered Authentication Agent for unix-session:c4 (system bus name :1.71 [/usr/lib/x86_64-linux-gnu/polkit-mate/polkit-mate-authentication-agent-1], object path /org/mate/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Mar 31 15:27:36 vm-mint dbus-daemon[1671]: [session uid=1000 pid=1671] Successfully activated service 'org.mate.panel.applet.MintMenuAppletFactory'
Mar 31 15:27:37 vm-mint dbus-daemon[589]: [system] Activating service name='org.mate.SettingsDaemon.DateTimeMechanism' requested by ':1.73' (uid=1000 pid=2644 comm="/usr/lib/mate-panel/clock-applet " label="unconfined") (using servicehelper)
Mar 31 15:27:37 vm-mint dbus-daemon[589]: [system] Successfully activated service 'org.mate.SettingsDaemon.DateTimeMechanism'
Mar 31 15:27:50 vm-mint polkitd(authority=local)[1442]: Unregistered Authentication Agent for unix-session:c4 (system bus name :1.71, object path /org/mate/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 31 15:27:50 vm-mint mate-session[2198]: WARNING: Unable to restart system: Interactive authentication required.
Mar 31 15:27:50 vm-mint lightdm[2162]: pam_unix(lightdm:session): session closed for user ajacoutot

[rnagy]

anyone? @raveit65 ?

[raveit65]

@mate-desktop/core-team

[dark-penguin]

I'm on Debian Buster, I have not added any polkit rules, and I don't even need to authenticate before shutdown. But sometimes I also experience "logging out instead of shutting down".

Apr 26 16:27:52 DEUS mate-session[1678]: WARNING: Unable to restart system: Interactive authentication required.
Apr 26 16:27:52 DEUS systemd-logind[783]: Session 1 logged out. Waiting for processes to exit.
Apr 26 16:27:52 DEUS lightdm[1475]: pam_unix(lightdm-autologin:session): session closed for user kami
Apr 26 16:27:53 DEUS lightdm[5789]: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)

Is it this bug too, or is it a separate issue?