After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 772537 - Log full of "Error executing command as another user: Not authorized" errors from attempts to run /usr/libexec/gsd-backlight-helper
Log full of "Error executing command as another user: Not authorized" errors ...
Status: RESOLVED FIXED
Product: gnome-session
Classification: Core
Component: gnome-session
3.22.x
Other Linux
: Normal major
: ---
Assigned To: Session Maintainers
Session Maintainers
: 773685 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2016-10-06 23:26 UTC by Adam Williamson
Modified: 2017-09-02 16:22 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
gsm-systemd.c: Restrict the login monitor to the "session" category (1.33 KB, patch)
2017-02-02 18:16 UTC, Owen Taylor 		committed Details | Review

Description Adam Williamson 2016-10-06 23:26:13 UTC 
My Fedora 24 laptop, with:

gdm-3.20.1-3.fc24.x86_64
gnome-settings-daemon-3.20.1-3.fc24.x86_64
polkit-0.113-5.fc24.x86_64

has its logs stuffed with messages like this:

Oct 06 16:18:53 xps13.happyassassin.net pkexec[4929]: pam_unix(polkit-1:session): session opened for user root by (uid=1001)
Oct 06 16:18:53 xps13.happyassassin.net pkexec[4929]: adamw: Executing command [USER=root] [TTY=unknown] [CWD=/home/adamw] [COMMAND=/usr/libexec/gsd-backlight-helper --set-brightness 99]
Oct 06 16:18:53 xps13.happyassassin.net pkexec[4930]: gdm: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/var/lib/gdm] [COMMAND=/usr/libexec/gsd-backlight-helper --set-brightness 90]
Oct 06 16:18:53 xps13.happyassassin.net gnome-settings-daemon.desktop[1577]: Error executing command as another user: Not authorized
Oct 06 16:18:53 xps13.happyassassin.net gnome-settings-daemon.desktop[1577]: This incident has been reported.
Oct 06 16:19:00 xps13.happyassassin.net pkexec[4942]: gdm: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/var/lib/gdm] [COMMAND=/usr/libexec/gsd-backlight-helper --set-brightness 85]
Oct 06 16:19:00 xps13.happyassassin.net gnome-settings-daemon.desktop[1577]: Error executing command as another user: Not authorized
Oct 06 16:19:00 xps13.happyassassin.net gnome-settings-daemon.desktop[1577]: This incident has been reported.
Oct 06 16:19:00 xps13.happyassassin.net pkexec[4943]: pam_systemd(polkit-1:session): Cannot create session: Already running in a session
Oct 06 16:19:00 xps13.happyassassin.net audit[4943]: USER_START pid=4943 uid=1001 auid=1001 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
Oct 06 16:19:00 xps13.happyassassin.net pkexec[4943]: pam_unix(polkit-1:session): session opened for user root by (uid=1001)

I get them over and over. My user is an admin (in wheel group).
Comment 1 Rui Matos 2016-10-07 11:35:51 UTC 
I guess bug 764896 wasn't completely fixed yet :-(
Comment 2 Adam Williamson 2016-10-07 16:17:08 UTC 
yeah...by the looks of things that patch was in 3.20.1, and I've had 3.20.1 on this laptop since upgrading to F24 according to dnf history, so it definitely seems like it still happens somehow.
Comment 3 Gautier Pelloux-Prayer 2016-12-31 10:18:04 UTC 
A few additional info, if it helps:

- Running gnome-shell 3.22.2 under Debian and still having the issue
- One new line appear every-time I hit lower/greater brightness keys on the physical keyboard: brightness is changed and gnome-shell display the pop-up about it, but there is still a new line logged.
- Adding "blacklist acpi_als" in /etc/modprobe.d/blacklist.conf does reduce a LOT of these messages, but not all of them. Periodically I can still see some messages in the logs (one every minute or so). 
- "Automatic brightness" is disabled while "Dim screen when inactive" is enabled and "Blank screen" after 15 minutes.
Comment 4 Bastien Nocera 2017-01-13 16:53:54 UTC 
*** Bug 773685 has been marked as a duplicate of this bug. ***
Comment 5 Bastien Nocera 2017-01-14 01:07:47 UTC 
Bug 773685 has a work-around patch, but I'd rather it was root-caused. I couldn't reproduce the problem on my system because the IIO subsystem is buggy.

So allow me to go down that rabbit hole and I'll let you know when I come back out of it again.
Comment 6 Owen Taylor 2017-01-31 17:26:04 UTC 
It seems like the code in gsd-power-manager.c is meant to claim the light sensor only if:

 * iio-sensor-proxy is available on the bus
 * the backlight is not disabled
 * the session is active

But the code is not structured to actually do this - most transitions don't check the other parts. For example, when iio-sensor-proxy appears on the bus or the backlight is enabled, then the code unconditionally claims the light sensor. I don't have an exact theory for what code path gets triggered on my system to cause this pproblem for the gdm session, but I suspect that if there was some function somewhere that was:

 should_claim_light = proxy && backlight_enabled && session_active;
 if (should_claim_light)
    claim_light ();
 else 
    disclaim_light();

it might well fix this problem. (With appropriate checking for not making redundant calls.)

I of course might be misunderstanding the code structure :-)
Comment 7 Owen Taylor 2017-02-02 16:57:24 UTC 
While I still think there are some issues with the state transition logic, the root cause of the problem on my machine turns out to be a selinux problem where the gdm gnome-session-binary couldn't set up an inotify watch on /var/run/systemd/sessions/

Feb 02 11:52:04 localhost.localdomain audit[1518]: AVC avc:  denied  { read } for  pid=1518 comm="gnome-session-b" name="machines" dev="tmpfs" ino=22942 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=dir permissive=0
Feb 02 11:52:04 localhost.localdomain gnome-session[1518]: gnome-session-binary[1518]: WARNING: Error getting login monitor: -13
Comment 8 Owen Taylor 2017-02-02 18:16:17 UTC 
Created attachment 344802 [details] [review]
gsm-systemd.c: Restrict the login monitor to the "session" category

We only are interested in changes to sd_session_get_active(), so only
listen for changes in the "session" category. This reduces overhead
by a small amount, and also reduces the amount of /var/run/systemd
that needs to be read. (Bug 772537 is a failure because of a SELinux
policy preventint reading /var/run/systemd/machines - which we don't
need to monitor anyways.)
Comment 9 Ray Strode [halfline] 2017-02-02 18:24:14 UTC 
Review of attachment 344802 [details] [review]:

::: gnome-session/gsm-systemd.c
@@ +232,3 @@
         sd_source = (SdSource *)source;
 
+        if ((ret = sd_login_monitor_new ("session", &sd_source->monitor)) < 0) {

makes the code better, fixes selinux problem.  win-win i guess.
Comment 10 Owen Taylor 2017-02-02 18:33:26 UTC 
Pushed to gnome-3.22 and master

Attachment 344802 [details] pushed as 73dba36 - gsm-systemd.c: Restrict the login monitor to the "session" category
Comment 11 Bastien Nocera 2017-02-15 18:00:40 UTC 
*** Bug 766067 has been marked as a duplicate of this bug. ***
Comment 12 Martin Dengler 2017-09-02 13:52:35 UTC 
This does not seem to be fixed.

# uname -a
Linux box 4.12.9-200.fc25.x86_64 #1 SMP Fri Aug 25 13:23:30 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q gnome-shell gnome-settings-daemon gdm | sort
gdm-3.22.3-1.fc25.x86_64
gnome-settings-daemon-3.22.2-1.fc25.x86_64
gnome-shell-3.22.3-1.fc25.x86_64

# ps axuwww | grep setting[s]
user     12089  0.6  0.5 1383012 47672 tty2    Sl+  08:35   0:05 /usr/libexec/gnome-settings-daemon
gdm      20308  0.7  0.4 1144196 32832 tty1    Sl+  08:47   0:01 /usr/libexec/gnome-settings-daemon

# journalctl -f
[...]
Sep 02 08:49:03 box pkexec[22275]: pam_unix(polkit-1:session): session opened for user root by (uid=8000)
Sep 02 08:49:03 box pkexec[22275]: tele: Executing command [USER=root] [TTY=unknown] [CWD=/home/tele] [COMMAND=/usr/libexec/gsd-backlight-helper --set-brightness 843]
Sep 02 08:49:03 box pkexec[22274]: gdm: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/var/lib/gdm] [COMMAND=/usr/libexec/gsd-backlight-helper --set-brightness 843]
Sep 02 08:49:03 box gnome-settings-daemon.desktop[20308]: Error executing command as another user: Not authorized
Sep 02 08:49:03 box gnome-settings-daemon.desktop[20308]: This incident has been reported.
Sep 02 08:49:04 box pkexec[22290]: gdm: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/var/lib/gdm] [COMMAND=/usr/libexec/gsd-backlight-helper --set-brightness 843]
Sep 02 08:49:04 box gnome-settings-daemon.desktop[20308]: Error executing command as another user: Not authorized
Sep 02 08:49:04 box gnome-settings-daemon.desktop[20308]: This incident has been reported.
Sep 02 08:49:04 box pkexec[22291]: pam_systemd(polkit-1:session): Cannot create session: Already running in a session
Sep 02 08:49:04 box pkexec[22291]: pam_unix(polkit-1:session): session opened for user root by (uid=8000)
Comment 13 Bastien Nocera 2017-09-02 16:22:54 UTC 
(In reply to Martin Dengler from comment #12)
> This does not seem to be fixed.

This issue is about a particular part of the problem, which isn't the one your logs mention.

> # uname -a
> Linux box 4.12.9-200.fc25.x86_64 #1 SMP Fri Aug 25 13:23:30 UTC 2017 x86_64
> x86_64 x86_64 GNU/Linux
> # rpm -q gnome-shell gnome-settings-daemon gdm | sort
> gdm-3.22.3-1.fc25.x86_64
> gnome-settings-daemon-3.22.2-1.fc25.x86_64
> gnome-shell-3.22.3-1.fc25.x86_64

You'll probably need the patches in bug 786164, or the ones in the 3.22.x branch, for gnome-settings-daemon. If you still see problems, file a new bug against gnome-settings-daemon.