TDE
/
tde
8
0
Fork 0
Code Issues 70 Pull Requests Projects Releases 15 Wiki Activity
Labels Milestones
New Issue

tdepowersave spamming auth.log every two seconds #44

Closed
opened 3 years ago by mgb · 16 comments
mgb commented 3 years ago

Basic information

  • TDE version: 14.0.9
  • Distribution: Debian 10 Buster (w/ standard 4.19.0-13 kernel)
  • Hardware: Intel i7 (arch is amd64 w/ multiarch and some non-TDE i386)

Description

My auth.log backups go as far back as Jan 3rd and it's in all of them. I'm guessing it might be related to the fix for tdepowersave to notice when AC power status changed.

Steps to reproduce

  1. Install tdepowersave-trinity
  2. Look at auth.log - approx 111MB per week of this:

Feb 1 17:30:23 delta dbus-daemon[9673]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.27" (uid=1000 pid=10665 comm="tdepowersave [tdeinit] ") interface="org.trinitydesktop.hardwarecontrol.InputEvents" member="GetActiveSwitches" error name="(unset)" requested_reply="0" destination="org.trinitydesktop.hardwarecontrol" (uid=0 pid=10413 comm="/opt/trinity/bin/tde_dbus_hardwarecontrol ")
Feb 1 17:30:25 delta dbus-daemon[9673]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.27" (uid=1000 pid=10665 comm="tdepowersave [tdeinit] ") interface="org.trinitydesktop.hardwarecontrol.InputEvents" member="GetActiveSwitches" error name="(unset)" requested_reply="0" destination="org.trinitydesktop.hardwarecontrol" (uid=0 pid=10413 comm="/opt/trinity/bin/tde_dbus_hardwarecontrol ")

Screenshots

<!-- This is a comment. Please fill in the required fields below. The comments provide instructions on how to do so. Note: You do not need to remove comments. --> ## Basic information - TDE version: 14.0.9 - Distribution: Debian 10 Buster (w/ standard 4.19.0-13 kernel) - Hardware: Intel i7 (arch is amd64 w/ multiarch and some non-TDE i386) <!-- Use SL/* labels to set the severity level. Please do not set a milestone. --> ## Description My auth.log backups go as far back as Jan 3rd and it's in all of them. I'm guessing it might be related to the fix for tdepowersave to notice when AC power status changed. ## Steps to reproduce 1. Install tdepowersave-trinity 2. Look at auth.log - approx 111MB per week of this: Feb 1 17:30:23 delta dbus-daemon[9673]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.27" (uid=1000 pid=10665 comm="tdepowersave [tdeinit] ") interface="org.trinitydesktop.hardwarecontrol.InputEvents" member="GetActiveSwitches" error name="(unset)" requested_reply="0" destination="org.trinitydesktop.hardwarecontrol" (uid=0 pid=10413 comm="/opt/trinity/bin/tde_dbus_hardwarecontrol ") Feb 1 17:30:25 delta dbus-daemon[9673]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.27" (uid=1000 pid=10665 comm="tdepowersave [tdeinit] ") interface="org.trinitydesktop.hardwarecontrol.InputEvents" member="GetActiveSwitches" error name="(unset)" requested_reply="0" destination="org.trinitydesktop.hardwarecontrol" (uid=0 pid=10413 comm="/opt/trinity/bin/tde_dbus_hardwarecontrol ") ## Screenshots <!-- If it seems useful, please provide provide one or more screenshots. -->
SlavekB commented 3 years ago
Owner

The GetActiveSwitches call is related to determining the state of the lid – whether it is closed or open. And the message [system] Rejected send message means some problem at the dbus permission level.

Is it possible that the wonderful systemd was updated there and the user was not logged out / logged in? Can you try a dbus call using cli or d-feet?

The `GetActiveSwitches` call is related to determining the state of the lid – whether it is closed or open. And the message `[system] Rejected send message` means some problem at the dbus permission level. Is it possible that the wonderful systemd was updated there and the user was not logged out / logged in? Can you try a dbus call using cli or d-feet?
MicheleC commented 3 years ago
Owner

I saw a similar thing when I was playing with dbus and testing a lot, even using multiple sessions. You should try a reboot and see if the problem still persists. If not, it is probably something like Slavek pointed out (like systemd update or so). But it could also be a problem with dbus service permissions, so testing on a fresh reboot is recommended.

I saw a similar thing when I was playing with dbus and testing a lot, even using multiple sessions. You should try a reboot and see if the problem still persists. If not, it is probably something like Slavek pointed out (like systemd update or so). But it could also be a problem with dbus service permissions, so testing on a fresh reboot is recommended.
mgb commented 3 years ago
Poster

No systemd here other than libsystemd0.

No software updates since last reboot 47 hours ago.

Dbus is present but if you want me to try a manual dbus call you'll have to give me something to copy/paste into my command line as I have no experience with that.

FWIW this doesn't appear on an old i386 Pentium II laptop but that has substantially less software installed and much older hardware although it does have tdepowersave-trinity.

No systemd here other than libsystemd0. No software updates since last reboot 47 hours ago. Dbus is present but if you want me to try a manual dbus call you'll have to give me something to copy/paste into my command line as I have no experience with that. FWIW this doesn't appear on an old i386 Pentium II laptop but that has substantially less software installed and much older hardware although it does have tdepowersave-trinity.
MicheleC commented 3 years ago
Owner

ok, thanks for the info Mike. Although you don't have systemd installed, can you first have a look at the suggestion mentioend here?

If you still have isues after that, we will need to do further investigation and we will come up with some CLI command for you to test

ok, thanks for the info Mike. Although you don't have systemd installed, can you first have a look at the suggestion mentioend [here](https://wiki.trinitydesktop.org/index.php?title=Release_Notes_For_R14.0.7#Removed_dbus_policy_at_console)? If you still have isues after that, we will need to do further investigation and we will come up with some CLI command for you to test
mgb commented 3 years ago
Poster

First, to anyone following along at home, I would say don't try restarting dbus. Just reboot. Believe me, you'll thank me.

Second, no change with group="users". However Debian by default creates a separate group for each user to avoid some security problems.

I'm going to try group="audio". The audio group is allowed to play sounds and I believe it is Debian standard. However users are not added to it by default so it is not a general purpose solution. However here I add people who are allowed to login to TDE to the audio group so it might work if dbus considers secondary groups as well as primaries.

First, to anyone following along at home, I would say don't try restarting dbus. Just reboot. Believe me, you'll thank me. Second, no change with group="users". However Debian by default creates a separate group for each user to avoid some security problems. I'm going to try group="audio". The audio group is allowed to play sounds and I believe it is Debian standard. However users are not added to it by default so it is not a general purpose solution. However here I add people who are allowed to login to TDE to the audio group so it might work if dbus considers secondary groups as well as primaries.
MicheleC commented 3 years ago
Owner

First, to anyone following along at home, I would say don't try restarting dbus. Just reboot. Believe me, you'll thank me.

👍 💯

I'm going to try group="audio". The audio group is allowed to play sounds and I believe it is Debian standard. However users are not added to it by default so it is not a general purpose solution. However here I add people who are allowed to login to TDE to the audio group so it might work if dbus considers secondary groups as well as primaries.

Ok, let us know how it goes and we take it from there.

> First, to anyone following along at home, I would say don't try restarting dbus. Just reboot. Believe me, you'll thank me. :+1: :100: > I'm going to try group="audio". The audio group is allowed to play sounds and I believe it is Debian standard. However users are not added to it by default so it is not a general purpose solution. However here I add people who are allowed to login to TDE to the audio group so it might work if dbus considers secondary groups as well as primaries. Ok, let us know how it goes and we take it from there.
mgb commented 3 years ago
Poster

I tried group="audio" and also group="<my user's private group>".

In both cases my screen brightness failed to set and I can't work with one screen glaring so bright I need sunglasses.

Sorry but it's late and I'm up against a hard deadline so I need to get back to work now.

Thanks for trying.

I tried group="audio" and also group="<my user's private group>". In both cases my screen brightness failed to set and I can't work with one screen glaring so bright I need sunglasses. Sorry but it's late and I'm up against a hard deadline so I need to get back to work now. Thanks for trying.
mgb commented 3 years ago
Poster

OK, seems to work fine now with group="audio".

What was happening was that tdepowersave was overriding the monitor brightness which had previously been set in .xsessionrc but once I made the two match it's OK and the auth.log spam has stopped.

Not sure if this is the ideal solution as not everyone uses group="audio". Debian and its derivatives don't use the "users" group for normal users so that doesn't work either.

Are there security reasons for not enabling these messages in context="default"?

OK, seems to work fine now with group="audio". What was happening was that tdepowersave was overriding the monitor brightness which had previously been set in .xsessionrc but once I made the two match it's OK and the auth.log spam has stopped. Not sure if this is the ideal solution as not everyone uses group="audio". Debian and its derivatives don't use the "users" group for normal users so that doesn't work either. Are there security reasons for not enabling these messages in context="default"?
SlavekB commented 3 years ago
Owner

OK, seems to work fine now with group="audio".

What was happening was that tdepowersave was overriding the monitor brightness which had previously been set in .xsessionrc but once I made the two match it's OK and the auth.log spam has stopped.

Not sure if this is the ideal solution as not everyone uses group="audio". Debian and its derivatives don't use the "users" group for normal users so that doesn't work either.

Are there security reasons for not enabling these messages in context="default"?

We assumed that the plugdev group can be useful, so plugdev is used in the default configuration file. Are your local users a member of this group?

It is a good idea that reading these switches could be allowed for everyone – in the default context. It probably can't cause sensitive information to leak there, and at the same time it doesn't allow anyone to set anything – just read.

> OK, seems to work fine now with group="audio". > > What was happening was that tdepowersave was overriding the monitor brightness which had previously been set in .xsessionrc but once I made the two match it's OK and the auth.log spam has stopped. > > Not sure if this is the ideal solution as not everyone uses group="audio". Debian and its derivatives don't use the "users" group for normal users so that doesn't work either. > > Are there security reasons for not enabling these messages in context="default"? We assumed that the plugdev group can be useful, so plugdev is used in the default configuration file. Are your local users a member of this group? It is a good idea that reading these switches could be allowed for everyone – in the default context. It probably can't cause sensitive information to leak there, and at the same time it doesn't allow anyone to set anything – just read.
mgb commented 3 years ago
Poster

Across all the machines I manage only four have users in plugdev. Three of those users are me and one is nagios.

I have no idea what caused any of them to be added to plugdev as we set up machines in a fairly controlled fashion. Possibly at some point in time a debian package script was adding users to plugdev. I'm going to remove them as they shouldn't be there.

I'm not a great fan of allowing unsophisticated users to plug in a memory stick their buddy gave them and thereby infecting a network but I can see that plugdev might make sense as a default for TDE for this policy.

Across all the machines I manage only four have users in plugdev. Three of those users are me and one is nagios. I have no idea what caused any of them to be added to plugdev as we set up machines in a fairly controlled fashion. Possibly at some point in time a debian package script was adding users to plugdev. I'm going to remove them as they shouldn't be there. I'm not a great fan of allowing unsophisticated users to plug in a memory stick their buddy gave them and thereby infecting a network but I can see that plugdev might make sense as a default for TDE for this policy.
SlavekB commented 3 years ago
Owner

I'm not a great fan of allowing unsophisticated users to plug in a memory stick their buddy gave them and thereby infecting a network but I can see that plugdev might make sense as a default for TDE for this policy.

Anyway, I like your idea to allow reading input switches and their states for everyone. I am convinced that we can go this way.

> I'm not a great fan of allowing unsophisticated users to plug in a memory stick their buddy gave them and thereby infecting a network but I can see that plugdev might make sense as a default for TDE for this policy. Anyway, I like your idea to allow reading input switches and their states for everyone. I am convinced that we can go this way.
MicheleC commented 3 years ago
Owner

yes, it sounds a sensible option and safer than using plugdev.

@mgb just wondering, since you are on debian 10, did you replace systemd with sysv? any unexpected issues?

yes, it sounds a sensible option and safer than using plugdev. @mgb just wondering, since you are on debian 10, did you replace systemd with sysv? any unexpected issues?
mgb commented 3 years ago
Poster

The only issue I've had with sysv in Debian is one systemd zealot DD using his packaging scripts to forcibly remove some files from /etc/init.d and me having to restore them from pre-upgrade backups. They work just fine of course.

I've used Devuan and wish I still could but Devuan's boss's response to the 2019 April Fool's incident was to laugh it off rather than investigating to see if security had actually been compromised in any way.

https://lwn.net/ml/devuan-devel/201904011105.11988.mgb-devuan@yosemite.net/

The only issue I've had with sysv in Debian is one systemd zealot DD using his packaging scripts to forcibly remove some files from /etc/init.d and me having to restore them from pre-upgrade backups. They work just fine of course. I've used Devuan and wish I still could but Devuan's boss's response to the 2019 April Fool's incident was to laugh it off rather than investigating to see if security had actually been compromised in any way. https://lwn.net/ml/devuan-devel/201904011105.11988.mgb-devuan@yosemite.net/
MicheleC commented 3 years ago
Owner

Thanks Mike. And interesting reading about Devuan April's fool, I didn't know about it.

Thanks Mike. And interesting reading about Devuan April's fool, I didn't know about it.
SlavekB commented 3 years ago
Owner

Resolved in TDE/tdelibs#125.

Resolved in TDE/tdelibs#125.
SlavekB closed this issue 3 years ago
SlavekB added this to the R14.0.10 release milestone 3 years ago
SlavekB commented 3 years ago
Owner

FYI, the modification only affects the configuration file for dbus and has no further sequence. Thanks to this, it can also be used for the current final release without the need to update to PSB.

FYI, the modification only affects the configuration file for dbus and has no further sequence. Thanks to this, it can also be used for the current final release without the need to update to PSB.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
r14.1.x
master
r14.0.x
v3.5.13-sru
Labels
Apply labels
Clear labels
GE/need-info
General - need additional info from contributor PR/keep-branch
Pull request - do not delete branch after merging PR/not-ok
Pull request - need fixing PR/rfc
Pull request - request for comments PR/update-trans
Pull request - update to translation files needed PR/wip
Pull request - work in progress RS/R14.0.x
Related to R14.0.x series RS/R14.1.x
Related to R14.1.x series SL/critical
Severity level - critical SL/major
Severity level - major SL/minor
Severity level - minor SL/normal
Severity level - normal SL/regression
Severity level - regression from previous version SL/trivial
Severity level - trivial SL/wishlist
Severity level - wishlist request ST/duplicate
Status - duplicate of another issue ST/invalid
Status - invalid report ST/notourproblem
Status - not our problem ST/rejected
Status - rejected ST/wontfix
Status - won't fix ST/worksforme
Status - works for me, unable to reproduce
No Label GE/need-info PR/keep-branch PR/not-ok PR/rfc PR/update-trans PR/wip RS/R14.0.x RS/R14.1.x SL/critical SL/major SL/minor SL/normal SL/regression SL/trivial SL/wishlist ST/duplicate ST/invalid ST/notourproblem ST/rejected ST/wontfix ST/worksforme
Milestone
Set milestone
Clear milestone
No items
No Milestone
R14.0.10 release
Projects
Clear projects
No project
Assignees
Assign users
Clear assignees
No Assignees
3 Participants
Notifications
Due Date

No due date set.

Dependencies

No dependencies set.

Reference: TDE/tde#44
Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch '%!s(<nil>)'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes