2009-12-23

ConsoleKit, access denied and a see-it-once bug

    I just noticed an interesting bug when I upgraded my ArchLinux last Sunday.  Every time when I log on my Openbox desktop, I found my NetworkManager applet icon cannot be shown on the system tray. When I invoke nm-applet from comman line, I got an error like below:

** (nm-applet:14122): WARNING **:   applet_dbus_manager_start_service(): 
Could not acquire the NetworkManagerUserSettings service.
  Message: 'Connection ":1.21" is not allowed to own the service 
"org.freedesktop.NetworkManagerUserSettings" due to security policies in the 
configuration file'
The most interesting thing is: the issue only happens *once*. When I log out and log in again, everything looks fine.

Obviously it's not a hardware issue. Since it only happens after upgrading, I decided to have a check on udev configuration files and finally got something new:

<policy at_console="true">
   <allow own="org.freedesktop.NetworkManagerUserSettings"/>
   <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
     send_interface="org.freedesktop.NetworkManagerSettings"/>
   <allow send_destination="org.freedesktop.NetworkManagerUserSettings" send_interface="org.freedesktop.NetworkManagerSettings.Connection"/>
</policy>

This is new to me. I know that the traditional way is to use network group to define who can access network configuration. I also got some suggestions from *here* that I should add to make it back to old behavior.


But wait -- is it really the root cause? If that is the case, why it works when I log on twice?

After some studies I noticed that the settings above are used by ConsoleKit. Meanwhile, I also found that there should be a daemon, /usr/sbin/console-kit-daemon, which will assign an XDG_SESSION_COOKIE environment variable to every active logon session so it can determine who is using the current console. This is important for nm-applet to determine who should be assigned the access to read network settings.

Look -- the key is here. I didn't see XDG_SESSION_COOKIE environment variable when I log on system for the first time! However, I'm able to see the setting from the second logon. It seems the server was not there but was then invoked after first session, but NO DOCUMENT says that console-kit-daemon can be automatically started!

So the final fix is rather simple: I opened my /etc/rc.local file and added two lines:
#!/bin/bash
/usr/sbin/console-kit-daemon
That will force starting a console-kit-daemon service when system starts up. I rebooted the machine and everything works then.

Also, it just solve another see-it-once issue: my PCManFM file manager always give me an error when I'm trying to mount any USB flash disk, with a message like "send message rejected". This is also a see-it-once issue on my first logon session. After applying the fix (or workaround? Who knows) above, it also disappeared.

So my friend, if you are also experiencing the same issue, try that. Good luck.

No comments: