qubes-issues
qubes-issues copied to clipboard
QubesOS
user session is not "active" if passwordless root access is disabled
Qubes OS release
R4.1
Brief summary
loginctl reports user session as "State: online" instead of "State: active". This breaks (at least) access rights for devices with TAG+="uaccess".
Activating session manually works only from root, from user it gives:
$ loginctl activate
Failed to issue method call: Access denied
Steps to reproduce
- Take Debian minimal template (might apply to others too)
- Install
libpam-systemd(otherwise sessions are not registered at all) - Create AppVM based on it and start it
- Call
loginctl session-stateas a user in that VM
Expected behavior
State: active
Actual behavior
State: online
Reported by @andrewdavidwong
As discussed with @marmarek, this seems to affect Debian minimal but not Fedora minimal.
I think it is better to add libpam-systemd; it’s a tiny package and the UX benefit is worth it.
I think it is better to add
libpam-systemd; it’s a tiny package and the UX benefit is worth it.
I disagree. The raison d'être of minimal templates is to be minimal. "Tiny" and "UX benefit" are not principled reasons to add a package to a template the primary purpose of which is to be as minimal as possible. If we added every tiny package with a UX benefit, the template would no longer be minimal at all. It would be quite bloated, and there would be little reason for it to exist in addition to the standard template. Users are free add whichever packages they choose for such reasons, which is how minimal templates are intended to be used.
fedora-37-minimal ships with systemd-libs already installed.
qube based on that template shows "State: active" for loginctl session-status
