Let users enable systemd lingering

[KellerFuchs]

% loginctl enable-linger
Could not enable linger: The name org.freedesktop.PolicyKit1 was not provided by any .service files

Lingering makes the user's service manager be spawned at boot, so that users' systemd-controled services are started automatically after reboot.

[daurnimator]

I've now installed policykit, so at least we get a good error now:

$ loginctl enable-linger $USER
==== AUTHENTICATING FOR org.freedesktop.login1.set-user-linger ===
Authentication is required to allow a non-logged-in user to run programs.
Authenticating as: root
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Could not enable linger: Access denied

[daurnimator]

Normally you'd have something like this in something like /etc/polkit-1/rules.d/50-permit-linger.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.set-user-linger") {
        return polkit.Result.YES;
    }
});

But of course... debian seem to have their own way.

[daurnimator]

Ah, we have policykit-1 0.105-8 installed. The rules format was changed (to the JS based form I know) in 0.112.

[KellerFuchs]

Also, your previous thing looks like it would let any user enable/disable lingering for any other user.

[daurnimator]

Also, your previous thing looks like it would let any user enable/disable lingering for any other user.

Yeah I was just throwing together an example

[KellerFuchs]

@daurnimator Since it looks like nothing is currently happening on this front, should we back out the policykit-1 install until there is a concrete proposal?

[daurnimator]

should we back out the policykit-1 install until there is a concrete proposal?

no? for the moment it at least improves the error messages.

[KellerFuchs]

Fair enough.

[daurnimator]

The policy-kit-1 >= 0.112 is only in debian experimental. https://packages.qa.debian.org/p/policykit-1/news/20170524T164929Z.html

Can we install that? When would that make it into an actual release?

[KellerFuchs]

@daurnimator Stuff in experimental is not subject to automatic unstable -> testing -> stable migrations (that's the whole point of experimental). Moreover, it cannot possibly get into a release before buster (10.0), which will probably take about 2 years, given that stretch was released a few months ago... Given that there seem to be very little activity on the package I really wouldn't hold my breath.

If I understand correctly, right now PolicyKit only brings us a “friendlier” error messages when trying to enable lingering for oneself, and is at a version too low for us to write a policy that let users enable lingering? Because if that's the case, I would be strongly in favor of uninstalling it, given its sketchy security history and given that it's low-key unmaintained in Debian.