Bugzilla – Full Text Bug Listing

| Summary: | polkit-default-privs doesn't seem to work anymore (localauthority backend gone) | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 12.3 | Reporter: | Ralf Haferkamp <ralf> |
| Component: | Other | Assignee: | Marcus Meissner <meissner> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Critical | ||
| Priority: | P1 - Urgent | CC: | coolo, forgotten_DV81ZEWZkN, lnussel, mcatanzaro, meissner, one, wstephenson |
| Version: | RC 1 | Flags: | coolo: SHIP_STOPPER+ |
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | Development | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 831400 | ||
Description
Ralf Haferkamp
2013-02-19 09:03:53 UTC
can you give the content of /var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage* ?

Here you are:

    # l /var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage*
    -rw-r--r-- 1 root root 129 Feb 18 13:52 /var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage.pkla
    # cat /var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage.pkla
    [org.libvirt.unix.manage]
    Identity=unix-group:*
    Action=org.libvirt.unix.manage
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes

the whole localauthority backend (that we use here) got thrown away during development and we failed to notice

helpful hint now "you can just implement this in JavaScript". Will see that I can do this in the next days. :(

there are two ways, either generate the javascript code from set_polkit_default_privs or write javascript code that parses the files itself. I guess the latter is harder but would be more correct.

hmm, or patch src/polkitbackend/polkitbackendjsauthority.c polkit_backend_js_authority_check_authorization_sync()

Settings overwritten that were not enforced in last betas:

    de.berlios.smb4k.mounthelper.mount yes -> auth_admin_keep
    de.berlios.smb4k.mounthelper.unmount yes -> auth_admin_keep
    org.freedesktop.consolekit.system.stop-multiple-users auth_admin_keep -> yes
    org.freedesktop.consolekit.system.restart-multiple-users auth_admin_keep -> yes
    org.freedesktop.login1.inhibit-block-shutdown yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-delay-shutdown yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-block-sleep yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-delay-sleep yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-block-idle yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-handle-power-key yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-handle-suspend-key yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-handle-hibernate-key yes -> auth_admin_keep
    org.freedesktop.login1.inhibit-handle-lid-switch yes -> auth_admin_keep
    org.freedesktop.login1.power-off-multiple-sessions auth_admin_keep -> yes
    org.freedesktop.login1.reboot-multiple-sessions auth_admin_keep -> yes
    org.freedesktop.ModemManager.Device.Control auth_self_keep -> yes
    org.freedesktop.ModemManager.USSD yes -> auth_admin
    org.freedesktop.NetworkManager.sleep-wake no -> yes
    org.freedesktop.NetworkManager.wifi.share.protected yes -> auth_admin
    org.freedesktop.NetworkManager.wifi.share.open yes -> auth_admin
    org.freedesktop.packagekit.system-network-proxy-configure yes -> auth_admin_keep
    org.freedesktop.timedate1.set-timezone auth_admin_keep -> yes
    org.freedesktop.udisks2.rescan yes -> auth_admin_keep
    org.freedesktop.udisks2.ata-check-power yes -> auth_admin_keep
    org.freedesktop.udisks2.ata-standby yes -> auth_admin_keep
    org.freedesktop.udisks2.cancel-job yes -> auth_admin_keep
    org.opensuse.cupspkhelper.mechanism.job-edit yes -> auth_admin_keep

especially the login1 and udisk2 we can't start testing with RC2 ;(

I've hacked generating js code into chkstat-polkit. Needs some testing of course. I did not modify the privileges (except for some mistakes in .restrictive).

This is an autogenerated message for OBS integration: This bug (804376) was mentioned in
https://build.opensuse.org/request/show/155990 Factory / polkit-default-privs

This is an autogenerated message for OBS integration: This bug (804376) was mentioned in
https://build.opensuse.org/request/show/156059 Factory / polkit-default-privs
https://build.opensuse.org/request/show/156061 Factory / polkit-default-privs

*** Bug 796059 has been marked as a duplicate of this bug. ***

as discussed in IRC and off-line I've submitted a polkit-default-privs that sets the inhibit rules to upstream defaults. I've also added a requirement to libmozjs as otherwise polkit won't actually apply the policy.

This is an autogenerated message for OBS integration: This bug (804376) was mentioned in
https://build.opensuse.org/request/show/156660 Factory / polkit-default-privs
https://build.opensuse.org/request/show/156661 Maintenance /

This is an autogenerated message for OBS integration: This bug (804376) was mentioned in
https://build.opensuse.org/request/show/156711 Factory / polkit-default-privs
https://build.opensuse.org/request/show/156712 Maintenance /

openSUSE-RU-2013:0366-1: An update that has one recommended fix can now be installed.
Category: recommended (low)
Bug References: 804376
CVE References:
Sources used:
openSUSE 12.3 (src): polkit-default-privs-12.3-6.11.1

Helpfully coming at us a couple of months late:
http://lists.fedoraproject.org/pipermail/devel/2013-May/182579.html
https://git.fedorahosted.org/cgit/polkit-pkla-compat.git/

Do we need another report for Factory? E.g. /etc/polkit-1/rules-d/90-default-privs:

    'org.freedesktop.login1.suspend': [ 'auth_admin', 'auth_admin', 'auth_admin' ],

Both suspending within KDE session and

    qdbus --system org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager.Suspend true

does *not* ask for password:

    pkaction --action-id org.freedesktop.login1.suspend --verbose
    org.freedesktop.login1.suspend:
      description: Suspend the system
      message: Authentication is required for suspending the system.
      vendor: The systemd Project
      vendor_url: http://www.freedesktop.org/wiki/Software/systemd
      icon:
      implicit any: auth_admin_keep
      implicit inactive: auth_admin_keep
      implicit active: yes

rpm -qf /etc/polkit-1/rules-d/90-default-privs

is this your own file?

(In reply to comment #18)
> rpm -qf /etc/polkit-1/rules-d/90-default-privs

    rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules
    polkit-default-privs-13.1-192.2.noarch

    i | polkit-default-privs | package | 13.1-192.2 | noarch | Base_System

> is this your own file?

Not sure i understand the question :-) I've tried both changing polkit-default-privs.standard and adding auth_admin to polkit-default-privs.local, with the same result...

hmm, it should get evaluated... perhaps we again miss the javascript library... can you run:

    rpm -qa|grep mozjs

Sure, i have both:

    libmozjs185-1_0-1.8.5-3.53.x86_64
    libmozjs-17_0-17.0-2.4.x86_64

I use opensuse 13.1 and here set_polkit_default_privs doesn't work. I've added the following line to /etc/polkit-default-privs.local

    org.freedesktop.udisks2.filesystem-mount auth_admin:auth_admin:yes

but after executing set_polkit_default_privs I have the following result from pkaction command:

    pkaction --action-id org.freedesktop.udisks2.filesystem-mount-system --verbose
    org.freedesktop.udisks2.filesystem-mount-system:
      description: Mount a filesystem on a system device
      message: Authentication is required to mount the filesystem
      vendor: The udisks Project
      vendor_url: http://udisks.freedesktop.org/
      icon: drive-removable-media
      implicit any: auth_admin
      implicit inactive: auth_admin
      implicit active: auth_admin_keep

I think the bug should be reopened or a new bug should be filed for 13.1

I've done a cut and paste error, the line in /etc/polkit-default-privs.local is:

    org.freedesktop.udisks2.filesystem-mount-system auth_admin:auth_admin:yes

After more investigation the changes done to /etc/polkit-default-privs.local are correctly applied to the system (after executing set_polkit_default_privs) but pkaction shows the wrong permissions. This is a bug in pkaction or I've misunderstood pkaction's behavior?

it is actually a design issue I think. as far as I remember, pkaction does not evaluate the javascript polkit rules, these are only applied once you actually try to do the action.

Thanks for your reply. Unfortunately this makes pkaction useless, I hope polkit developers will correct this bug.
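
The thread discusses two things: generating JavaScript rules from the polkit-default-privs files, and pkaction reporting only the implicit values rather than what the rules decide. The sketch below is an added example, not the code chkstat-polkit generates and not part of the bug report; it shows one way a privs table can be turned into a polkit rule. The names `parsePrivs`, `decide`, `SAMPLE_PRIVS` and `TABLE` are hypothetical, the sample lines are constructed from values quoted in the thread, and treating a single value as applying to all three columns is an assumption.

```javascript
// Added illustration, not the rules file that chkstat-polkit generates.
// Constructed sample in /etc/polkit-default-privs.local syntax:
//   <action-id> <any>:<inactive>:<active>
var SAMPLE_PRIVS = [
  '# comments and blank lines are skipped',
  'org.freedesktop.udisks2.filesystem-mount-system auth_admin:auth_admin:yes',
  'org.freedesktop.login1.suspend                  auth_admin'
].join('\n');

var VALID = ['yes', 'no', 'auth_self', 'auth_self_keep',
             'auth_admin', 'auth_admin_keep'];

// Parse privs lines into { actionId: [any, inactive, active] }.
// Assumption: a single value applies to all three session classes.
function parsePrivs(text) {
  var table = {};
  text.split('\n').forEach(function (raw) {
    var line = raw.replace(/#.*/, '').trim();
    if (!line) return;
    var fields = line.split(/\s+/);
    var vals = (fields[1] || '').split(':');
    if (vals.length === 1) vals = [vals[0], vals[0], vals[0]];
    var ok = vals.length === 3 &&
             vals.every(function (v) { return VALID.indexOf(v) !== -1; });
    if (!ok) throw new Error('bad privilege spec for ' + fields[0]);
    table[fields[0]] = vals;
  });
  return table;
}

// Column choice: any = non-local session, inactive = local but inactive,
// active = local and active. Returns null for unlisted actions so polkit
// falls through to later rules and the .policy implicit defaults.
function decide(table, actionId, subject) {
  if (!Object.prototype.hasOwnProperty.call(table, actionId)) return null;
  var vals = table[actionId];
  if (!subject.local) return vals[0];
  return subject.active ? vals[2] : vals[1];
}

var TABLE = parsePrivs(SAMPLE_PRIVS);

// The global `polkit` exists only inside polkitd; the guard lets the same
// file run under Node for testing.
if (typeof polkit !== 'undefined') {
  polkit.addRule(function (action, subject) {
    return decide(TABLE, action.id, subject);
  });
}
```

Because the decision is made inside the rule function at authorization time, the `implicit any/inactive/active` values printed by pkaction can differ from what the table enforces, which is the behaviour described in the last comments.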