polkit authentication agent is run even if polkitd authorizes the action without a password (via PAM)
I have a yubikey (a USB dongle to authenticate myself on my computer).
I configured my /etc/pam.d/system-auth like the following, so when my yubikey is plugged in I don't need to type my password to be authenticated:
…
auth required pam_env.so
auth sufficient pam_yubico.so mode=challenge-response
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
…
(So I can run sudo commands without password prompt)
When I use pkexec (or any command using polkit, e.g. systemctl), the GNOME polkit authentication prompt is not displayed, and the command is run as intended.
max@host % pkexec whoami
root
But then, if I lock/unlock my session, the prompt is displayed, but I can't type any password nor make it disappear. Which is very annoying since it will always be in front of all the other applications.
I tried with the following polkit rule, and the prompt did not appear. So the bug seems to be triggered only when polkit relies on PAM to allow/deny the action.
max@host % sudo cat /etc/polkit-1/rules.d/test.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.policykit.exec" && subject.user == "max" && action.lookup("program") == "/usr/bin/whoami") {
        return polkit.Result.YES;
    }
});
How to reproduce
Edit your /etc/pam.d/system-auth, add auth sufficient pam_permit.so before auth required pam_unix.so:
…
auth required pam_env.so
auth sufficient pam_permit.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
…
Run pkexec whoami, lock your session (loginctl lock-session) and unlock it.
The "authentication is needed" prompt should appear at the top left corner of the screen.
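
The reproduction stack above lets every PAM-backed authentication succeed with no credential at all, while the yubikey stack does not. As an added example (not part of the original report), this Python audit models the four keyword control flags of an auth stack and reports whether it passes when nothing is presented. Assumptions: every module not listed in the two sets fails without a token or password (the nullok empty-password case is ignored), and pam_env.so returns PAM_IGNORE in the auth phase.

```python
"""Added example: does a PAM auth stack succeed when no credential is presented?"""

ALWAYS_OK = {"pam_permit.so"}   # returns success unconditionally
NO_VERDICT = {"pam_env.so"}     # assumption: returns PAM_IGNORE in the auth phase
FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse_auth_stack(text):
    """Return [(control, module)] for 'auth' lines; comments and elisions are skipped."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        if fields[1] not in FLAGS:  # [value=action], include, substack: not modelled
            raise ValueError(f"unsupported control: {fields[1]}")
        stack.append((fields[1], fields[2]))
    return stack

def passes_without_credentials(stack):
    """Simulate the stack with every module outside the two sets failing."""
    positive = failed = False
    for control, module in stack:
        if module in NO_VERDICT:
            continue
        if module in ALWAYS_OK:
            if not failed:          # a success never overrides an earlier failure
                positive = True
                if control == "sufficient":
                    return True     # stack ends here with success
        elif control == "requisite":
            return False            # failure ends the stack immediately
        elif control == "required":
            failed = True           # failure is recorded, stack continues
        # failed 'sufficient' and 'optional' modules are ignored
    return positive and not failed

# Both stacks are copied from the report above, including the elision lines.
YUBIKEY_STACK = """…
auth required pam_env.so
auth sufficient pam_yubico.so mode=challenge-response
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
…"""
REPRO_STACK = YUBIKEY_STACK.replace(
    "auth sufficient pam_yubico.so mode=challenge-response",
    "auth sufficient pam_permit.so")

if __name__ == "__main__":
    for name, text in (("yubikey", YUBIKEY_STACK), ("repro", REPRO_STACK)):
        print(name, passes_without_credentials(parse_auth_stack(text)))
```
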