polkit authentication agent is run even if polkitd authorizes the action without a password (via PAM)
I have a yubikey (a USB dongle to authenticate myself on my computer).
I configured my /etc/pam.d/system-auth like the following, so when my yubikey is plugged in I don't need to type my password to be authenticated:
…
auth required pam_env.so
auth sufficient pam_yubico.so mode=challenge-response
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
…
(So I can run sudo commands without a password prompt.)
When I use pkexec (or any command using polkit, e.g. systemctl), the gnome polkit authentication prompt is not displayed, and the command is run as intended.
max@host % pkexec whoami
root
But then, if I lock/unlock my session, the prompt is displayed, but I can't type any password nor make it disappear, which is very annoying since it will always stay in front of all the other applications.
I tried with the following polkit rule, and the prompt did not appear. So the bug seems to be triggered only when polkit relies on PAM to allow/deny the action.
max@host % sudo cat /etc/polkit-1/rules.d/test.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.policykit.exec" && subject.user == "max" && action.lookup("program") == "/usr/bin/whoami") {
        return polkit.Result.YES;
    }
});
How to reproduce
Edit your /etc/pam.d/system-auth and add auth sufficient pam_permit.so before auth required pam_unix.so:
…
auth required pam_env.so
auth sufficient pam_permit.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
…
Run pkexec whoami, lock your session (loginctl lock-session) and unlock it.
The "authentication is needed" prompt should appear at the top left corner of the screen.
Further information
pkexec seems to ask polkitd, which asks gnome-shell, which uses the following to perform authentication:
performAuthentication() {
    this._destroySession();
    this._session = new PolkitAgent.Session({ identity: this._identityToAuth,
                                              cookie: this._cookie });
    this._sessionCompletedId = this._session.connect('completed', this._onSessionCompleted.bind(this));
    this._sessionRequestId = this._session.connect('request', this._onSessionRequest.bind(this));
    this._sessionShowErrorId = this._session.connect('show-error', this._onSessionShowError.bind(this));
    this._sessionShowInfoId = this._session.connect('show-info', this._onSessionShowInfo.bind(this));
    this._session.initiate();
}
This bug is a UI bug.
Here is the result of a pkexec whoami (I added a log('toto: …') at the start of each js/ui/components/polkitAgent.js function):
juil. 29 16:36:48 mde-oxalide org.gnome.Shell.desktop[8686]: ShellPolkitAuthenticationAgent: 16:36:48.616: SCHEDULING org.freedesktop.policykit.exec cookie 7-8e866dd7d34d873deaf151f2906bd3ca-1-6eb87dc28e0f4904126b0fe276952441
juil. 29 16:36:48 mde-oxalide org.gnome.Shell.desktop[8686]: ShellPolkitAuthenticationAgent: 16:36:48.616: MAYBE_PROCESS cur=(nil) len(scheduled)=1
juil. 29 16:36:48 mde-oxalide org.gnome.Shell.desktop[8686]: ShellPolkitAuthenticationAgent: 16:36:48.616: INITIATING org.freedesktop.policykit.exec cookie 7-8e866dd7d34d873deaf151f2906bd3ca-1-6eb87dc28e0f4904126b0fe276952441
juil. 29 16:36:48 mde-oxalide gnome-shell[8686]: toto: _onInitiate
juil. 29 16:36:48 mde-oxalide gnome-shell[8686]: toto: _onUserChanged
juil. 29 16:36:48 mde-oxalide gnome-shell[8686]: toto: performAuthentication
juil. 29 16:36:48 mde-oxalide gnome-shell[8686]: toto: _destroySession
juil. 29 16:36:49 mde-oxalide kernel: input: Yubico Yubico Yubikey II as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1050:0010.000E/input/input44
juil. 29 16:36:49 mde-oxalide kernel: hid-generic 0003:1050:0010.000E: input,hidraw0: USB HID v1.11 Keyboard [Yubico Yubico Yubikey II] on usb-0000:00:14.0-1/input0
juil. 29 16:36:49 mde-oxalide gnome-shell[8686]: toto: _onSessionCompleted
juil. 29 16:36:49 mde-oxalide gnome-shell[8686]: toto: _emitDone
juil. 29 16:36:49 mde-oxalide gnome-shell[8686]: toto: _onDialogDone
juil. 29 16:36:49 mde-oxalide gnome-shell[8686]: toto: _completeRequest
juil. 29 16:36:49 mde-oxalide org.gnome.Shell.desktop[8686]: ShellPolkitAuthenticationAgent: 16:36:49.210: COMPLETING CURRENT org.freedesktop.policykit.exec cookie 7-8e866dd7d34d873deaf151f2906bd3ca-1-6eb87dc28e0f4904126b0fe276952441
juil. 29 16:36:49 mde-oxalide org.gnome.Shell.desktop[8686]: ShellPolkitAuthenticationAgent: 16:36:49.212: MAYBE_PROCESS cur=(nil) len(scheduled)=0
juil. 29 16:36:49 mde-oxalide polkitd[582]: Operator of unix-session:8 successfully authenticated as unix-user:max to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:9246:235788 [-zsh] (owned by unix-user:max)
juil. 29 16:36:49 mde-oxalide pkexec[9431]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
juil. 29 16:36:49 mde-oxalide pkexec[9431]: max: Executing command [USER=root] [TTY=/dev/pts/3] [CWD=/home/max] [COMMAND=/usr/bin/whoami]
Then when I lock/unlock my session I didn't get any gnome-shell log except this one:
juil. 29 16:37:40 mde-oxalide gnome-shell[8686]: Could not delete runtime/persistent state file: Error deleting file /run/user/1000/gnome-shell/runtime-state-LE.:0/screenShield.locked : No such file or directory
Yet the prompt only appears when I unlock my session, not before.
The most annoying thing is that this dialog can't be made to disappear without terminating my session.
(Note: I use Wayland.)
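As an added example (not part of this bug report, and not GNOME or Linux-PAM code), the following Python script models the PAM control-flag semantics behind the two auth stacks quoted above, so you can see which modules actually run before polkitd receives a success from PAM. With the yubikey stack, a present key answers the auth phase on its own and pam_unix.so is never consulted; with the reproduce stack, `sufficient pam_permit.so` does the same for everyone, which is why that stack belongs only on a throwaway test system. The evaluator is a deliberately simplified model (required/requisite/sufficient/optional only; no include, substack or [value=action] syntax), and the per-module result tables are constructed inputs.

```python
"""Simplified model of Linux-PAM control-flag semantics for the auth phase.

Added example, not part of the original bug report. It models only the
simple control keywords (required, requisite, sufficient, optional) and
ignores 'include', 'substack' and the bracketed [value=action] syntax, so
it is a teaching model of how the quoted stacks behave, not a substitute
for pam.conf(5).
"""
from dataclasses import dataclass

# Constructed inputs: the two auth stacks quoted in the bug report.
YUBIKEY_STACK = """
auth required pam_env.so
auth sufficient pam_yubico.so mode=challenge-response
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
"""

REPRO_STACK = """
auth required pam_env.so
auth sufficient pam_permit.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass
class Entry:
    control: str
    module: str


def parse_stack(text, phase="auth"):
    """Return the entries of one management group (default 'auth'), in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] != phase:
            continue                           # account/password/session lines
        control = fields[1].lower()
        if control not in CONTROLS:
            raise ValueError(f"unsupported control {control!r} in {raw!r}")
        entries.append(Entry(control, fields[2]))
    return entries


def run_auth(entries, results):
    """Walk the stack with the simple control-flag rules.

    results maps module file name -> True (success) / False (failure);
    a module missing from the map is treated as failing (safe default).
    Returns (authenticated, modules_actually_run).
    """
    ran = []
    failed = False                 # set once a required module has failed
    for e in entries:
        ran.append(e.module)
        ok = results.get(e.module, False)
        if e.control == "requisite" and not ok:
            return False, ran      # requisite failure aborts immediately
        if e.control == "required" and not ok:
            failed = True          # keep walking, but the final answer is no
        elif e.control == "sufficient" and ok and not failed:
            return True, ran       # short-circuit: later modules never run
        # optional results are ignored here (they only count when alone)
    return not failed, ran


def password_module_consulted(stack_text, results, module="pam_unix.so"):
    """(authenticated, was the password module ever reached?)"""
    authenticated, ran = run_auth(parse_stack(stack_text), results)
    return authenticated, module in ran


if __name__ == "__main__":
    # pam_env and pam_permit always succeed; the others depend on the user.
    base = {"pam_env.so": True, "pam_permit.so": True}
    key_present = {**base, "pam_yubico.so": True, "pam_unix.so": False}
    key_absent_ok_pw = {**base, "pam_yubico.so": False, "pam_unix.so": True}
    for name, stack, res in [("yubikey, key plugged in", YUBIKEY_STACK, key_present),
                             ("yubikey, key absent + good password", YUBIKEY_STACK, key_absent_ok_pw),
                             ("reproduce stack, wrong password", REPRO_STACK, {**base, "pam_unix.so": False})]:
        auth, asked = password_module_consulted(stack, res)
        print(f"{name}: authenticated={auth}, pam_unix consulted={asked}")
```

Run it as a script to see the three scenarios; the second stack authenticates with pam_unix.so never reached, which is exactly the condition under which polkitd's PAM-backed authorization succeeds without any password being typed.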