polkit rules are no longer working

Jan Rybar jrybar at redhat.com
Wed Jun 8 10:29:58 UTC 2022


Hi,


On Wed, Jun 8, 2022 at 10:41 AM Piotr Łobacz <piotr.lobacz at vm.pl> wrote:

> Hi Jan, All,
> sorry for the late response, but it was quite a challenge for me to backport
> old polkit 0.116 from yocto 3.4 with mozjs dependency (it demands version
> 0.60 and in kirkstone the lowest is 0.78). Moreover, I had to add fixes for
> 0.60 in order to compile it with python 3.10 (in later yocto it was 3.8).
> But fortunately I have succeeded and I can confirm that our rules are
> working.
>
I needed to know whether polkit-0.118 or 0.117 breaks the functionality, but
I can test that with a modified rules file of yours on Fedora once I find some
time.

>
> Now the biggest difference which I have noticed is that the polkit recipe has
> switched from mozjs to duktape and I have no idea if it has implications in any way. Also,
> I haven't checked the other versions between 0.116 and 0.119.
>
Duktape is not present in 0.119 yet. Changing mozjs version and one CVE
fixup in dbus communication are the biggest changes in those.

Cheers.

>
> BR
> Piotr Lobacz
> ------------------------------
> *From:* polkit-devel <polkit-devel-bounces at lists.freedesktop.org> on behalf of
> Piotr Łobacz <piotr.lobacz at vm.pl>
> *Sent:* Tuesday, 7 June 2022 13:37
> *To:* Jan Rybar <jrybar at redhat.com>
> *Cc:* polkit-devel at lists.freedesktop.org <
> polkit-devel at lists.freedesktop.org>
> *Subject:* Re: polkit rules are no longer working
>
> Hi Jan,
> First thx for the quick answer. I am currently out, but I will try to do all
> the tests in the evening and get back to you with all the information.
>
> BR
> Piotr Lobacz
>
> ------------------------------
> *From:* Jan Rybar <jrybar at redhat.com>
> *Sent:* Tuesday, June 7, 2022 12:41:46 PM
> *To:* Piotr Łobacz <piotr.lobacz at vm.pl>
> *Cc:* polkit-devel at lists.freedesktop.org <
> polkit-devel at lists.freedesktop.org>
> *Subject:* Re: polkit rules are no longer working
>
> Hello,
>
> I'm not aware of anything apparent that should affect that. AFAIK mozjs
> changed IIRC twice between those versions and then there was a
> vulnerability mitigation.
> Can you please provide outputs from journal?
> Also, do you happen to have an option to downgrade to 0.118 or lower to
> determine the version to blame?
>
> In case of further questions, don't hesitate to reach out to me.
> Thanks.
>
> Jan Rybar
>
> On Tue, Jun 7, 2022 at 12:07 PM Piotr Łobacz <piotr.lobacz at vm.pl> wrote:
>
> Hi all,
> I am facing an issue with polkit rules for pkexec. Currently when I try to
> run an application with the pkexec command I'm facing an error:
>
> Jun 07 09:46:06 eg pkexec[59699]: test: Error executing command as another
> user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/root]
> [COMMAND=/usr/sbin/nft]
>
> the rule for this to be run, looks like this:
>
> polkit.addRule(function(action, subject) {
>     user_app = [
>         '/bin/chmod',
>         '/bin/chown',
>         '/bin/rm',
>         '/sbin/ifconfig',
>         '/sbin/route',
>         '/usr/sbin/update-ca-certificates',
>         '/usr/bin/hostnamectl',
>         '/usr/bin/iotedge',
>         '/usr/bin/swupdate',
>         '/usr/bin/timedatectl',
>         '/usr/sbin/dmidecode',
>         '/usr/sbin/eg_reboot',
>         '/usr/sbin/factory_reset',
>         '/usr/sbin/grub_console',
>         '/usr/sbin/nft',
>         '/usr/sbin/read_admin_keys',
>         '/usr/sbin/useradd',
>         '/usr/sbin/userdel'
>     ];
>     if (action.id == "org.freedesktop.policykit.exec" &&
>         subject.user == "tes" &&
>         user_app.includes(action.lookup("program"))) {
>         return polkit.Result.YES;
>     }
> });
>
> and is stored in /etc/polkit-1/rules.d/30-sbin-test.rules. This was all
> working before, with polkit 0.116, but now we have switched to newer yocto
> 4.0 and there is polkit 0.119, with which it stopped working for us. Has
> something changed in the polkitd service and I'm missing it?
>
> BR
> Piotr
>
>
>
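
Added example, not part of the original thread and not polkit's own code: a small Node.js harness that loads a rules file's source against a stand-in `polkit` object and shows which requests the rule quoted above decides. The names `loadRules`, `evaluate`, `check` and the shortened allowlist are assumptions made for this sketch.

```javascript
// Stand-in for the `polkit` global that polkitd hands to a rules file. Only the
// members used by the rule in this thread are modelled (harness assumption).
function loadRules(source) {
  const rules = [];
  const polkit = {
    Result: { YES: 'yes', NO: 'no', NOT_HANDLED: 'not_handled' },
    addRule: (fn) => rules.push(fn),
    log: () => {},
  };
  // new Function() bodies run in sloppy mode, so the rule's undeclared
  // `user_app = [...]` assignment works here as written.
  new Function('polkit', source)(polkit);
  return rules;
}

// Ask the rules in order; the first one that returns a value decides.
function evaluate(rules, request) {
  const action = {
    id: request.actionId,
    lookup: (key) => request.details[key],
  };
  const subject = { user: request.user };
  for (const rule of rules) {
    try {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) return result;
    } catch (err) {
      // Harness choice: report the exception instead of hiding it.
      return 'error: ' + err.message;
    }
  }
  return 'not_handled';
}

// Constructed sample: the rule from the thread with a shortened allowlist.
const RULE_SOURCE = `
polkit.addRule(function(action, subject) {
    user_app = ['/sbin/ifconfig', '/usr/sbin/nft', '/usr/sbin/useradd'];
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.user == "tes" &&
        user_app.includes(action.lookup("program"))) {
        return polkit.Result.YES;
    }
});`;

const PKEXEC = 'org.freedesktop.policykit.exec';
function check(user, program, actionId = PKEXEC) {
  return evaluate(loadRules(RULE_SOURCE), { actionId, user, details: { program } });
}
```

The rule compares the program path as an exact string, so only the listed absolute paths for the named user return `yes`; every other request is left undecided by this rule.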