<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
</head>
<body>
<div>
<div>
<div dir="ltr" style="">No, this is a recipe im yocto kirkstone release which you can verify here <a rel="noreferrer noopener" href="https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/polkit" style="">https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/polkit</a>.
The yocto team has added this patch for duktape and as I said with it our polkit rules are not working.</div>
<div dir="ltr" style=""><br>
</div>
<div dir="ltr" style="">BR</div>
<div dir="ltr" style="">Piotr</div>
</div>
<div id="ms-outlook-mobile-signature">
<div><br>
</div>
Pobierz aplikację <a href="https://aka.ms/o0ukef">Outlook dla systemu iOS</a></div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>Od:</b> Jan Rybar <jrybar@redhat.com><br>
<b>Wysłane:</b> Wednesday, June 8, 2022 4:27:34 PM<br>
<b>Do:</b> Piotr Łobacz <piotr.lobacz@vm.pl><br>
<b>DW:</b> polkit-devel@lists.freedesktop.org <polkit-devel@lists.freedesktop.org><br>
<b>Temat:</b> Re: polkit rules are no longer working</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div dir="ltr">
<div>Hello again,</div>
<div></div>
</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Wed, Jun 8, 2022 at 12:34 PM Piotr Łobacz <<a href="mailto:piotr.lobacz@vm.pl">piotr.lobacz@vm.pl</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="margin:0px; font-size:12pt">Hi,</span>
<div style="margin:0px; font-size:12pt">So, this is a bug in yocto not polkit. Btw. I was just writting to you now, that I have switched from duktape to mozjs and yes, it started to work for me back again. I think I should write to open embedded about this
issue.</div>
</div>
</div>
</blockquote>
<div>This is an important message BTW. How did you make polkit incorporated in 0.119? Did you apply the patch from upstream? Was polkit configured to use duktape during build and then it didn't work?</div>
<div><br>
</div>
<div>Thanks for info.<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt"><br>
</div>
<span style="margin:0px; font-size:12pt">BR,</span></div>
<div id="x_gmail-m_-4146838241616838056appendonsend"></div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_-4146838241616838056divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>Od:</b> Jan Rybar <<a href="mailto:jrybar@redhat.com" target="_blank">jrybar@redhat.com</a>><br>
<b>Wysłane:</b> środa, 8 czerwca 2022 12:29<br>
<b>Do:</b> Piotr Łobacz <<a href="mailto:piotr.lobacz@vm.pl" target="_blank">piotr.lobacz@vm.pl</a>><br>
<b>DW:</b> <a href="mailto:polkit-devel@lists.freedesktop.org" target="_blank">polkit-devel@lists.freedesktop.org</a> <<a href="mailto:polkit-devel@lists.freedesktop.org" target="_blank">polkit-devel@lists.freedesktop.org</a>><br>
<b>Temat:</b> Re: polkit rules are no longer working</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
</div>
<br>
<div>
<div dir="ltr">On Wed, Jun 8, 2022 at 10:41 AM Piotr Łobacz <<a href="mailto:piotr.lobacz@vm.pl" target="_blank">piotr.lobacz@vm.pl</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi Jan, All,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
sorry for late response, but it was quite a challenge for me to backport old polkit 0.116 from yocto 3.4 with mozjs dependency (it demands version 0.60 and in kirkstone the lowest is 0.78). More over i had to add fixes for 0.60 in order to compile it with python
3.10 (in later yocto it was 3.8). But fortunately I have succeded and I can confirm that our rules are working.</div>
</div>
</blockquote>
<div>I needed to know whether polkit-0.118 or 0.117 break the functionality, but I can test that with modified rules file of your on Fedora once I find some time.<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Now the biggest difference which I have noticed is that polkit recipe has switched from mozjs to duktape and I have no idea it if implies in any way. <span lang="en"><span><span>Also, I haven't checked the other versions between 0.116 and 0.119.</span></span></span></div>
</div>
</blockquote>
<div>Duktape is not present in 0.119 yet. Changing mozjs version and one CVE fixup in dbus communication are the biggest changes in those.</div>
<div><br>
</div>
<div>Cheers.<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span lang="en"><span><span><br>
</span></span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span lang="en"><span><span>BR</span></span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span lang="en"><span><span>Piotr Lobacz</span></span></span></div>
<div id="x_gmail-m_-4146838241616838056x_gmail-m_-1390340501845672131appendonsend">
</div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_-4146838241616838056x_gmail-m_-1390340501845672131divRplyFwdMsg" dir="ltr">
<font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>Od:</b> polkit-devel <<a href="mailto:polkit-devel-bounces@lists.freedesktop.org" target="_blank">polkit-devel-bounces@lists.freedesktop.org</a>> w imieniu użytkownika Piotr Łobacz <<a href="mailto:piotr.lobacz@vm.pl" target="_blank">piotr.lobacz@vm.pl</a>><br>
<b>Wysłane:</b> wtorek, 7 czerwca 2022 13:37<br>
<b>Do:</b> Jan Rybar <<a href="mailto:jrybar@redhat.com" target="_blank">jrybar@redhat.com</a>><br>
<b>DW:</b> <a href="mailto:polkit-devel@lists.freedesktop.org" target="_blank">polkit-devel@lists.freedesktop.org</a> <<a href="mailto:polkit-devel@lists.freedesktop.org" target="_blank">polkit-devel@lists.freedesktop.org</a>><br>
<b>Temat:</b> Re: polkit rules are no longer working</font>
<div> </div>
</div>
<div>
<div>
<div>
<div dir="ltr">Hi Jan,</div>
<div dir="ltr">First thx for quick answer. I am currently out, but I will try to do all the test in the evening and get back to you with all the informations.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">BR</div>
<div dir="ltr">Piotr Lobacz</div>
</div>
<div id="x_gmail-m_-4146838241616838056x_gmail-m_-1390340501845672131x_ms-outlook-mobile-signature">
<div><br>
</div>
Pobierz aplikację <a href="https://aka.ms/o0ukef" target="_blank">Outlook dla systemu iOS</a></div>
</div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_-4146838241616838056x_gmail-m_-1390340501845672131x_divRplyFwdMsg" dir="ltr">
<font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>Od:</b> Jan Rybar <<a href="mailto:jrybar@redhat.com" target="_blank">jrybar@redhat.com</a>><br>
<b>Wysłane:</b> Tuesday, June 7, 2022 12:41:46 PM<br>
<b>Do:</b> Piotr Łobacz <<a href="mailto:piotr.lobacz@vm.pl" target="_blank">piotr.lobacz@vm.pl</a>><br>
<b>DW:</b> <a href="mailto:polkit-devel@lists.freedesktop.org" target="_blank">polkit-devel@lists.freedesktop.org</a> <<a href="mailto:polkit-devel@lists.freedesktop.org" target="_blank">polkit-devel@lists.freedesktop.org</a>><br>
<b>Temat:</b> Re: polkit rules are no longer working</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div>Hello,</div>
<div><br>
</div>
<div>I'm not aware of anything apparent that should affect that. AFAIK mozjs changed IIRC twice between those versions and then there was a vulnerability mitigation.
<br>
</div>
<div>Can you please provide outputs from journal? <br>
</div>
<div>Also, do you happen to have an option to downgrade to 0.118 or lower to determine the version to blame?</div>
<div><br>
</div>
<div>In case of further questions, don't hesitate to reach out to me.<br>
</div>
<div>Thanks.</div>
<div><br>
</div>
<div>Jan Rybar<br>
</div>
</div>
<br>
<div>
<div dir="ltr">On Tue, Jun 7, 2022 at 12:07 PM Piotr Łobacz <<a href="mailto:piotr.lobacz@vm.pl" target="_blank">piotr.lobacz@vm.pl</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi all,</div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I am facing an issue with polkit rules for pkexec. Currently when i try to run an application with pkexec command I'm facing an error:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Jun 07 09:46:06 eg pkexec[59699]: test: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/root] [COMMAND=/usr/sbin/nft]<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
the rule for this to be run, looks like this:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div>polkit.addRule(function(action, subject) {</div>
<div> user_app = [</div>
<div> '/bin/chmod',</div>
<div> '/bin/chown',</div>
<div> '/bin/rm',</div>
<div> '/sbin/ifconfig',</div>
<div> '/sbin/route',</div>
<div> '/usr/sbin/update-ca-certificates',</div>
<div> '/usr/bin/hostnamectl',</div>
<div> '/usr/bin/iotedge',</div>
<div> '/usr/bin/swupdate',</div>
<div> '/usr/bin/timedatectl',</div>
<div> '/usr/sbin/dmidecode',</div>
<div> '/usr/sbin/eg_reboot',</div>
<div> '/usr/sbin/factory_reset',</div>
<div> '/usr/sbin/grub_console',</div>
<div> '/usr/sbin/nft',</div>
<div> '/usr/sbin/read_admin_keys',</div>
<div> '/usr/sbin/useradd',</div>
<div> '/usr/sbin/userdel'</div>
<div>];</div>
<div> if (<a href="http://action.id" target="_blank">action.id</a> == "org.freedesktop.policykit.exec" && subject.user == "tes" && user_app.includes(action.lookup("program"))) {</div>
<div> return polkit.Result.YES;</div>
<div>}</div>
<div>});</div>
<div><br>
</div>
<div>and is stored in /etc/polkit-1/rules.d/30-sbin-test.rules. This was all working before, with polkit 0.116, but now we have switched to newer yocto 4.0 and there is polkit 0.119, with which it stopped working for us. Does something has changed in the polkitd
service and I'm missing it?</div>
<div><br>
</div>
<div>BR</div>
<div>Piotr</div>
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="x_gmail-m_-4146838241616838056x_gmail-m_-1390340501845672131x_x_gmail-m_5933154902259098843Signature">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</body>
</html>