[Bug 541258] New: polkit causes suspend key to lock screen then ask for suspend permission
http://bugzilla.novell.com/show_bug.cgi?id=541258 Summary: polkit causes suspend key to lock screen then ask for suspend permission Classification: openSUSE Product: openSUSE 11.2 Version: Factory Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: GNOME AssignedTo: lnussel@novell.com ReportedBy: bphilips@novell.com QAContact: qa@suse.de CC: kasievers@novell.com, zeuthen@gmail.com Found By: --- Created an attachment (id=319406) --> (http://bugzilla.novell.com/attachment.cgi?id=319406) Polkit prompt after unlocking the screen Steps to reproduce on Thinkpad x200s running Factory: 1) Press suspend key on the laptop 2) Screensaver launches and locks the screen, laptop does not suspend 3) Type in password to unlock screen saver 4) Polkit Authenticate asks for password to suspend 5) Type in password to suspend 6) Resume and the screensaver is not locked h This is the initial bug. Factory will suspend only after unlocking the screen and after typing in a password. Then the machine resumes with an unlocked screen. David Zeuthen looked at my system and found this odd policy is being set by /var/lib/polkit-1/localauthority/10-vendor.d files. These files seem to be generated by /sbin/chkstat-polkit in the polkit-default-privs. How did I get such a restrictive set of policies out of this tool by using a default Factory install? Problems I see: 1) This policy of locking the screen and then asking for a password would never make sense and makes screen locking on suspend pointless 2) None of these files in /var/lib/polkit-1/localauthority/10-vendor.d are owned by a package so it was a bit unclear where they were coming from Thanks, Brandon -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=541258
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c1
Ludwig Nussel
These files seem to be generated by /sbin/chkstat-polkit in the polkit-default-privs. How did I get such a restrictive set of policies out of this tool by using a default Factory install?
I don't know. AFAIK yast/the product definition file is responsible for setting the default privilege setting. Check PERMISSION_SECURITY and POLKIT_DEFAULT_PRIVS in /etc/sysconfig/security. Default normally is 'easy' resp 'standard' which allows org.freedesktop.devicekit.power.suspend on the active console. If your setting isn't easy/standard attach yast logs and reassign to yast. If the setting is correct, check wheter you are on the active console (ck-list-session).
1) This policy of locking the screen and then asking for a password would never make sense and makes screen locking on suspend pointless
That's a separate bug that needs to be filed for whatever program is responsible for that behavior.
2) None of these files in /var/lib/polkit-1/localauthority/10-vendor.d are owned by a package so it was a bit unclear where they were coming from
They are created on the fly so adding the files to the spec file probably doesn't make too much sense. The directories should actually be provided by polkit itself but I could add it to polkit-default-privs as well. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c2
Brandon Philips
(In reply to comment #0)
These files seem to be generated by /sbin/chkstat-polkit in the polkit-default-privs. How did I get such a restrictive set of policies out of this tool by using a default Factory install?
I don't know. AFAIK yast/the product definition file is responsible for setting the default privilege setting. Check PERMISSION_SECURITY and POLKIT_DEFAULT_PRIVS in /etc/sysconfig/security. Default normally is 'easy' resp 'standard' which allows org.freedesktop.devicekit.power.suspend on the active console.
I have never touched /etc/sysconfig/security before. But, here are the settings I have: PERMISSION_SECURITY="secure" POLKIT_DEFAULT_PRIVS="" After using the yast security tool to set the "Predefined Security Configuration" I get when I use "Home Workstation": PERMISSION_SECURITY="easy local" However, the radio button stays at "Custom Settings" when I relaunch Yast Security.
If your setting isn't easy/standard attach yast logs and reassign to yast. If the setting is correct, check wheter you are on the active console (ck-list-session).
active = TRUE
1) This policy of locking the screen and then asking for a password would never make sense and makes screen locking on suspend pointless
That's a separate bug that needs to be filed for whatever program is responsible for that behavior.
Aren't the policies in /var/lib/polkit-1/localauthority/10-vendor.d creating this behavior? Any clue who this bug should be filed against?
2) None of these files in /var/lib/polkit-1/localauthority/10-vendor.d are owned by a package so it was a bit unclear where they were coming from
They are created on the fly so adding the files to the spec file probably doesn't make too much sense. The directories should actually be provided by polkit itself but I could add it to polkit-default-privs as well.
Since the policies are created and managed by polkit-default-privs it should be added to that package. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c3
--- Comment #3 from Brandon Philips
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c4
--- Comment #4 from Brandon Philips
http://bugzilla.novell.com/show_bug.cgi?id=541258
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c5
Ludwig Nussel
I have never touched /etc/sysconfig/security before. But, here are the settings I have:
PERMISSION_SECURITY="secure" POLKIT_DEFAULT_PRIVS=""
So either the product definition is broken or some mechanism in yast. Please attach y2logs (http://en.opensuse.org/Bugs/YaST).
1) This policy of locking the screen and then asking for a password would never make sense and makes screen locking on suspend pointless
That's a separate bug that needs to be filed for whatever program is responsible for that behavior.
Aren't the policies in /var/lib/polkit-1/localauthority/10-vendor.d creating this behavior?
Sure a restrictive policy triggers this. It's not the fault of the restrictive policy if an application misbehaves though. An admin could set that manually as well.
Any clue who this bug should be filed against?
I'm not sure. I guess the authentication agent wants to show a window but since the screen is locked by a screensaver the window is not actually visible. No idea how that is supposed to work. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=541258
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c6
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c7
--- Comment #7 from Brandon Philips
(In reply to comment #2)
I have never touched /etc/sysconfig/security before. But, here are the settings I have:
PERMISSION_SECURITY="secure" POLKIT_DEFAULT_PRIVS=""
After setting YaST local security to "Home Workstation" I have: PERMISSION_SECURITY="easy local" POLKIT_DEFAULT_PRIVS="" I reboooted after setting this up via YaST. When I press suspend I get the same behavior- screensaver locks, and polkit is asking for root behind it. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=541258
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c8
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=541258
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c9
--- Comment #9 from Ludwig Nussel
After setting YaST local security to "Home Workstation" I have: PERMISSION_SECURITY="easy local" POLKIT_DEFAULT_PRIVS=""
I reboooted after setting this up via YaST. When I press suspend I get the same behavior- screensaver locks, and polkit is asking for root behind it.
you may need to run /sbin/set_polkit_default_privs manually -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c10
--- Comment #10 from Brandon Philips
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c11
--- Comment #11 from Brandon Philips
See Bug 533605 Comment 10.
Doh, I mean See Bug 533605 Comment 9 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c12
--- Comment #12 from Brandon Philips
http://bugzilla.novell.com/show_bug.cgi?id=541258
Brandon Philips
http://bugzilla.novell.com/show_bug.cgi?id=541258
Brandon Philips
http://bugzilla.novell.com/show_bug.cgi?id=541258
User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c13
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=541258
User bphilips@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=541258#c14
--- Comment #14 from Brandon Philips
I've filed a bug for yast2-security
What is the bug number? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com