[Bug 770041] New: PolicyKit pkla rules don't honour unix-group, only unix-user
https://bugzilla.novell.com/show_bug.cgi?id=770041#c0

Summary: PolicyKit pkla rules don't honour unix-group, only unix-user
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: i586
OS/Version: openSUSE 12.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: joerg.steffens@dass-it.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0

pkla rules that use unix-group are not evaluated correctly. The same rule with unix-user works fine.

Reproducible: Always

Steps to Reproduce:
1. Create a group named "noaccess" and add a user to that group, e.g. testuser1
2. Create a pkla file, e.g. /etc/polkit-1/localauthority/30-site.d/org.freedesktop.udisks.filesystem-mount.pkla, with the following contents:

[org.freedesktop.udisks.filesystem-mount]
Identity=unix-group:noaccess
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=no

3. Insert a USB storage device

Actual Results:
The storage device gets mounted.

Expected Results:
When trying to mount the storage device, an error message should appear.

When using the same rule file, but with a unix-user in it, it works for this user:

/etc/polkit-1/localauthority/30-site.d/org.freedesktop.udisks.filesystem-mount.pkla:
[org.freedesktop.udisks.filesystem-mount]
Identity=unix-user:testuser1
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=no

All the default rules are using only unix-group:*.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
--- Comment from kk zhang (https://bugzilla.novell.com/show_bug.cgi?id=770041#c)

--- Comment #1 from Ludwig Nussel (https://bugzilla.novell.com/show_bug.cgi?id=770041#c1)

--- Comment #2 from Joerg Steffens (https://bugzilla.novell.com/show_bug.cgi?id=770041#c2)

--- Comment from Joerg Steffens (https://bugzilla.novell.com/show_bug.cgi?id=770041#c)

--- Comment #3 from Ludwig Nussel (https://bugzilla.novell.com/show_bug.cgi?id=770041#c3)
> Yes, this does help. However, as you know, this file gets regenerated as soon as the command /sbin/set_polkit_default_privs is called. And this command will be called at least as soon as polkit-default-privs gets installed or updated.

Sure. I just wanted to check whether my guess about the cause was right :-)

> There is nothing wrong with this behavior; I'm just wondering that it is not possible to overwrite a PolicyKit rule for a specific group if another rule has already defined a unix-group:* filter.
> I expected PolicyKit to check the rules in a specific order, but for me it seems that the rule with the unix-group:* filter is always chosen, independently of where a more specific group-related rule is specified. In contrast to this, it is possible to overwrite the unix-group:* filter by a user-specific filter.

See man pklocalauthority about the evaluation order. You could try to use a directory that gets sorted before 10-vendor.d (e.g. 05-foobar). The existing directories are not hardcoded, they are just examples.

> Is this behavior of PolicyKit really intended?

Yes and no. Yes because polkit upstream thought that this local authority config thing makes sense. No because polkit-default-privs kind of abuses the method to set defaults. But hey, don't worry. Upstream now finally noticed that the config is too complicated and invented something entirely new! In the future those files are Javascript. \o/ *cough*.

> If yes, the only solution I see is to create a copy of /etc/polkit-default-privs.standard, remove the lines where group-specific rules are wanted, and reference the new file from /etc/sysconfig/security.
> As you are the author of the package, do you have other suggestions?

You can also just modify the generated pkla files in some way. set_polkit_default_privs won't touch them anymore then.
--- Comment #4 from Joerg Steffens (https://bugzilla.novell.com/show_bug.cgi?id=770041#c4)

> You could try to use a directory that gets sorted before 10-vendor.d (e.g. 05-foobar).

I've tried this. This does not work. As soon as a rule has a wildcard filter like unix-group:*, this rule is selected, independent of the paths of the other rules. I also tried to specify the rules in the /etc/polkit-1/localauthority/ as well as in the /var/lib/polkit-1/localauthority/ directory. In my opinion, this is a bug. However, as you reported, PolKit upstream is changing the configuration system anyway, and because of your hint that modified generated pkla files are not overwritten by set_polkit_default_privs, it would be okay for me to close this bug.
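The rule matching argued over in comments #3 and #4 (which .pkla entries a subject's user and group identities hit, and in what order pklocalauthority walks the directories) as an added example. This is not code from the bug report, from polkit or from polkit-default-privs. It assumes the documented pklocalauthority(8) layout: two roots, /var/lib/polkit-1/localauthority processed before /etc/polkit-1/localauthority, subdirectories and files within each root in lexicographic order, and ';'-separated shell-style globs in Identity= and Action=; check those assumptions against the man page on the target system. Because which of several matching entries wins is exactly what the thread disputes, the code lists every matching entry in processing order instead of declaring a winner. The sample tree (SAMPLE_FILES) is constructed for the example; the 10-vendor.d file is a stand-in for a generated unix-group:* default, not the real polkit-default-privs output.

```python
import configparser
import fnmatch
from dataclasses import dataclass

# Assumed processing order of the two localauthority roots (verify in pklocalauthority(8)).
LOCALAUTHORITY_ROOTS = (
    "/var/lib/polkit-1/localauthority",
    "/etc/polkit-1/localauthority",
)
REQUIRED_KEYS = ("Identity", "Action", "ResultAny", "ResultInactive", "ResultActive")
VALID_RESULTS = {"yes", "no", "auth_self", "auth_admin", "auth_self_keep", "auth_admin_keep"}


@dataclass
class PklaEntry:
    source: str        # file the entry came from
    section: str       # the [section] name
    identities: list   # Identity= globs, e.g. ["unix-group:noaccess"]
    actions: list      # Action= globs
    result_any: str
    result_inactive: str
    result_active: str


def _split_globs(value):
    return [g.strip() for g in value.split(";") if g.strip()]


def parse_pkla(path, text):
    """Parse one .pkla file; reject entries with missing keys or unknown results."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: polkit keys are CamelCase
    cp.read_string(text, source=path)
    entries = []
    for section in cp.sections():
        sec = cp[section]
        missing = [k for k in REQUIRED_KEYS if k not in sec]
        if missing:
            raise ValueError(f"{path} [{section}]: missing {', '.join(missing)}")
        for key in REQUIRED_KEYS[2:]:
            if sec[key] not in VALID_RESULTS:
                raise ValueError(f"{path} [{section}]: bad {key}={sec[key]!r}")
        for glob in _split_globs(sec["Identity"]):
            if not glob.startswith(("unix-user:", "unix-group:")):
                raise ValueError(f"{path} [{section}]: unsupported identity {glob!r}")
        entries.append(PklaEntry(path, section, _split_globs(sec["Identity"]),
                                 _split_globs(sec["Action"]), sec["ResultAny"],
                                 sec["ResultInactive"], sec["ResultActive"]))
    return entries


def processing_order(paths):
    """Sort .pkla paths: root order first, then subdirectory/file name lexically."""
    def key(path):
        for index, root in enumerate(LOCALAUTHORITY_ROOTS):
            if path.startswith(root + "/"):
                return (index, path[len(root) + 1:])
        raise ValueError(f"{path} is outside the localauthority roots")
    return sorted(paths, key=key)


def identity_matches(globs, user, groups):
    """True if any unix-user: glob matches the user or any unix-group: glob matches a group."""
    for glob in globs:
        kind, _, pattern = glob.partition(":")
        if kind == "unix-user" and fnmatch.fnmatchcase(user, pattern):
            return True
        if kind == "unix-group" and any(fnmatch.fnmatchcase(g, pattern) for g in groups):
            return True
    return False


def matching_entries(files, user, groups, action):
    """files maps absolute .pkla path -> file text. Returns all matches in processing order."""
    matches = []
    for path in processing_order(files):
        for entry in parse_pkla(path, files[path]):
            if identity_matches(entry.identities, user, groups) and \
               any(fnmatch.fnmatchcase(action, a) for a in entry.actions):
                matches.append(entry)
    return matches


# Constructed sample tree modelled on the report (not real system files).
SAMPLE_FILES = {
    "/etc/polkit-1/localauthority/10-vendor.d/org.freedesktop.udisks.pkla": (
        "[udisks defaults]\nIdentity=unix-group:*\n"
        "Action=org.freedesktop.udisks.*\n"
        "ResultAny=yes\nResultInactive=yes\nResultActive=yes\n"),
    "/etc/polkit-1/localauthority/30-site.d/org.freedesktop.udisks.filesystem-mount.pkla": (
        "[org.freedesktop.udisks.filesystem-mount]\nIdentity=unix-group:noaccess\n"
        "Action=org.freedesktop.udisks.filesystem-mount\n"
        "ResultAny=no\nResultInactive=no\nResultActive=no\n"),
    "/etc/polkit-1/localauthority/50-local.d/testuser1.pkla": (
        "[testuser1 no mount]\nIdentity=unix-user:testuser1\n"
        "Action=org.freedesktop.udisks.filesystem-mount\n"
        "ResultAny=no\nResultInactive=no\nResultActive=no\n"),
}

if __name__ == "__main__":
    for e in matching_entries(SAMPLE_FILES, "testuser1", ["users", "noaccess"],
                              "org.freedesktop.udisks.filesystem-mount"):
        print(f"{e.source}: {e.identities} -> ResultActive={e.result_active}")
```

For testuser1 the listing shows three matching entries, the vendor-level unix-group:* one first; the thread's disagreement is about which of them polkit actually applies, so the listing is a map of the candidates, not a verdict. On a real system the authoritative check is to run, as the affected user, `pkcheck --action-id org.freedesktop.udisks.filesystem-mount --process <pid>` against a process owned by that user and compare the result with the entries this script lists.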
--- Comment #5 from Ludwig Nussel (https://bugzilla.novell.com/show_bug.cgi?id=770041#c5)