Hi,
On Thursday, 26 November 2020, 12:09:12 CET, Dario Faggioli wrote:
Hello,
I was having a look at that little issue that we have with MicroOS Desktop asking for passwords every 3 seconds, and I think I bumped into something I'm not sure I understand.
So, one operation for which it asks for the root password (when it shouldn't, e.g., Tumbleweed doesn't, for doing that) is when I plug in a USB key.
In order to understand what is going on, I added some logging to polkitd, and here's what I've found.
On Tumbleweed:
nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:2: action=[Action id='com.endlessm.ParentalControls.AppFilter.ReadOwn']
nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:3: subject=[Subject pid=2321 user='dario' groups=audio,bin,dialout,docker,kvm,lp,mail,tty,video,vnc,wheel,dario,users,libvirt,osc seat=null session=nul>
nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:1027: com.endlessm.ParentalControls.AppFilter.ReadOwn => yes
On MicroOS:
nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:2: action=[Action id='org.freedesktop.udisks2.filesystem-mount' device='/dev/sdd1' polkit.message='Authentication is required to mount $(drive)' partition>
nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:3: subject=[Subject pid=1754 user='dario' groups=users,wheel,dario seat=null session=null local=true active=true]
nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:1026: org.freedesktop.udisks2.filesystem-mount => auth_admin
So, why 'yes' on one hand and 'auth_admin' on the other? Well, the code is in /etc/polkit-1/rules.d/90-default-privs.rules (at the bottom).
There's a big array with all the actions and, on Tumbleweed, I have this, for the action above:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'yes' ],
While on MicroOS:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'auth_admin' ],
So here's where 'yes' and 'auth_admin' come from.
Now, let's do the same dance again.
Tumbleweed:
$ rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules
polkit-default-privs-1550+20201119.2c1dce4-1.1.noarch
MicroOS:
$ rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules
polkit-default-privs-1550+20201119.2c1dce4-1.1.noarch
So, same package, different content.
What's the value of PERMISSION_SECURITY in /etc/sysconfig/security? It decides which of /etc/polkit-default-privs.* gets used for generating the .rules file.
Cheers,
Fabian
I'm sure there's a way to understand why that is, probably looking at: https://build.opensuse.org/package/view_file/openSUSE:Factory/polkit-default...
And: https://github.com/openSUSE/polkit-default-privs
And I plan to do so, but I haven't had the time yet.
However, it's definitely not my field. So, if anyone more knowledgeable on these matters wants to beat me at it, please, feel free :-)
Thanks and Regards
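
Added example, not part of the original thread and not code from polkit-default-privs: a small shell helper that reads PERMISSION_SECURITY from a sysconfig-style file and lists every action whose three-value entry differs between two copies of 90-default-privs.rules. The function names, the sample files and the PERMISSION_SECURITY values are constructed; the any/inactive/active ordering of the three values is an assumption.

```shell
#!/bin/sh
# Added example: explain why two hosts with the same polkit-default-privs
# package can answer differently for the same polkit action.

# Print the PERMISSION_SECURITY value from a sysconfig-style file.
perm_security() {
    sed -n 's/^PERMISSION_SECURITY=//p' "$1" | tr -d "\"'" | tail -n 1
}

# Print "action left right" for every action whose three-value entry differs
# between two generated .rules files ("missing" if only one file has it).
# Assumption: the three values are, in order, any / inactive / active session.
diff_privs() {
    awk -F"'" '
        NF >= 9 && $3 ~ /^:[ \t]*\[/ {
            entry = $4 ":" $6 ":" $8
            if (FILENAME == ARGV[1]) left[$2] = entry; else right[$2] = entry
            seen[$2] = 1
        }
        END {
            for (a in seen) {
                l = (a in left) ? left[a] : "missing"
                r = (a in right) ? right[a] : "missing"
                if (l != r) print a, l, r
            }
        }' "$1" "$2" | sort
}

# Constructed sample data: the two array lines quoted in the thread plus one
# made-up action, and made-up PERMISSION_SECURITY values.
make_samples() {
    printf '%s\n' 'PERMISSION_SECURITY="easy local"' > "$1/tw.sysconfig"
    printf '%s\n' 'PERMISSION_SECURITY="secure"' > "$1/mo.sysconfig"
    cat > "$1/tw.rules" <<'EOF'
    'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'yes' ],
    'org.example.unchanged': [ 'no', 'no', 'yes' ],
EOF
    cat > "$1/mo.rules" <<'EOF'
    'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'auth_admin' ],
    'org.example.unchanged': [ 'no', 'no', 'yes' ],
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Tumbleweed: $(perm_security "$demo_dir/tw.sysconfig")"
echo "MicroOS:    $(perm_security "$demo_dir/mo.sysconfig")"
diff_privs "$demo_dir/tw.rules" "$demo_dir/mo.rules"
rm -rf "$demo_dir"
```

On real systems, copy /etc/polkit-1/rules.d/90-default-privs.rules from each host under different file names and pass the two copies to diff_privs.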