|Summary:||system-config-firewall shows polkit error|
|Product:||Red Hat Enterprise Linux 6||Reporter:||Miroslav Vadkerti <mvadkert>|
|Component:||polkit||Assignee:||David Zeuthen <davidz>|
|Status:||CLOSED CANTFIX||QA Contact:||BaseOS QE Security Team <qe-baseos-security>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2010-07-12 19:38:54 UTC||Type:||---|
Description Miroslav Vadkerti 2010-07-01 07:00:23 UTC
Description of problem:
After running system-config-firewall as a non-root user a polkit error appears. See attached screenshot.

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.25-1.el6.noarch

How reproducible:
In my installation 100%

Steps to Reproduce:
1. Run system-config-firewall as user

Actual results:
Error

Expected results:
No error -> ask for root password

Additional info:
Comment 1 Miroslav Vadkerti 2010-07-01 07:01:14 UTC
Polkit version: polkit-0.96-1.el6.x86_64
Comment 2 Miroslav Vadkerti 2010-07-01 07:04:45 UTC
Created attachment 428188: system-config-firewall polkit error
Comment 3 Thomas Woerner 2010-07-01 09:42:02 UTC
Please check if there are SELinux errors or DBUS errors and add the output of "rpm -V system-config-firewall"
Comment 4 Miroslav Vadkerti 2010-07-01 19:31:12 UTC
State: Thomas is investigating this issue.

Note on the appearance of the bug: This bug was observed only when s-c-firewall is launched via ssh -X or in a vnc session. Running it locally on a machine works well.
Comment 5 Thomas Woerner 2010-07-05 10:25:25 UTC
This seems to be a polkit problem. David, what do you think?
Comment 6 David Zeuthen 2010-07-07 14:51:01 UTC
Why do you think it's a polkit problem? All I see is a long error name. I don't think that's enough to reassign bugs, sorry :-)

Btw, 'ssh -X' or 'vnc session' does not count toward active or local sessions (and are not even in the ConsoleKit database) so I doubt polkit would answer in the affirmative when checking any authorization. In fact, it would default to the value of the <allow_any> element inside the <defaults> element. And this is clearly set to 'no':

 $ pkaction --action-id org.fedoraproject.config.firewall.auth --verbose
 org.fedoraproject.config.firewall.auth:
   description:       Firewall authorization
   message:           Authentication is required to read and modify firewall settings
   vendor:            System Config Firewall
   vendor_url:        http://fedorahosted.org/system-config-firewall
   icon:
   implicit any:      no
   implicit inactive: no
   implicit active:   auth_admin_keep

so what we're seeing here is just things working correctly.
Comment 7 Thomas Woerner 2010-07-08 13:41:32 UTC
Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive has to be set to auth_admin. And then this will only allow access to the firewall mechanism via VNC and not to other dbus interfaces like for example NetworkManager (used to gather network information). In nearly all projects allow_any and allow_inactive are set to no. Even the PolicyKit Library Reference Manual proposes to do so (see examples). There is word on the impact of using no.

It is also not solving the ssh problem. SSH -X with allow_any: auth_admin, allow_inactive: auth_admin:

 $ pkcheck --allow-user-interaction --process $$ --action-id org.fedoraproject.config.firewall.auth
 Authorization requires authentication but no agent is available.

BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use cases.

This is a generic problem in polkit in my opinion. Nothing system-config-firewall can solve.

Reassigning to polkit.
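Added example (not part of the bug report and not polkit's own code): a simplified Python model of the decision discussed in comments 6 and 7. It parses the pkaction output quoted in comment 6 and picks the implicit authorization by session state. The function names and the `session` and `agent_available` parameters are assumptions made for illustration.

```python
# Values are from comment 6; the line layout of the sample is reconstructed.
PKACTION_OUTPUT = """\
org.fedoraproject.config.firewall.auth:
  description:       Firewall authorization
  message:           Authentication is required to read and modify firewall settings
  vendor:            System Config Firewall
  vendor_url:        http://fedorahosted.org/system-config-firewall
  icon:
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep
"""

def parse_pkaction(text):
    """Return {action_id: {field: value}} from `pkaction --verbose` text."""
    actions, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            # Unindented "name:" line starts a new action record.
            current = actions.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            # Split on the first colon only, so URLs in values survive.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return actions

def implicit_result(fields, session):
    """session is 'active' or 'inactive' for a local console session, or
    None when the caller has no ConsoleKit session (ssh -X, VNC)."""
    key = {"active": "implicit active",
           "inactive": "implicit inactive"}.get(session, "implicit any")
    return fields[key]

def check(fields, session, agent_available):
    """Hypothetical helper: outcome of an authorization check in this model."""
    result = implicit_result(fields, session)
    if result in ("yes", "no"):
        return "authorized" if result == "yes" else "not authorized"
    # auth_self*/auth_admin*: a challenge, which needs an authentication agent.
    return "challenge" if agent_available else "no agent available"

if __name__ == "__main__":
    fw = parse_pkaction(PKACTION_OUTPUT)["org.fedoraproject.config.firewall.auth"]
    for session in ("active", "inactive", None):
        print(session, "->", check(fw, session, agent_available=True))
```

With both `implicit any` and `implicit inactive` changed to `auth_admin`, a caller with no session and no agent ends in the "no agent available" branch, which matches the pkcheck message in comment 7.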
Comment 8 Miroslav Vadkerti 2010-07-10 18:31:13 UTC
Any update on this?
Comment 9 David Zeuthen 2010-07-12 19:38:54 UTC
(In reply to comment #7)
> Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive
> has to be set to auth_admin. And then this will only allow access to the
> firewall mechanism via VNC and not to other dbus interfaces like for example
> NetworkManager (used to gather network information). In nearly all projects
> allow_any and allow_inactive are set to no. Even the PolicyKit Library
> Reference Manual proposes to do so (see examples). There is word on the impact
> of using no.
>
> It is also not solving the ssh problem. SSH -X with allow_any: auth_admin,
> allow_inactive: auth_admin:
>
> $ pkcheck --allow-user-interaction --process $$ --action-id org.fedoraproject.config.firewall.auth
> Authorization requires authentication but no agent is available.
>
> BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use
> cases.

Because of how ConsoleKit works - basically, currently, login managers will have to integrate with ConsoleKit so seat and session objects are properly created, maintained and destroyed. To my knowledge that never happened.

> This is a generic problem in polkit in my opinion. Nothing
> system-config-firewall can solve.
>
> Reassigning to polkit.

Please understand that polkit is simply just a user of ConsoleKit and there is nothing we can do to make the required ConsoleKit objects appear. You need to open bugs against each login program asking for ConsoleKit integration for this to work. It is useless to just have this bug open against polkit for this purpose so I'm closing it.
Comment 10 Miroslav Vadkerti 2010-07-12 20:37:05 UTC
Reported for openssh:
Bug 613796 - openssh: Add support for registering ConsoleKit sessions on login

Looks like vnc bug on this for fedora was already closed as won't fix. I'm not sure if we will be able to pull this in:
https://bugzilla.redhat.com/show_bug.cgi?id=476402
Comment 11 Miroslav Vadkerti 2010-07-13 07:37:26 UTC
This is already reported for EL6:
Bug 528511 - Can't install software via VNC
Comment 12 Steve Grubb 2010-11-22 21:00:49 UTC
I wanted to point something out, there is a session object inside the kernel that is set correctly on gdm and ssh logins. We do that by using a pam module. Could a pam module be written that sets things up so that ssh and consolekit get along?
Comment 13 David Zeuthen 2010-11-24 15:31:37 UTC
(In reply to comment #12)
> I wanted to point something out, there is a session object inside the kernel
> that is set correctly on gdm and ssh logins. We do that by using a pam module.
> Could a pam module be written that sets things up so that ssh and consolekit
> get along?

FWIW, the long term plan is to make systemd's PAM module do this and also make systemd track things like VT switches on graphical logins (and a couple of other things). Then we can make polkit get this information from systemd instead of ConsoleKit and then we can retire ConsoleKit altogether.