Bug 609799

Summary: system-config-firewall shows polkit error
Product: Red Hat Enterprise Linux 6
Reporter: Miroslav Vadkerti <mvadkert>
Component: polkit
Assignee: David Zeuthen <davidz>
Status: CLOSED CANTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: low
Version: 6.0
CC: mclasen, sgrubb
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-07-12 19:38:54 UTC
Attachments: system-config-firewall polkit error (flags: none)

Description Miroslav Vadkerti 2010-07-01 07:00:23 UTC
Description of problem:
After running system-config-firewall as a non-root user, a polkit error appears. See attached screenshot.

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.25-1.el6.noarch

How reproducible:
In my installation 100%

Steps to Reproduce:
1. Run system-config-firewall as user
  
Actual results:
Error

Expected results:
No error -> ask for root password

Additional info:

Comment 1 Miroslav Vadkerti 2010-07-01 07:01:14 UTC
Polkit version:
polkit-0.96-1.el6.x86_64

Comment 2 Miroslav Vadkerti 2010-07-01 07:04:45 UTC
Created attachment 428188
system-config-firewall polkit error

Comment 3 Thomas Woerner 2010-07-01 09:42:02 UTC
Please check if there are SELinux errors or DBUS errors and add the output of "rpm -V system-config-firewall"

Comment 4 Miroslav Vadkerti 2010-07-01 19:31:12 UTC
State: Thomas is investigating this issue.

Note on the appearance of the bug:
This bug was observed only when s-c-firewall is launched via ssh -X or in a vnc session. Running it locally on a machine works well.

Comment 5 Thomas Woerner 2010-07-05 10:25:25 UTC
This seems to be a polkit problem.

David, what do you think?

Comment 6 David Zeuthen 2010-07-07 14:51:01 UTC
Why do you think it's a polkit problem? All I see is a long error name. I don't think that's enough to reassign bugs, sorry :-)

Btw, 'ssh -X' or 'vnc session' does not count toward active or local sessions (and are not even in the ConsoleKit database) so I doubt polkit would answer in the affirmative when checking any authorization. In fact, it would default to the value of the <allow_any> element inside the <defaults> element. And this is clearly set to 'no':

  $ pkaction --action-id org.fedoraproject.config.firewall.auth --verbose
  org.fedoraproject.config.firewall.auth:
    description:       Firewall authorization
    message:           Authentication is required to read and modify firewall settings
    vendor:            System Config Firewall
    vendor_url:        http://fedorahosted.org/system-config-firewall
    icon:              
    implicit any:      no
    implicit inactive: no
    implicit active:   auth_admin_keep

so what we're seeing here is just things working correctly.

Comment 7 Thomas Woerner 2010-07-08 13:41:32 UTC
Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive has to be set to auth_admin. And then this will only allow access to the firewall mechanism via VNC and not to other dbus interfaces like for example NetworkManager (used to gather network information). In nearly all projects allow_any and allow_inactive are set to no. Even the PolicyKit Library Reference Manual proposes to do so (see examples). There is word on the impact of using no.

It is also not solving the ssh problem. SSH -X with allow_any: auth_admin, allow_inactive: auth_admin:

$ pkcheck --allow-user-interaction --process $$ --action-id org.fedoraproject.config.firewall.auth 
Authorization requires authentication but no agent is available.

BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use cases.

This is a generic problem in polkit in my opinion. Nothing system-config-firewall can solve.

Reassigning to polkit.
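
The decision described in comments 6 and 7, as an added Python sketch that is not part of the thread and not polkit's code: it reads the three defaults of an action from a constructed policy fragment (values taken from the pkaction output in comment 6) and picks the one that applies to a caller's session state. The function names, the outcome strings and the reading of a missing element as "no" are assumptions of this sketch; whether a given login path counts as local or active is an input, not something the code decides.

```python
import xml.etree.ElementTree as ET

ACTION_ID = "org.fedoraproject.config.firewall.auth"
KEYS = ("allow_any", "allow_inactive", "allow_active")

# Constructed policy fragment: the three values mirror the pkaction output
# quoted in comment 6; the surrounding file layout is an assumption.
POLICY_XML = """<policyconfig>
  <action id="org.fedoraproject.config.firewall.auth">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def load_defaults(xml_text, action_id):
    """Return the <defaults> of one action; a missing element is read as 'no' here."""
    for action in ET.fromstring(xml_text).iter("action"):
        if action.get("id") == action_id:
            return {k: (action.findtext("defaults/" + k) or "no").strip() for k in KEYS}
    raise KeyError(action_id)

def implicit_authorization(defaults, is_local, is_active):
    """Pick the default that applies to the caller's session state."""
    if is_local and is_active:
        return defaults["allow_active"]
    if is_local:
        return defaults["allow_inactive"]
    return defaults["allow_any"]  # session unknown to the session tracker

def check(defaults, is_local, is_active, agent_available):
    """Hypothetical summary of the outcome a caller would see."""
    value = implicit_authorization(defaults, is_local, is_active)
    if value == "no":
        return "not authorized"
    if value == "yes":
        return "authorized"
    # auth_self / auth_admin (and *_keep) need an authentication agent.
    if not agent_available:
        return "authentication required, no agent available"
    return "challenge: " + value

if __name__ == "__main__":
    shipped = load_defaults(POLICY_XML, ACTION_ID)
    relaxed = dict(shipped, allow_any="auth_admin", allow_inactive="auth_admin")
    print(check(shipped, True, True, True))     # local console session
    print(check(shipped, False, False, False))  # e.g. ssh -X, per comment 6
    print(check(relaxed, False, False, False))  # comment 7's pkcheck result
```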

Comment 8 Miroslav Vadkerti 2010-07-10 18:31:13 UTC
Any update on this?

Comment 9 David Zeuthen 2010-07-12 19:38:54 UTC
(In reply to comment #7)
> Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive
> has to be set to auth_admin. And then this will only allow access to the
> firewall mechanism via VNC and not to other dbus interfaces like for example
> NetworkManager (used to gather network information). In nearly all projects
> allow_any and allow_inactive are set to no. Even the PolicyKit Library
> Reference Manual proposes to do so (see examples). There is word on the impact
> of using no.
> 
> It is also not solving the ssh problem. SSH -X with allow_any: auth_admin,
> allow_inactive: auth_admin:
> 
> $ pkcheck --allow-user-interaction --process $$ --action-id
> org.fedoraproject.config.firewall.auth 
> Authorization requires authentication but no agent is available.
> 
> BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use
> cases.

Because of how ConsoleKit works - basically, currently, login managers will have to integrate with ConsoleKit so seat and session objects are properly created, maintained and destroyed. To my knowledge that never happened.

> This is a generic problem in polkit in my opinion. Nothing
> system-config-firewall can solve.
> 
> Reassigning to polkit.    

Please understand that polkit is simply just a user of ConsoleKit and there is nothing we can do to make the required ConsoleKit objects appear. You need to open bugs against each login program asking for ConsoleKit integration for this to work. It is useless to just have this bug open against polkit for this purpose so I'm closing it.

Comment 10 Miroslav Vadkerti 2010-07-12 20:37:05 UTC
Reported for openssh:
Bug 613796  - openssh: Add support for registering ConsoleKit sessions on login

Looks like the VNC bug on this for Fedora was already closed as won't fix. I'm not sure if we will be able to pull this in:
https://bugzilla.redhat.com/show_bug.cgi?id=476402

Comment 11 Miroslav Vadkerti 2010-07-13 07:37:26 UTC
This is already reported for EL6:
Bug 528511 - Can't install software via VNC

Comment 12 Steve Grubb 2010-11-22 21:00:49 UTC
I wanted to point something out: there is a session object inside the kernel that is set correctly on gdm and ssh logins. We do that by using a pam module. Could a pam module be written that sets things up so that ssh and consolekit get along?

Comment 13 David Zeuthen 2010-11-24 15:31:37 UTC
(In reply to comment #12)
> I wanted to point something out: there is a session object inside the kernel
> that is set correctly on gdm and ssh logins. We do that by using a pam module.
> Could a pam module be written that sets things up so that ssh and consolekit
> get along?

FWIW, the long term plan is to make systemd's PAM module do this and also make systemd track things like VT switches on graphical logins (and a couple of other things). Then we can make polkit get this information from systemd instead of ConsoleKit and then we can retire ConsoleKit altogether.