Bug 1214026 - PolicyKit should authorize groups using getgroups() rather than getgr*()

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Stephen Gallagher <sgallagh> |
| Component | polkit | Assignee | Jan Rybar <jrybar> |
| Status | ASSIGNED --- | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | rawhide | CC | imc, jhrozek, martin, massi.ergosum, ossman, sam |
| Target Milestone | --- | Keywords | FutureFeature, Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-07-19 13:49:05 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Stephen Gallagher
2015-04-21 19:03:54 UTC
Thanks for your report. Subtasks:

* In authentication_agent_initiate_challenge, store also the original identities before expanding groups to contained users.
* In polkit_backend_interactive_authority_authentication_agent_response, use the original identities + getgrouplist() instead of the expanded list.
* Document that the user identities in BeginAuthentication may not be comprehensive.
* Correspondingly update PolkitAgentTextListener to let the user enter any user name
* … and make similar changes to the GNOME/KDE polkit agents.

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release.

If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

https://lists.freedesktop.org/archives/polkit-devel/2016-November/000513.html also just brought up that in very large environments (tens of thousands of users/groups), it's often desirable to set the SSSD option `ignore_group_members` in order to avoid extremely poor performance when a getgr[nam|id]() call is made. In this situation, the group membership is intentionally zeroed out. The output of `getgroups()` however will be accurate for the requested user.

We should really consider prioritizing this fix, as SSSD presence in large environments is becoming far more prevalent and more such issues are being reported.

I've just come across a weird issue on Fedora 30 which I believe boils down to this bug. We lock the root password on our systems, and create users who are members of specified admin groups. One of these groups is the group of local admin users, and these users are created with that group as their primary group.

```
$ getent group linuxadminslocal
linuxadminslocal:x:500:
$ getent passwd imc
imc:x:602:500:Ian Collier,,,:/home/imc:/bin/bash
```

However, on a newly installed system (which doesn't yet have any network accounts), when we tell polkit that this Unix group is a valid administrator group, polkit still insists on asking for the root password (even though sudo works correctly):

```
$ cat /etc/polkit-1/rules.d/40-cs-admin.rules
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel","unix-group:linuxsysadmins","unix-group:linuxadminslocal"];
});
$ pkexec
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: root
Password:
```

Editing the group file to add my userid explicitly to that group fixes this.

Upstream issue: https://gitlab.freedesktop.org/polkit/polkit/issues/24

*** Bug 1694611 has been marked as a duplicate of this bug. ***
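The thread above contrasts two ways of deciding whether a user belongs to an admin group: scanning the group's member list from getgrnam() (which is empty for a user whose primary GID is the group, and is deliberately emptied by SSSD's `ignore_group_members`), versus building the user's full group list with getgrouplist(), which is what getgroups() would report for a process of that user. The program below, an added standalone example that is not polkit's code and not from any participant in this bug, implements both checks side by side so the discrepancy can be reproduced on a test account; the function names `member_via_gr_mem` and `member_via_grouplist` are this example's own.

```c
/* Added example (not polkit's code): two answers to "is USER in GROUP?".
 *
 *  - member_via_gr_mem: getgrnam(GROUP) and scan gr_mem. Misses users whose
 *    *primary* GID is the group (they have no entry in the member list) and
 *    sees nothing at all when SSSD's ignore_group_members is enabled.
 *  - member_via_grouplist: getgrouplist(), which starts from the user's
 *    primary GID and adds every supplementary group, i.e. the same set
 *    getgroups() reports for a process running as that user.
 *
 * Build: cc -Wall -o groupcheck groupcheck.c
 * Usage (account names taken from the report above):
 *   ./groupcheck imc linuxadminslocal
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if USER is listed in GROUP's gr_mem array, 0 otherwise. */
int member_via_gr_mem(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL || gr->gr_mem == NULL)
        return 0;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Returns 1 if GROUP's GID appears in the list getgrouplist() builds for
 * USER (primary GID included), 0 otherwise (also for unknown user/group). */
int member_via_grouplist(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return 0;

    int ngroups = 16;
    gid_t *groups = NULL;
    for (;;) {
        gid_t *tmp = realloc(groups, (size_t)ngroups * sizeof *groups);
        if (tmp == NULL) {
            free(groups);
            return 0;
        }
        groups = tmp;
        int n = ngroups;                /* in: buffer size; out: count */
        if (getgrouplist(user, pw->pw_gid, groups, &n) != -1) {
            ngroups = n;
            break;
        }
        /* Buffer too small. glibc stores the required size in n;
         * doubling covers libcs that do not. */
        ngroups = (n > ngroups) ? n : ngroups * 2;
    }

    int found = 0;
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] == gr->gr_gid) {
            found = 1;
            break;
        }
    }
    free(groups);
    return found;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    printf("gr_mem scan:   %s\n",
           member_via_gr_mem(argv[1], argv[2]) ? "member" : "not a member");
    printf("getgrouplist:  %s\n",
           member_via_grouplist(argv[1], argv[2]) ? "member" : "not a member");
    return 0;
}
```

On a system set up as in the report (user `imc` with primary GID 500 and no explicit entry in `linuxadminslocal`), the gr_mem scan says "not a member" while getgrouplist() says "member"; only the second answer matches what sudo and the kernel credentials of the user's processes see, which is why the subtasks above switch polkit to getgrouplist().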