Bug 1284907 - No session for cookie
No session for cookie
Status: NEW
Product: Fedora
Classification: Fedora
Component: polkit (Show other bugs)
26
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Miloslav Trmač
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 1281852
  Show dependency treegraph
 
Reported: 2015-11-24 07:50 EST by Ondrej Moriš
Modified: 2017-07-26 10:06 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ondrej Moriš 2015-11-24 07:50:10 EST
Description of problem:

Consider the following policy:

# cat /usr/share/polkit-1/actions/org.freedesktop.policykit.cctest.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
        "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.freedesktop.policykit.cctest.auth_self">
    <description>Testing policy</description>
    <defaults>
      <allow_any>auth_self</allow_any>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/bin/whoami</annotate>
  </action>
</policyconfig>

When testuser is logged to the system (either via console or ssh) and executes /bin/whoami via pkexec, operation is not authorized:

$ pkexec /bin/whoami
==== AUTHENTICATING FOR org.freedesktop.policykit.cctest.auth_self ===

Authenticating as: testuser
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

The following can be seen in /var/log/secure:

Nov 24 13:05:32 cc-toe5 polkitd[7113]: Registered Authentication Agent for unix-process:43521:8659824 (system bus name :1.204 [pkexec /bin/whoami], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Nov 24 13:05:40 cc-toe5 polkitd[7113]: Operator of unix-process:43521:8659824 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.cctest.auth_self for unix-process:43521:8659824 [-bash] (owned by unix-user:testuser)
Nov 24 13:05:40 cc-toe5 pkexec[43556]: testuser: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/14] [CWD=/home/testuser] [COMMAND=/bin/whoami]
Nov 24 13:05:40 cc-toe5 polkitd[7113]: Unregistered Authentication Agent for unix-process:43521:8659824 (system bus name :1.204, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Version-Release number of selected component (if applicable):

polkit-0.113-4.fc23.x86_64

How reproducible:

100%

Steps to Reproduce:

1. Create aforementioned policy.
2. Log-in as testuser.
3. Exeucte "pkexec /bin/whoami" (with testuser password).

Actual results:

Not authorized.

Expected results:

Authorized.

Additional info:
Comment 1 Miloslav Trmač 2015-11-24 08:11:31 EST
Thanks for your report.  This is https://bugs.freedesktop.org/show_bug.cgi?id=90837#c20 , isn’t it?
Comment 2 Miroslav Vadkerti 2016-02-10 08:57:32 EST
(In reply to Miloslav Trmač from comment #1)
> Thanks for your report.  This is
> https://bugs.freedesktop.org/show_bug.cgi?id=90837#c20 , isn’t it?

Yes, looks like we are hitting this upstream bug! Thanks for the reference. Hopefully we will have a fix soon :)
Comment 3 Jan Kurik 2016-02-24 10:37:33 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 4 Fedora End Of Life 2017-07-25 15:33:24 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Note You need to log in before you can comment on or make changes to this bug.