Bug 1302652 - packagekit prompts the password of an unrelated user to mine
packagekit prompts the password of an unrelated user to mine
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
23
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jakub Hrozek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-28 05:27 EST by Nikos Mavrogiannopoulos
Modified: 2016-02-18 05:15 EST (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-18 05:15:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nikos Mavrogiannopoulos 2016-01-28 05:27:38 EST
Description of problem:

I am in a system where my user (provided by pam_sssd) is the following:
$ id
uid=22220(nmavrogi) gid=22220(nmavrogi) groups=22220(nmavrogi),135(mock),1070(devel),5356(prc-ext),5977(idm-dev-lab) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

He does not exist in the password file. I do however have the following user in my password file:
$ id test
uid=1000(test) gid=1000(test) groups=1000(test),10(wheel)

When I have to install something through packagekit command not found, I get asked for the password of my test user!!!

How reproducible:
$ indent -linux common/common.c
bash: indent: command not found...
Install package 'indent' to provide command 'indent'? [N/y] y

[Prompt for test's password]



Expected results:

I should be asked my user's password.
Comment 1 Nikos Mavrogiannopoulos 2016-02-18 04:22:43 EST
Reassigning to sssd, as this issue also exists if I use yum extender. Thus it is not related to package kit.
Comment 2 Lukas Slebodnik 2016-02-18 04:37:06 EST
I doubt it's related to sssd but

Please provide steps to reproduce:
In my case, command just fails it does not want to install any package.


sh$ indent -linux common/common.c
-bash: indent: command not found
sh$ echo $?
127
Comment 3 Sumit Bose 2016-02-18 04:41:11 EST
Isn't this the expected behavior when you assign the 'Account Type' 'Administrator', i.e. adding the user to the wheel group, in the Gnome user manager?
Comment 4 Jakub Hrozek 2016-02-18 04:46:18 EST
I also remember that Nikos uses a bit non-standard config with id_provider=proxy proxying to files, so it would also be nice to see the PAM config files..
Comment 5 Sumit Bose 2016-02-18 04:58:32 EST
I'm pretty sure it is not related to SSSD at all but a policykit feature.

To reproduce make sure you have a user in the wheel group, stop sssd and call pkexec. pkexec will ask you for the password of the user from the wheel group. If there are multiple users in the wheel group the first one is used.
Comment 6 Lukas Slebodnik 2016-02-18 05:04:32 EST
So it will be good if Nikos can confirm it with output of command
"getent group wheel"

If it's true than workaround might be to change of users in wheel group.
Comment 7 Nikos Mavrogiannopoulos 2016-02-18 05:09:11 EST
(In reply to Lukas Slebodnik from comment #2)
> I doubt it's related to sssd but
> 
> Please provide steps to reproduce:
> In my case, command just fails it does not want to install any package.
> 
> 
> sh$ indent -linux common/common.c
> -bash: indent: command not found
> sh$ echo $?
> 127

run yum extender.
Comment 8 Nikos Mavrogiannopoulos 2016-02-18 05:10:23 EST
(In reply to Lukas Slebodnik from comment #6)
> So it will be good if Nikos can confirm it with output of command
> "getent group wheel"
> 
> If it's true than workaround might be to change of users in wheel group.

$ getent group wheel
wheel:x:10:test
Comment 9 Nikos Mavrogiannopoulos 2016-02-18 05:11:28 EST
(In reply to Sumit Bose from comment #5)
> I'm pretty sure it is not related to SSSD at all but a policykit feature.
> 
> To reproduce make sure you have a user in the wheel group, stop sssd and
> call pkexec. pkexec will ask you for the password of the user from the wheel
> group. If there are multiple users in the wheel group the first one is used.

Should then this be assigned to policykit? I doubt that this is an intended feature.
Comment 10 Nikos Mavrogiannopoulos 2016-02-18 05:15:04 EST
(In reply to Nikos Mavrogiannopoulos from comment #9)
> (In reply to Sumit Bose from comment #5)
> > I'm pretty sure it is not related to SSSD at all but a policykit feature.
> > 
> > To reproduce make sure you have a user in the wheel group, stop sssd and
> > call pkexec. pkexec will ask you for the password of the user from the wheel
> > group. If there are multiple users in the wheel group the first one is used.
> 
> Should then this be assigned to policykit? I doubt that this is an intended
> feature.

My bad. It seems that my user is not in the wheel group but only in sudo group, thus the prompt is indeed the expected one. Policykit seems to do the right thing even in the wrong order. Sorry for the noise.

Note You need to log in before you can comment on or make changes to this bug.