Bug 1655687 - pkexec /usr/sbin/grub2-set-bootflag fails on user login
Summary: pkexec /usr/sbin/grub2-set-bootflag fails on user login
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: grub2
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Bootloader engineering team
QA Contact: Release Test Team
 
Reported: 2018-12-03 17:04 UTC by Stephen Hobbs
Modified: 2019-06-13 23:09 UTC (History)

Fixed In Version: grub2-2.02-64.el8
Last Closed: 2019-06-13 23:09:36 UTC
Type: Bug


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1625332 | None | None | None | 2019-10-22 09:13:55 UTC
Red Hat Knowledge Base (Solution) | 3729941 | None | None | pkexec /usr/sbin/grub2-set-bootflag fails on user login after first boot | 2019-04-18 20:23:56 UTC

Internal Links: 1625332

Description Stephen Hobbs 2018-12-03 17:04:22 UTC
Description of problem:
pkexec /usr/sbin/grub2-set-bootflag fails on user login after first boot.

Version-Release number of selected component (if applicable):
grub2-pc-2.02-57.el8.x86_64

How reproducible:
100% if a non-root user logs in first after system boot.

Steps to Reproduce:
1. Boot RHEL 8 Beta
2. Log in with a non-root user
3. View error in /var/log/secure ~2min after login

Actual results:
[testuser@rhel8-beta ~]$ systemctl --user status grub-boot-success
● grub-boot-success.service - Mark boot as successful
   Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-12-03 10:32:48 EST; 1min 22s ago
  Process: 1533 ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success (code=exited, status=127)
 Main PID: 1533 (code=exited, status=127)

Dec  3 10:32:48 rhel8-beta pkexec[1533]: testuser: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/home/testuser] [COMMAND=/usr/sbin/grub2-set-bootflag boot_success]

Expected results:


Additional info:
[root@rhel8-beta ~]# cat /usr/lib/systemd/user/grub-boot-success.service 
[Unit]
Description=Mark boot as successful

[Service]
Type=oneshot
ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success

Comment 1 Kyle Walker 2018-12-03 17:15:41 UTC
The Policy shipped with grub2 is the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>GNU GRUB</vendor>
  <vendor_url>https://www.gnu.org/software/grub/</vendor_url>
  <action id="org.gnu.grub.set-bootflag">
    <!-- SECURITY:
          - A normal active user on the local machine does not need permission
            to set bootflags to show the menu / mark current boot successful.
     -->
    <description>Set GRUB bootflags</description>
    <message>Authentication is required to modify the bootloaders bootflags</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/grub2-set-bootflag</annotate>
  </action>
</policyconfig>


It indicates that active (local) requests will succeed. However, the unit ships a systemd user unit and timer that is enabled by default.

grub2.spec:
<snip>
ln -s ../grub-boot-success.timer \
        %{buildroot}%{_userunitdir}/timers.target.wants
<snip>

When you have the above, and you log in to the system remotely (beyond very common) for the first time after boot, you get this message.

The above grub-boot-success.timer should be opt-in and not hard-coded into the specfile...

- Kyle Walker
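
Added example (not part of the bug report or of grub2): a Python sketch that reads the <defaults> of the policy quoted in comment 1 and reports which session kinds can run the action from an unattended unit. It assumes polkit selects allow_any for remote sessions and allow_active/allow_inactive for local console sessions, and that only "yes" succeeds when nobody can answer a prompt; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Policy from comment 1, trimmed to the elements evaluated here.
POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.gnu.grub.set-bootflag">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/grub2-set-bootflag</annotate>
  </action>
</policyconfig>
"""
EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"


def load_actions(policy_xml):
    """Map each pkexec-able program path to (action id, defaults dict)."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = {d.tag: (d.text or "").strip()
                    for d in action.findall("defaults/*")}
        for ann in action.iter("annotate"):
            if ann.get("key") == EXEC_PATH_KEY:
                actions[(ann.text or "").strip()] = (action.get("id"), defaults)
    return actions


def implicit_authorization(defaults, local, active):
    """Return the <defaults> value that applies to this kind of session."""
    if not local:
        # Remote logins (e.g. ssh) are neither active nor inactive local sessions.
        return defaults.get("allow_any", "no")  # missing entry treated as "no" (assumption)
    return defaults.get("allow_active" if active else "allow_inactive", "no")


def report(policy_xml, path):
    """Session kind -> True if an unattended unit would be authorized."""
    _, defaults = load_actions(policy_xml)[path]
    sessions = {"local active": (True, True),
                "local inactive": (True, False),
                "remote (ssh)": (False, True)}
    return {name: implicit_authorization(defaults, *kind) == "yes"
            for name, kind in sessions.items()}


if __name__ == "__main__":
    for session, ok in report(POLICY, "/usr/sbin/grub2-set-bootflag").items():
        print(f"{session:15} -> {'authorized' if ok else 'Not authorized'}")
```

With the shipped defaults only the local active session is authorized, which matches the "Not authorized" pkexec error logged for the remote login.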

Comment 3 Javier Martinez Canillas 2019-02-20 17:37:48 UTC
Reproduced the problem in old compose RHEL-8.0-20181113.1 (grub2-2.02-57.el8).

Log in to the machine through ssh using a non-root user and check that grub2-set-bootflag failed:

$ systemctl --user status grub-boot-success
● grub-boot-success.service - Mark boot as successful
   Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-02-20 12:10:43 EST; 1min 46s ago
  Process: 1471 ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success (code=exited, status=127)
 Main PID: 1471 (code=exited, status=127)

----------------------------------------------------------------------------------

Verified in latest compose RHEL-8.0-20190220.n.0 (grub2-2.02-66.el8) that it is fixed.

Log in to the machine through ssh using a non-root user and check that grub2-set-bootflag succeeded:

$ systemctl --user status grub-boot-success
● grub-boot-success.service - Mark boot as successful
   Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled)
   Active: inactive (dead) since Wed 2019-02-20 19:33:52 IST; 5s ago
  Process: 1493 ExecStart=/usr/sbin/grub2-set-bootflag boot_success (code=exited, status=0/SUCCESS)
 Main PID: 1493 (code=exited, status=0/SUCCESS)

