Hide Forgot
Description of problem: pkexec /usr/sbin/grub2-set-bootflag fails on user login after first boot. Version-Release number of selected component (if applicable): grub2-pc-2.02-57.el8.x86_64 How reproducible: 100% if a non-root user logs in first after system boot. Steps to Reproduce: 1. Boot RHEL 8 Beta 2. Log in with a non-root user 3. view error in /var/log/secure ~2min after login Actual results: [testuser@rhel8-beta ~]$ systemctl --user status grub-boot-success ● grub-boot-success.service - Mark boot as successful Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled) Active: failed (Result: exit-code) since Mon 2018-12-03 10:32:48 EST; 1min 22s ago Process: 1533 ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success (code=exited, status=127) Main PID: 1533 (code=exited, status=127) Dec 3 10:32:48 rhel8-beta pkexec[1533]: testuser: Error executing command as another user: Not authorized [USER=root] [TTY=unknown] [CWD=/home/testuser] [COMMAND=/usr/sbin/grub2-set-bootflag boot_success] Expected results: Additional info: [root@rhel8-beta ~]# cat /usr/lib/systemd/user/grub-boot-success.service [Unit] Description=Mark boot as successful [Service] Type=oneshot ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success
The Policy shipped with grub2 is the following: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> <policyconfig> <vendor>GNU GRUB</vendor> <vendor_url>https://www.gnu.org/software/grub/</vendor_url> <action id="org.gnu.grub.set-bootflag"> <!-- SECURITY: - A normal active user on the local machine does not need permission to set bootflags to show the menu / mark current boot successful. --> <description>Set GRUB bootflags</description> <message>Authentication is required to modify the bootloaders bootflags</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> <allow_active>yes</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/grub2-set-bootflag</annotate> </action> </policyconfig> It indicates that active (local) requests will succeed. However, the unit ships a systemd user unit and timer that is enabled by default. grub2.spec: <snip> ln -s ../grub-boot-success.timer \ %{buildroot}%{_userunitdir}/timers.target.wants <snip> When you have the above, and you login to the system remotely(beyond very common) for the first time after boot, you get this message. The above grub-boot-success.timer should be opt-in and not hard-coded into the specfile... - Kyle Walker
Reproduced the problem in old compose RHEL-8.0-20181113.1 (grub2-2.02-57.el8). Login to the machine through ssh using a non-root user and check that grub2-set-bootflag failed: $ systemctl --user status grub-boot-success ● grub-boot-success.service - Mark boot as successful Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled) Active: failed (Result: exit-code) since Wed 2019-02-20 12:10:43 EST; 1min 46s ago Process: 1471 ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success (code=exited, status=127) Main PID: 1471 (code=exited, status=127) ---------------------------------------------------------------------------------- Verified in latest compose RHEL-8.0-20190220.n.0 (grub2-2.02-66.el8) that is fixed. Login to the machine through ssh using a non-root user and check that grub2-set-bootflag succeeded: $ systemctl --user status grub-boot-success ● grub-boot-success.service - Mark boot as successful Loaded: loaded (/usr/lib/systemd/user/grub-boot-success.service; static; vendor preset: enabled) Active: inactive (dead) since Wed 2019-02-20 19:33:52 IST; 5s ago Process: 1493 ExecStart=/usr/sbin/grub2-set-bootflag boot_success (code=exited, status=0/SUCCESS) Main PID: 1493 (code=exited, status=0/SUCCESS)