Bug 1857654
| Summary: | Users logging on via VNC are presented a pop-up "Authentication required to refresh system repositories" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | mertensb.mazda |
| Component: | gnome-software | Assignee: | Milan Crha <mcrha> |
| Status: | CLOSED ERRATA | QA Contact: | Radek Duda <rduda> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | --- | CC: | Aaron.Boudreaux, andreas.fenner, ayadav, carlos.fernandez, casantos, dleroux, jgrulich, jkoten, jrybar, klember, mcatanza, mcrha, pschindl, rduda, rhughes, rstrode, sbarcomb, Todd.Baker, tpelka, tpopela, vpakolu, yzheng |
| Target Milestone: | rc | Keywords: | Reopened, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | gnome-software-3.36.1-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-11-14 15:33:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2177711 | ||
| Bug Blocks: | |||
Description
mertensb.mazda
2020-07-16 09:44:47 UTC
journalctl shows the following when the user logs on and dismisses the authorization prompt:

```
Jul 16 13:57:17 <hostname> polkitd[1060]: Operator of unix-session:c7 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.system-sources-refresh for system-bus-name::1.3548 [/usr/bin/gnome-software --gapplication-service] (owned by unix-user:<user>)
Jul 16 13:57:17 <hostname> PackageKit[25757]: uid 1003 failed to obtain auth
Jul 16 13:57:18 <hostname> gnome-software[26114]: Only 0 apps for recent list, hiding
```

(In reply to mertensb.mazda from comment #0)
> https://c-nergy.be/blog/?p=14051 describes the same issue on Ubuntu.
> The page contains instructions on how to "fix" the issue by overriding the
> polkit default authorization rules.
> However the article does not explain what this actually does.
> Does this grant users permission to install software?
> If so that solution does not apply to our use case.

Create a /etc/polkit-1/localauthority/50-local.d/repos.pkla file containing

```
[Allow Package Management all Users]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-sources-refresh
ResultAny=yes
ResultInactive=yes
ResultActive=yes
```

Then restart polkit with

```
# systemctl restart polkit
```

Carlos Santos
Senior Software Maintenance Engineer
Red Hat

Hi Carlos,

Apologies for the very late reply; the email notification was lost between too many other emails.

My main question is: what does this do? Does this grant all users to install/update/remove software?

Based on https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html I understand this to mean that all users are granted authorization for this action.

https://cgit.freedesktop.org/packagekit/tree/policy/org.freedesktop.packagekit.policy.in contains the defaults and has a comment saying:

- Normal users do not require admin authentication to refresh the cache, as this doesn't actually install or remove software.

In our case I do not want to grant authorization to users to install/update/remove software. All I'm looking for is a way to prevent them from seeing this pop-up box.

Thanks in advance
Bram

Hello, please verify if PackageKit is installed.

The Why: The PackageKit package drops .rules and .policy files loaded into Polkit to define what PackageKit actions are allowed to what users. One of the files dropped by PackageKit - /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy - contains an action with action id="org.freedesktop.packagekit.system-sources-refresh" with the exact message being reported. This action rule states this: `<allow_any>auth_admin</allow_any>` which means that any user can update the repository (e.g. for system updates) if they authenticate as admins. THIS IS USUALLY WANTED BEHAVIOUR, because if you use e.g. Gnome Desktop, you want packagekitd to find the newest updates for your system.

Now, I can imagine there are new users on your system that are not in the "wheel" group (i.e. admin), so they're not automatically allowed to refresh repositories and they need to authenticate. Hence the message.

This can be resolved by adding rules in the /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules file or by switching the refresh action from allow_any to another option or by disabling PackageKit. Please consult the polkit manual page, section DECLARING ACTIONS.

Anyway, moving this BZ to the PackageKit component.

I think tigervnc ought to set up a session really. We're falling back to the prompt as it's not being marked as active.

I'm not sure this is something we can do anything about from the Tigervnc perspective. It's most likely gnome-software requiring access to PackageKit and if the user is not in the "wheel" group, it automatically asks for access using the polkit dialog.
I spent some time investigating this, trying to find out the difference between a regular and a VNC session, and it looks like all remote sessions are not marked as "active", which causes the following condition in the PackageKit polkit rule to fail:
Rule:
```javascript
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
```
Given this, I don't believe there is something I can do about this in Tigervnc and the only workaround for this is to modify the Polkit rule.
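The following is an added example, not part of the original comments and not polkit or PackageKit code: a small stand-in for polkit's rule evaluation that runs the rule quoted above against console and VNC subjects, and shows that an override scoped to `system-sources-refresh` leaves `package-install` behind the admin prompt. The `authorize` and `makeSubject` helpers, the `refreshOnlyRule` override, the subjects and the `package-install` default are assumptions; the `local == false` value for VNC follows a later comment in this thread.

```javascript
// Simplified stand-in for polkitd's rule evaluation (added harness, not polkit code).
const polkit = { Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" } };

const REFRESH = "org.freedesktop.packagekit.system-sources-refresh";
const INSTALL = "org.freedesktop.packagekit.package-install";

// Fallback taken from the action's .policy entry. The REFRESH value is the
// <allow_any> quoted in this thread; the INSTALL value is an assumption.
const POLICY_DEFAULT = { [REFRESH]: "auth_admin", [INSTALL]: "auth_admin" };

// Rules run in order; the first one that returns a result decides,
// otherwise the .policy default applies.
function authorize(rules, actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result && result !== polkit.Result.NOT_HANDLED) return result;
  }
  return POLICY_DEFAULT[actionId];
}

// Constructed subjects; `groups` is a hypothetical field backing isInGroup().
function makeSubject(user, groups, active, local) {
  return { user, active, local, isInGroup: (g) => groups.includes(g) };
}

// The rule quoted in the comment above, unchanged.
function packagekitRule(action, subject) {
  if (action.id == "org.freedesktop.packagekit.package-install" &&
      subject.active == true && subject.local == true &&
      subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
}

// Hypothetical local override scoped to the refresh action only.
function refreshOnlyRule(action, subject) {
  if (action.id == REFRESH) {
    return polkit.Result.YES;
  }
}

const consoleAdmin = makeSubject("admin", ["wheel"], true, true);
const vncAdmin = makeSubject("admin", ["wheel"], true, false); // active, not local
const vncUser = makeSubject("user1", [], true, false);

const rules = [packagekitRule, refreshOnlyRule];
for (const [name, s] of Object.entries({ consoleAdmin, vncAdmin, vncUser })) {
  console.log(name, "refresh:", authorize(rules, REFRESH, s),
              "install:", authorize(rules, INSTALL, s));
}
```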
Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display. I'm guessing the policy agent for PackageKit is gnome-software in this case? i.e. would "gsettings set org.gnome.software download-updates false" be suitable in this environment?

Update: it apparently fails on "subject.local == true" as the VNC session appears to be Active after all.

Hello all, is there any update on this? I confirm it also happens when we create a VM based on redhat under VMware on VDI environments. I'll be pleased to test and report back to find a fix for this.

Kind regards, Carlos.

I don't think this is a PackageKit bug -- it's working as designed. I think either Tigervnc needs to create sessions marked "active" or the polkit auth rule should be locally modified, or the calling software should be disabled. As such this isn't something we're planning to fix, sorry.

From my point of view, in case the users are not meant to do any update, nor install/remove any software, the best option is to not start gnome-software on login at all. That can be done with `sudo rm /etc/xdg/autostart/org.gnome.Software.desktop` (even though it'll re-appear when the gnome-software package is updated) or a similar way to disable the autostart of the process. The advantage is that it'll not use machine resources in the background.

For a code fix in gnome-software, the upstream version uses:

```c
pk_client_set_interactive (PK_CLIENT (task), interactive);
pk_client_set_background (PK_CLIENT (task), !interactive);
```

to let PackageKit know whether it can (or cannot) do credential prompts. pk_client_set_interactive() is not set before pk_client_refresh_cache() in the RHEL 8.8 version of gnome-software (3.36.1); only pk_client_set_background() is used there, derived from the cache age value, not from an explicit "interactive" variable.

> pk_client_set_interactive (PK_CLIENT (task), interactive);

Except it does not work, PackageKit does not seem to check for the interactive flag in this case or something else misbehaves. I'm asked for the password regardless of this change (I verified the "interactive" is FALSE here).
Related gnome-software bug: https://gitlab.gnome.org/GNOME/gnome-software/-/issues/582

And related PackageKit merge request: https://github.com/PackageKit/PackageKit/pull/468 without which one cannot disable Polkit prompts by using the `interactive` flag.

I can confirm that using the last two patches from the PackageKit merge request and patching gnome-software with the added function mentioned in the previous comment fixes the prompt for the VNC users.

I filed bug #2177711 for the PackageKit side of the change.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (gnome-software bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6979