Bug 1884856 - running hostnamectl by user added to wheel group does not ask for password
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: polkit
Version: 33
Hardware: Unspecified
OS: Unspecified
Assignee: Jan Rybar
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-10-03 01:06 UTC by Ganapathi Kamath
Modified: 2020-10-06 17:01 UTC (History)

Type: Bug



Description Ganapathi Kamath 2020-10-03 01:06:52 UTC
Description of problem:
I am not sure if this is correct, as it caught me by surprise and it seemed like new behavior to me.
When 'hostnamectl set-hostname foobar' is run by a user who has been added to wheel, hostnamectl does not ask for a password. Users are added to wheel to gain root access via sudo.

If the user is removed from wheel, and then hostnamectl is run, systemd-hostnamed.service brings up the admin password gnome-shell-UAC-dialog, which seems correct.

The intention of adding user to wheel-group is so that sudo will ask for password (or cache credentials for 5 min) and allow to run commands directly as root without needing to 'su root'

Version-Release number of selected component (if applicable):
fedora 33

How reproducible:
100%

Steps to Reproduce:
1. test behavior of hostnamectl when run by unprivileged user <uname>, before adding unprivileged user to wheel
2. test behavior of hostnamectl when run by root
3. add user to wheel group "usermod -aG wheel <uname>"
4. test behavior of hostnamectl when run by unprivileged user <uname>, and confirm that it changes hostname silently as if root

Actual results:
The wheel user is able to change hostname without needing to sudo

Expected results:
A sudo / gnome-shell-UAC password dialog should show up.

It seems to me that systemd-hostnamed.service automatically confirms that the user is in the wheel group and does not bother with asking for a password. This is not a case of password caching. Credential timeout is not configured, as DEFAULT timestamp_timeout has not been set in sudoers. Credentials, if any, can be cleared with "sudo -k".

While wheel users are supposed to be able to do everything as root, such as by doing "sudo bash", I thought the password asking/caching mechanism is supposed to be a protection.
IMHO, wheel should not totally eliminate the sudo password asking mechanism.

Additional info:

Advance apologies if this is intentional design, and not a bug.

Comment 1 Zbigniew Jędrzejewski-Szmek 2020-10-03 08:11:31 UTC
This is by design, I think. I don't think this is actually encoded by systemd though.
We just specify

```
<action id="org.freedesktop.hostname1.set-hostname">
        <description gettext-domain="systemd">Set hostname</description>
        <message gettext-domain="systemd">Authentication is required to set the local hostname.</message>
        <defaults>
                <allow_any>auth_admin_keep</allow_any>
                <allow_inactive>auth_admin_keep</allow_inactive>
                <allow_active>auth_admin_keep</allow_active>
        </defaults>
</action>
```

in a policy file, and the precise meaning is determined by polkit.
I'll reassign this to polkit for confirmation, but I think this is reasonable behaviour and there isn't
anything to fix.

Comment 2 Ganapathi Kamath 2020-10-03 17:08:25 UTC

```
[gana@localhost]$ sudo cat /etc/sudoers
[sudo] password for gana: 
...

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
[gana@localhost]$
... 
```

sudo skips passwords only if the command-tagspec NOPASSWD: is given.
Credentials are cached indefinitely if timestamp_timeout=0 is set. Neither of which I have set.

The older 'hostname' command would directly inform the kernel and/or directly modify the /etc/hostname file.

https://www.freedesktop.org/software/systemd/man/systemd-hostnamed.service.html#
https://www.freedesktop.org/software/systemd/man/hostnamectl.html
https://www.freedesktop.org/software/systemd/man/org.freedesktop.hostname1.html#
The man page for systemd-hostnamed.service states that the tool hostnamectl is a command line client to this service. 

As you mention, that page also mentions that changing hostname is authenticated via polkit. 

https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
https://wiki.archlinux.org/index.php/Polkit#Bypass_password_prompt
... seems to treat wheel differently from sudo

```
/* Allow members of the wheel group to execute any actions
 * without password authentication, similar to "sudo NOPASSWD:"
 */
```

```
[root@localhost rules.d]# cat /etc/polkit-1/rules.d/50-default.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */

// DO NOT EDIT THIS FILE, it will be overwritten on update
//
// Default rules for polkit
//
// See the polkit(8) man page for more information
// about configuring polkit.

polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});
[root@localhost rules.d]# 
```

It seems to me polkit is trying to replicate functionality of sudo, but not quite achieving identical behavior. Polkit automatically defines unix-group:wheel to be administrators, so directly behaving like "wheel+NOPASSWD:". Polkit has a way of auth timeout-caching passwords by client-process. In a GUI, there may need to be a different way to do "sudo bash/ctrl-D" or "sudo -k".

In windows-10, when logged in as an unprivileged user, there are some control-panels in which options remain greyed out. When a user clicks a "change settings" hyperlink, the user auths for admin privilege, only after which options are changeable.

I would guess the difference between admin group and wheel group would be that the admin-users are root-equivalent users, while the wheel-users are unprivileged users who need root access temporarily. The general advice for avoiding trojans/malware etc is to login and use the computer not as an admin user but as an unprivileged user. The wheel sudo-ing was a best of both worlds for self-managed computers.

The reason why someone would prefer "wheel" over "wheel+NOPASSWD:" is so that an unprivileged user remains unprivileged unless the user consciously and explicitly asks for sudo powers to prevent inadvertent changes. The sudo power can then be timed-out or be relinquished later.

Maybe hostnamectl is not the only tool where this happens. Perhaps there are many places in the GUI/settings and other commands where wheel-powers are automatically applied.
I could live with the change, but it seems like some security is lost.

Comment 3 Miloslav Trmač 2020-10-03 17:48:56 UTC
(I’m no longer working on polkit and I won’t be investigating the details.)

Before this gets too far into assumptions about what is / should be going on, on an old Fedora 28:

> $ LC_ALL=en_US.UTF-8 id -a
> uid=…(…) gid=…(…) groups=…(…),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> $ hostnamectl set-hostname foo
> ==== AUTHENTICATING FOR org.freedesktop.hostname1.set-static-hostname ====
> Authentication is required to set the statically configured local host name, as well as the pretty host name.
> Authenticating as: Miloslav Trmač (…)
> Password: 

and that matches my expectation.

I don’t dispute at all that the password is not required for you, but either _something_ has changed since Fedora 28, or _something_ is different about the environment, and someone will need to figure out what.

Comment 4 Ganapathi Kamath 2020-10-03 20:52:52 UTC
I too jumped from 30 -> 33

Setup is 
Win10 -> Virtualbox -> Linux-VM
Fresh fedora workstation 33 setup onto a partition
Installed from Fedora-Everything-netinst-x86_64-33-20200929.n.0.iso

So the system partition is a fresh installation
I copied over my /home/gana directory, and so there is lot of user leftover config clutter.

Next time I boot into dual-boot setup Linux fedora-workstation 30, I will check to see what hostnamectl does there. Have been procrastinating/preparing to do a fresh install there. I've been dnf-upgrading that since fedora-1x.

Comment 5 Ganapathi Kamath 2020-10-04 03:05:30 UTC
Seems to be the same odd-new behavior on Fedora-30 all updates to EOL applied. 

```
[gana@hname ~]$ cat /etc/group | grep gana
wheel:x:10:gana
gana:x:1000:mpd
vboxusers:x:975:gana
[gana@hname ~]$ hostnamectl set-hostname qq
[gana@hname ~]$ cat /etc/hostname
qq
[gana@hname ~]$ hostnamectl set-hostname hname
[gana@hname ~]# rpm -qa | egrep -i "^polkit-0|^systemd-2"
systemd-241-14.git18dd3fb.fc30.x86_64
polkit-0.116-2.fc30.2.x86_64
});
```

/etc/polkit-1/rules.d/50-default.rules has the return ["unix-group:wheel"

Comment 6 Ganapathi Kamath 2020-10-06 00:16:57 UTC
Policykit-0.6.1 Fedora-8 2007, first introduced into Fedora 
polkit-0.95 Fedora-12 2009 
polkit-0.106 Fedora-18 changed the language in which policy files are written
Fedora-18 introduced hostnamectl 

There seem to be no preconfigured defaults in

```
# find /etc/polkit-1/localauthority
/etc/polkit-1/localauthority
/etc/polkit-1/localauthority/10-vendor.d
/etc/polkit-1/localauthority/20-org.d
/etc/polkit-1/localauthority/30-site.d
/etc/polkit-1/localauthority/50-local.d
/etc/polkit-1/localauthority/90-mandatory.d
```


The file 
/usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
has the action policy to ask for password

polkit-pkla-compat in fedora-30 has only stub folders for /etc/polkit-1/localauthority
and also again in /var/lib/polkit-1/localauthority
q1) Why two places, /etc and /var?
q2) Why are the directories empty?

rpm description: A polkit JavaScript rule and associated helpers that mostly provide compatibility with the .pkla file format supported in polkit <= 0.105 for users

https://pkgs.org/search/?q=polkit-pkla-compat
I think this package did not exist before f30 (not sure)
It seems to be missing the defaults. (again unsure)

I can't seem to dig/google search for earlier package infos.

Ref:
https://forums.fedoraforum.org/showthread.php?300450-gnome-packagekit-installer-no-longer-asks-for-password
https://askubuntu.com/questions/98006/how-do-i-prevent-policykit-from-asking-for-a-password

Comment 7 Ganapathi Kamath 2020-10-06 00:40:51 UTC
'polkit Local Authority' was an older pre-2013 file format for specifying policy. My understanding is it was supposed to be replaced with javascript like configuration. Local-authority was to be replaced by a polkitBackendAUthority
http://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html

Comment 8 Ganapathi Kamath 2020-10-06 01:45:00 UTC
In the below bus-name is changing, as is the process id

$ hostnamectl set-hostname QQQQQ ; hostnamectl set-hostname WWWWW  ;hostnamectl set-hostname EEEEE &
[1] 115437

$ echo $!
115437

--------------------------------
$ journalctl -xf



Oct 05 21:21:14 EEEEE polkitd[851]: Registered Authentication Agent for unix-process:115381:2311693 (system bus name :1.1478 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Oct 05 21:21:14 EEEEE audit: BPF prog-id=75 op=LOAD

Oct 05 21:21:14 EEEEE audit: BPF prog-id=76 op=LOAD

Oct 05 21:21:14 EEEEE systemd[1]: Starting Hostname Service...

░░ Subject: A start job for unit systemd-hostnamed.service has begun execution

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit systemd-hostnamed.service has begun execution.

░░ 

░░ The job identifier is 23601.

Oct 05 21:21:14 EEEEE audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:21:14 EEEEE systemd[1]: Started Hostname Service.

░░ Subject: A start job for unit systemd-hostnamed.service has finished successfully

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit systemd-hostnamed.service has finished successfully.

░░ 

░░ The job identifier is 23601.

Oct 05 21:21:14 QQQQQ systemd-resolved[748]: System hostname changed to 'QQQQQ'.

Oct 05 21:21:14 QQQQQ systemd-hostnamed[115386]: Changed static hostname to 'QQQQQ'

Oct 05 21:21:14 QQQQQ NetworkManager[899]: <info>  [1601947274.6380] hostname: hostname changed from "EEEEE" to "QQQQQ"

Oct 05 21:21:14 QQQQQ polkitd[851]: Unregistered Authentication Agent for unix-process:115381:2311693 (system bus name :1.1478, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Oct 05 21:21:14 QQQQQ NetworkManager[899]: <info>  [1601947274.6391] policy: set-hostname: set hostname to 'QQQQQ' (from system configuration)

Oct 05 21:21:14 QQQQQ systemd[1]: Starting Network Manager Script Dispatcher Service...

░░ Subject: A start job for unit NetworkManager-dispatcher.service has begun execution

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit NetworkManager-dispatcher.service has begun execution.

░░ 

░░ The job identifier is 23770.

Oct 05 21:21:14 QQQQQ systemd[1]: Started Network Manager Script Dispatcher Service.

░░ Subject: A start job for unit NetworkManager-dispatcher.service has finished successfully

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit NetworkManager-dispatcher.service has finished successfully.

░░ 

░░ The job identifier is 23770.

Oct 05 21:21:14 QQQQQ audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:21:14 QQQQQ polkitd[851]: Registered Authentication Agent for unix-process:115399:2311706 (system bus name :1.1481 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Oct 05 21:21:14 WWWWW systemd-resolved[748]: System hostname changed to 'WWWWW'.

Oct 05 21:21:14 WWWWW systemd-hostnamed[115386]: Changed static hostname to 'WWWWW'

Oct 05 21:21:14 WWWWW NetworkManager[899]: <info>  [1601947274.7986] hostname: hostname changed from "QQQQQ" to "WWWWW"

Oct 05 21:21:14 WWWWW NetworkManager[899]: <info>  [1601947274.7987] policy: set-hostname: current hostname was changed outside NetworkManager: 'EEEEE'

Oct 05 21:21:14 WWWWW NetworkManager[899]: <info>  [1601947274.7987] policy: set-hostname: set hostname to 'WWWWW' (from system configuration)

Oct 05 21:21:14 WWWWW polkitd[851]: Unregistered Authentication Agent for unix-process:115399:2311706 (system bus name :1.1481, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Oct 05 21:21:14 WWWWW polkitd[851]: Registered Authentication Agent for unix-process:115437:2311722 (system bus name :1.1484 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Oct 05 21:21:14 EEEEE systemd-resolved[748]: System hostname changed to 'EEEEE'.

Oct 05 21:21:14 EEEEE systemd-hostnamed[115386]: Changed static hostname to 'EEEEE'

Oct 05 21:21:14 EEEEE NetworkManager[899]: <info>  [1601947274.9757] hostname: hostname changed from "WWWWW" to "EEEEE"

Oct 05 21:21:14 EEEEE NetworkManager[899]: <info>  [1601947274.9758] policy: set-hostname: current hostname was changed outside NetworkManager: 'EEEEE'

Oct 05 21:21:14 EEEEE polkitd[851]: Unregistered Authentication Agent for unix-process:115437:2311722 (system bus name :1.1484, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)


--------------------------------

On the other hand, if the user is removed from the wheel group, one gets the following logs. Entered password 3 times totally, once for each hostnamectl command. So it's neither caching credentials for a totally unprivileged user. As was done before, process id of the last hostnamectl invocation was 116983



Oct 05 21:40:22 EEEEE polkitd[851]: Registered Authentication Agent for unix-process:116875:2426497 (system bus name :1.1657 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Oct 05 21:40:22 EEEEE audit: BPF prog-id=119 op=LOAD

Oct 05 21:40:22 EEEEE audit: BPF prog-id=120 op=LOAD

Oct 05 21:40:22 EEEEE systemd[1]: Starting Hostname Service...

░░ Subject: A start job for unit systemd-hostnamed.service has begun execution

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit systemd-hostnamed.service has begun execution.

░░ 

░░ The job identifier is 28166.

Oct 05 21:40:22 EEEEE systemd[1]: Started Hostname Service.

░░ Subject: A start job for unit systemd-hostnamed.service has finished successfully

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit systemd-hostnamed.service has finished successfully.

░░ 

░░ The job identifier is 28166.

Oct 05 21:40:22 EEEEE audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:22 EEEEE systemd[1]: Starting Fingerprint Authentication Daemon...

░░ Subject: A start job for unit fprintd.service has begun execution

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit fprintd.service has begun execution.

░░ 

░░ The job identifier is 28335.

Oct 05 21:40:22 EEEEE audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:22 EEEEE systemd[1]: Started Fingerprint Authentication Daemon.

░░ Subject: A start job for unit fprintd.service has finished successfully

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit fprintd.service has finished successfully.

░░ 

░░ The job identifier is 28335.

Oct 05 21:40:24 EEEEE audit[116897]: USER_AUTH pid=116897 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:24 EEEEE audit[116897]: USER_ACCT pid=116897 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:24 EEEEE polkitd[851]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.hostname1.set-static-hostname for system-bus-name::1.1656 [hostnamectl set-hostname QQQQQ] (owned by unix-user:gana)

Oct 05 21:40:24 QQQQQ systemd-resolved[748]: System hostname changed to 'QQQQQ'.

Oct 05 21:40:24 QQQQQ systemd-hostnamed[116881]: Changed static hostname to 'QQQQQ'

Oct 05 21:40:24 QQQQQ NetworkManager[899]: <info>  [1601948424.8169] hostname: hostname changed from "EEEEE" to "QQQQQ"

Oct 05 21:40:24 QQQQQ NetworkManager[899]: <info>  [1601948424.8170] policy: set-hostname: current hostname was changed outside NetworkManager: 'EEEEE'

Oct 05 21:40:24 QQQQQ NetworkManager[899]: <info>  [1601948424.8170] policy: set-hostname: set hostname to 'QQQQQ' (from system configuration)

Oct 05 21:40:24 QQQQQ systemd[1]: Starting Network Manager Script Dispatcher Service...

░░ Subject: A start job for unit NetworkManager-dispatcher.service has begun execution

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit NetworkManager-dispatcher.service has begun execution.

░░ 

░░ The job identifier is 28504.

Oct 05 21:40:24 QQQQQ audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:24 QQQQQ systemd[1]: Started Network Manager Script Dispatcher Service.

░░ Subject: A start job for unit NetworkManager-dispatcher.service has finished successfully

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ A start job for unit NetworkManager-dispatcher.service has finished successfully.

░░ 

░░ The job identifier is 28504.

Oct 05 21:40:24 QQQQQ polkitd[851]: Unregistered Authentication Agent for unix-process:116875:2426497 (system bus name :1.1657, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Oct 05 21:40:25 QQQQQ polkitd[851]: Registered Authentication Agent for unix-process:116910:2426725 (system bus name :1.1664 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Oct 05 21:40:27 QQQQQ audit[116963]: USER_AUTH pid=116963 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:27 QQQQQ audit[116963]: USER_ACCT pid=116963 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:27 QQQQQ polkitd[851]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.hostname1.set-static-hostname for system-bus-name::1.1663 [hostnamectl set-hostname WWWWW] (owned by unix-user:gana)

Oct 05 21:40:27 WWWWW systemd-hostnamed[116881]: Changed static hostname to 'WWWWW'

Oct 05 21:40:27 WWWWW systemd-resolved[748]: System hostname changed to 'WWWWW'.

Oct 05 21:40:27 WWWWW NetworkManager[899]: <info>  [1601948427.3193] hostname: hostname changed from "QQQQQ" to "WWWWW"

Oct 05 21:40:27 WWWWW NetworkManager[899]: <info>  [1601948427.3197] policy: set-hostname: current hostname was changed outside NetworkManager: 'EEEEE'

Oct 05 21:40:27 WWWWW NetworkManager[899]: <info>  [1601948427.3198] policy: set-hostname: set hostname to 'WWWWW' (from system configuration)

Oct 05 21:40:27 WWWWW polkitd[851]: Unregistered Authentication Agent for unix-process:116910:2426725 (system bus name :1.1664, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Oct 05 21:40:27 WWWWW polkitd[851]: Registered Authentication Agent for unix-process:116983:2426974 (system bus name :1.1668 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Oct 05 21:40:29 WWWWW audit[117038]: USER_AUTH pid=117038 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:29 WWWWW audit[117038]: USER_ACCT pid=117038 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:29 WWWWW polkitd[851]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.hostname1.set-static-hostname for system-bus-name::1.1667 [hostnamectl set-hostname EEEEE] (owned by unix-user:gana)

Oct 05 21:40:29 EEEEE systemd-hostnamed[116881]: Changed static hostname to 'EEEEE'

Oct 05 21:40:29 EEEEE systemd-resolved[748]: System hostname changed to 'EEEEE'.

Oct 05 21:40:29 EEEEE NetworkManager[899]: <info>  [1601948429.6806] hostname: hostname changed from "WWWWW" to "EEEEE"

Oct 05 21:40:29 EEEEE NetworkManager[899]: <info>  [1601948429.6807] policy: set-hostname: current hostname was changed outside NetworkManager: 'EEEEE'

Oct 05 21:40:29 EEEEE polkitd[851]: Unregistered Authentication Agent for unix-process:116983:2426974 (system bus name :1.1668, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Oct 05 21:40:35 EEEEE systemd[1]: systemd-timedated.service: Succeeded.

░░ Subject: Unit succeeded

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ The unit systemd-timedated.service has successfully entered the 'dead' state.

Oct 05 21:40:35 EEEEE audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:35 EEEEE audit: BPF prog-id=118 op=UNLOAD

Oct 05 21:40:35 EEEEE audit: BPF prog-id=117 op=UNLOAD

Oct 05 21:40:35 EEEEE audit: BPF prog-id=116 op=UNLOAD

Oct 05 21:40:39 EEEEE systemd[1]: NetworkManager-dispatcher.service: Succeeded.

░░ Subject: Unit succeeded

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ The unit NetworkManager-dispatcher.service has successfully entered the 'dead' state.

Oct 05 21:40:39 EEEEE audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:52 EEEEE systemd[1]: fprintd.service: Succeeded.

░░ Subject: Unit succeeded

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ The unit fprintd.service has successfully entered the 'dead' state.

Oct 05 21:40:52 EEEEE audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'


Oct 05 21:40:59 EEEEE systemd[1]: systemd-hostnamed.service: Succeeded.

░░ Subject: Unit succeeded

░░ Defined-By: systemd

░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel

░░ 

░░ The unit systemd-hostnamed.service has successfully entered the 'dead' state.

Oct 05 21:40:59 EEEEE audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Oct 05 21:40:59 EEEEE audit: BPF prog-id=120 op=UNLOAD

Oct 05 21:40:59 EEEEE audit: BPF prog-id=119 op=UNLOAD







--------------------------------

In the gnome-control-center, I confirmed that settings such as date-time are automatically greyed out if the user is removed from the wheel group, and automatically editable if added back to the wheel group. No passwords asked.
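
The difference between the two journal excerpts in Comment 8 can be checked mechanically: in the non-wheel run every hostname change follows a polkitd "successfully authenticated" record, while in the wheel run none does. The following is an added example, not part of the original report; `auditHostnameChanges` and `unauthenticatedChanges` are hypothetical names, and the sample lines are copied from the excerpts above in abridged form.

```javascript
// Added example: flag hostname changes that were not preceded by a polkit
// authentication record. Sample lines are abridged copies of Comment 8's journal.
const WHEEL_RUN = [
  "Oct 05 21:21:14 EEEEE polkitd[851]: Registered Authentication Agent for unix-process:115381:2311693 (system bus name :1.1478)",
  "Oct 05 21:21:14 QQQQQ systemd-hostnamed[115386]: Changed static hostname to 'QQQQQ'",
  "Oct 05 21:21:14 QQQQQ polkitd[851]: Unregistered Authentication Agent for unix-process:115381:2311693 (system bus name :1.1478)",
  "Oct 05 21:21:14 WWWWW systemd-hostnamed[115386]: Changed static hostname to 'WWWWW'",
  "Oct 05 21:21:14 EEEEE systemd-hostnamed[115386]: Changed static hostname to 'EEEEE'",
];

const NON_WHEEL_RUN = [
  "Oct 05 21:40:24 EEEEE audit[116897]: USER_AUTH pid=116897 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct=\"root\" exe=\"/usr/lib/polkit-1/polkit-agent-helper-1\" res=success'",
  "Oct 05 21:40:24 EEEEE polkitd[851]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.hostname1.set-static-hostname for system-bus-name::1.1656 [hostnamectl set-hostname QQQQQ] (owned by unix-user:gana)",
  "Oct 05 21:40:24 QQQQQ systemd-hostnamed[116881]: Changed static hostname to 'QQQQQ'",
  "Oct 05 21:40:27 QQQQQ polkitd[851]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.hostname1.set-static-hostname for system-bus-name::1.1663 [hostnamectl set-hostname WWWWW] (owned by unix-user:gana)",
  "Oct 05 21:40:27 WWWWW systemd-hostnamed[116881]: Changed static hostname to 'WWWWW'",
  "Oct 05 21:40:29 WWWWW polkitd[851]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.hostname1.set-static-hostname for system-bus-name::1.1667 [hostnamectl set-hostname EEEEE] (owned by unix-user:gana)",
  "Oct 05 21:40:29 EEEEE systemd-hostnamed[116881]: Changed static hostname to 'EEEEE'",
];

// polkitd record written after a successful interactive authentication.
const AUTH_RE = /polkitd\[\d+\]: Operator of \S+ successfully authenticated as (\S+) to gain \S+ authorization for action (org\.freedesktop\.hostname1\.\S+) for \S+ \[[^\]]*\] \(owned by ([^)]+)\)/;
// systemd-hostnamed record written when the static hostname is changed.
const CHANGE_RE = /systemd-hostnamed\[\d+\]: Changed static hostname to '([^']*)'/;

// Walk the journal in order and pair each hostname change with the
// authentication record (if any) seen since the previous change.
function auditHostnameChanges(lines) {
  const findings = [];
  let auth = null; // authentication not yet consumed by a change
  for (const line of lines) {
    let m;
    if ((m = AUTH_RE.exec(line))) {
      auth = { authAs: m[1], action: m[2], owner: m[3] };
    } else if ((m = CHANGE_RE.exec(line))) {
      findings.push({
        time: line.slice(0, 15),
        hostname: m[1],
        authenticated: auth !== null,
        authAs: auth ? auth.authAs : null,
        action: auth ? auth.action : null,
        owner: auth ? auth.owner : null,
      });
      // Each hostnamectl run is a new process, so a kept authorization
      // from one run is not expected to cover the next.
      auth = null;
    }
  }
  return findings;
}

// Hostnames that were set without a matching authentication record.
function unauthenticatedChanges(lines) {
  return auditHostnameChanges(lines)
    .filter((f) => !f.authenticated)
    .map((f) => f.hostname);
}

console.log("wheel run, unauthenticated:", unauthenticatedChanges(WHEEL_RUN));
console.log("non-wheel run, unauthenticated:", unauthenticatedChanges(NON_WHEEL_RUN));
```

On a live system the same function can be fed the lines of `journalctl` output for the period of interest.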

Comment 9 Ganapathi Kamath 2020-10-06 02:53:05 UTC
I will eventually delete the below file later, as it makes no difference. 
# cat /etc/polkit-1/localauthority.conf.d/99-wheel.conf 
[Configuration]
AdminIdentities=unix-group:wheel


# /usr/bin/pkla-admin-identities
unix-group:wheel

For some reason the following javascript rule installed by polkit-pkla-compat is not doing its job 

```
# cat /etc/polkit-1/rules.d/49-polkit-pkla-compat.rules 
polkit.addAdminRule(function(action, subject) {
	polkit.log('Starting1 pkla-admin-identities\n');
	// Let exception, if any, propagate to the JS authority
	var res = polkit.spawn(['/usr/bin/pkla-admin-identities']);
	polkit.log('Got1 "' + res.replace(/\n/g, '\\n') + '"\n');
	if (res == '')
		return null;
	var identities = res.split('\n');
	//polkit.log('Identities: ' + identities.join(',') + '\n');
	if (identities[identities.length - 1] == '')
		identities.pop()
	//polkit.log('Returning: ' + identities.join(',') + '\n');
	return identities;
});

polkit.addRule(function(action, subject) {
	var params = ['/usr/bin/pkla-check-authorization',
		      subject.user, subject.local ? 'true' : 'false',
		      subject.active ? 'true' : 'false', action.id];
	polkit.log('Starting2 ' + params.join(' ') + '\n');
	var res = polkit.spawn(params);
	polkit.log('Got2 "' + res.replace(/\n/g, '\\n') + '"\n');
	if (res == '')
		return null;
	return res.replace(/\n$/, '');
});
```

# /usr/bin/pkla-check-authorization gana true true org.freedesktop.hostname1.set-static-hostname
# echo $?
0
# 



$ hh=EEEEE$RANDOM ; echo $hh ; hostnamectl set-hostname $hh &
EEEEE2612
[1] 119459
$ echo $!
119459

# journalctl -xf 
Oct 05 22:42:03 EEEEE2612 polkitd[118981]: <no filename>:22: Got2 ""
Oct 05 22:42:03 EEEEE2612 polkitd[118981]: <no filename>:20: Starting2 /usr/bin/pkla-check-authorization gana true true org.freedesktop.hostname1.set-static-hostname
Oct 05 22:42:03 EEEEE2612 polkitd[118981]: <no filename>:22: Got2 ""
Oct 05 22:42:03 EEEEE24487 systemd-resolved[748]: System hostname changed to 'EEEEE24487'.



Below: I could be wrong.
I think, in the rule, pkla-check-authorization should have returned AUTH_ADMIN_KEEP.
I think pkla-check-authorization is short-circuiting the check, returning '', which causes the rule to return null, which perhaps causes polkit to do the default behavior of allowing wheel passwordless.
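
For reference, polkit(8) documents the evaluation order: rule files are read in lexical order of basename, `addRule()` functions are called in the order added until one returns a value, and if none does, the defaults from the action's `.policy` file apply. The following is an added example that models that order for the rule files quoted in this thread; it is not polkit source code. `makeAuthority` and `resolve` are hypothetical names, the helper outputs are the ones shown in Comment 9, and the fallback admin identity of `unix-user:0` is an assumption.

```javascript
// Added example: a small model of polkit rule evaluation as documented in
// polkit(8). Not polkit's implementation; names are illustrative.
function makeAuthority({ policyDefaults, spawnOutputs }) {
  const rules = [];
  const adminRules = [];
  const polkit = {
    addRule(fn) { rules.push(fn); },
    addAdminRule(fn) { adminRules.push(fn); },
    log() {},
    // Stand-in for polkit.spawn(): canned helper output keyed by program path.
    spawn(argv) { return spawnOutputs[argv[0]] ?? ''; },
  };
  // Call functions in registration order until one returns a value.
  const firstAnswer = (fns, action, subject) => {
    for (const fn of fns) {
      const r = fn(action, subject);
      if (r !== null && r !== undefined) return r;
    }
    return null;
  };
  return {
    // files: { basename: loader }, loaded in lexical order of basename.
    load(files) {
      for (const name of Object.keys(files).sort()) files[name](polkit);
    },
    check(actionId, subject) {
      const action = { id: actionId };
      const fromRule = firstAnswer(rules, action, subject);
      return {
        // No rule answered: fall back to the action's .policy default.
        result: fromRule ?? policyDefaults[actionId],
        decidedBy: fromRule === null ? 'policy default' : 'rule',
        // Assumption: root is the admin identity when no admin rule answers.
        admins: firstAnswer(adminRules, action, subject) ?? ['unix-user:0'],
      };
    },
  };
}

const ACTION = 'org.freedesktop.hostname1.set-hostname'; // action shown in Comment 1

// Rule files quoted in this thread, reduced to their decision logic.
const SHIPPED = {
  '49-polkit-pkla-compat.rules': (polkit) => {
    polkit.addAdminRule(() => {
      const res = polkit.spawn(['/usr/bin/pkla-admin-identities']);
      if (res === '') return null;
      const ids = res.split('\n');
      if (ids[ids.length - 1] === '') ids.pop();
      return ids;
    });
    polkit.addRule((action, subject) => {
      const res = polkit.spawn(['/usr/bin/pkla-check-authorization', subject.user]);
      if (res === '') return null; // empty helper output: no decision
      return res.replace(/\n$/, '');
    });
  },
  '50-default.rules': (polkit) => {
    polkit.addAdminRule(() => ['unix-group:wheel']);
  },
};

// The override posted in Comment 11; sorts before 49- and 50-.
const OVERRIDE = {
  '40-hostname.rules': (polkit) => {
    polkit.addRule((action, subject) => {
      if (action.id.indexOf('org.freedesktop.hostname1.') === 0) {
        return subject.isInGroup('wheel') ? 'auth_admin_keep' : 'no';
      }
    });
  },
};

function resolve(groups, withOverride) {
  const authority = makeAuthority({
    policyDefaults: { [ACTION]: 'auth_admin_keep' }, // from the .policy in Comment 1
    spawnOutputs: {
      '/usr/bin/pkla-admin-identities': 'unix-group:wheel\n',
      '/usr/bin/pkla-check-authorization': '', // logged as Got2 "" in Comment 9
    },
  });
  authority.load(withOverride ? { ...SHIPPED, ...OVERRIDE } : SHIPPED);
  const subject = {
    user: 'gana', local: true, active: true,
    isInGroup: (g) => groups.includes(g),
  };
  return authority.check(ACTION, subject);
}

console.log('wheel, shipped rules:', resolve(['wheel'], false));
console.log('wheel, with override:', resolve(['wheel'], true));
console.log('non-wheel, with override:', resolve([], true));
```

In this model a null from the compat rule falls through to the `.policy` default rather than granting access, and the `40-` file decides first once it is present.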

Comment 10 Ganapathi Kamath 2020-10-06 03:25:11 UTC
The above troubleshooting was under the assumption that pkla-check works. 
Perhaps all it does now is return '' as it is being obsoleted and removed.


The snippet by  Zbigniew Jędrzejewski-Szmek in comment 1
is the same as in 
/usr/share/polkit-1/actions/org.freedesktop.hostname1.policy


Perhaps these XML snippets in /usr/share/polkit-1/actions are supposed to be pre-compiled into polkit-kernel, or their javascript equivalents are missing from distribution. The snippet itself says that for changing static hostname, the response="AUTH_ADMIN_KEEP" should be returned. Presently polkit rules just match the wheel group and behave like response="YES" (authorization without authentication)

Comment 11 Ganapathi Kamath 2020-10-06 16:37:03 UTC
I created the following file rule and added it to the rules folder
```
$ cat /etc/polkit-1/rules.d/40-hostname.rules
polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.hostname1.") == 0) {
    if (subject.isInGroup("wheel")) {
      return "auth_admin_keep";
    }else{
      return "no";
    }  
  }
});
```

If "hostnamectl set-hostname foo" is issued, 
  When user is in wheel group
    in Gui, the gnome-shell UAC asks for password 
    In linux console, the terminal itself prompts for password
  When user is not in wheel group
    the setting of hostname is denied 
The 5 minute 'keep' is redundant because polkit gives 5 minute access per processid, and each time hostnamectl runs with a different process-id and bus-name. 

(user in wheel) $ hostnamectl set-hostname ww
authenticates, asks for user password
(user in wheel) $ 

(user not in wheel) $ hostnamectl set-hostname qq
Could not set property: Access denied
(user not in wheel) $

A polkit authorization type is determined based on a combination of polkit-id, process id and/or bus name. 
A polkit authorization type can be one of: no, yes, auth_self, auth_self_keep, auth_admin, auth_admin_keep 

So I think: 

a) Someone should have created the javascript defaults for all the commonly known application permissions that are already listed in /usr/share/polkit-1/actions. Since there are potentially infinite applications with their own permission needs, this cannot be done for every application on the polkit development side. So the problem is that policy-rule maintenance is best left to the application developers.
Understandably, there is some inertia among the application developers in maintaining their own polkit rule. But it can't hurt to have all the basic programs covered. Possibly, the app developers already have the polkit rule, but their rpm distribution does not include it. If this is the case, hostnamectl should include the polkit rules as part of its install. As David had mentioned in his blog, different people will have different opinions on security, but some secure starting point should be provided which can be reconfigured to be lenient if preferred.

b) Users should not have to handcraft permissions for every polkit check out there. Polkit should also have a helper tool that allows a user to reconfigure policy and make a rule in /etc/polkit-1/rules.d, such as polkit explorer. Selinux does something similar. If something is prevented by selinux, it is logged. There exist tools such as seaudit and sepol that can be used to apply suitable access control.

c) The default must not be to authorize without authentication (YES) even as wheel. This seems wrong. The default should be to authenticate as administrator, AUTH_ADMIN or AUTH_ADMIN_KEEP, which should be configurable. The current problem is that, even if the security issue with hostnamectl is solved, some other command still has wheel power without authentication.

d) One alternate strategy I could think of in case that default wheel-Yes-authorization cannot be changed, is 
  - use wheel group only for definite half-root-like admins
  - remove unprivileged user from wheel
  - create a new group tmpadmin/staff 
  - create authorize javascript rules for every rule-id that matters, so that access can be caught by rules that do auth_self or auth_admin before falling onto the AdminRule default.

e) Changing default to wheel-admin-auth authorization, will sort of force those application maintainers to also maintain their own sane use-case preferred polkit-rule. 
The problem on their side may be that not all systems they target use polkit. 

f) The idea used by "sudo", that one should sudo to another privileged user by having knowledge of that privileged account's password is perhaps an obsolete security mechanism. It is best/the new way to authenticate as self or admin, and authorize by role(group) membership. 

g) conclusion: 
   g1) imho the yes-auth default for addAdminRule(), though overridable on a case by case basis using rules, is a bug. It is better to err on the side of harder authorization than easy authorization. At least this default should be independently configurable.
   g2) many javascript rules need to be created to provide secure authentications where required. Furthermore, this will allow full-removal of pkla-compat

Comment 12 Ganapathi Kamath 2020-10-06 17:01:33 UTC
I created the following file numerically beyond 50-default.rules

# cat /etc/polkit-1/rules.d/60-def-adminkeep.rules 
polkit.addRule(function(action, subject) {
  if (subject.isInGroup("wheel")) {
    return "auth_admin_keep";
  }else{
    return "no";
  }  
});

It turns out this achieves something similar to changing the default from "admin-group yes authorization" to "admin-group auth_admin_keep authorization" by acting like a catch all for everything before the default is applied.

I confirmed that 
- as user in wheel group,
    - hostnamectl will ask for password before effecting changes
    - in the gnome-control center, the date-time pane has an "unlock" button at the top, other controls are greyed. Upon clicking unlock, one authenticates, controls are ungreyed, allowing changes. 
- as ordinary user 
    - hostnamectl set-hostname will be denied
    - date-time panel is greyed out with no unlock button

In the brief 15 minutes I have used this, I had one spurious "admin auth" asked by something. It is to be seen if excessive admin auths in desktop is found to be troublesome.
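
Added example, not part of the bug report or of polkit: a small Node.js model of polkit's documented rule evaluation (rule functions run in the order added, the first returned value wins, otherwise the action's implicit default applies), used to compare the scoped rule from comment 11 with the catch-all from comment 12. The harness, the `org.example.demo.harmless-action` id and the implicit defaults passed in are assumptions made for the illustration; addAdminRule() is not modeled.

```javascript
// Offline model of polkit .rules evaluation (illustration only, not polkitd).
// Modeled behaviour, per polkit(8): rule functions run in the order they were
// added and the first one that returns a value decides; if none returns a
// value, the implicit default from the action's .policy file applies.
function makeEngine() {
  const rules = [];
  const polkit = { addRule: (fn) => rules.push(fn) };
  function check(actionId, groups, implicitDefault) {
    const action = { id: actionId };
    const subject = { isInGroup: (g) => groups.includes(g) };
    for (const rule of rules) {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) return result;
    }
    return implicitDefault; // no rule answered
  }
  return { polkit, check };
}

// Same logic as the rule in comment 11: only org.freedesktop.hostname1.* ids.
function loadScopedRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id.indexOf("org.freedesktop.hostname1.") == 0) {
      return subject.isInGroup("wheel") ? "auth_admin_keep" : "no";
    }
  });
}

// Same logic as the rule in comment 12: answers for every action id.
function loadCatchAllRule(polkit) {
  polkit.addRule(function (action, subject) {
    return subject.isInGroup("wheel") ? "auth_admin_keep" : "no";
  });
}

// Constructed sample inputs.
const HOSTNAME = "org.freedesktop.hostname1.set-static-hostname";
const OTHER = "org.example.demo.harmless-action"; // hypothetical action id

function evaluate(loader, actionId, groups, implicitDefault) {
  const { polkit, check } = makeEngine();
  loader(polkit);
  return check(actionId, groups, implicitDefault);
}

// Non-wheel user, action whose own default is assumed to be "yes":
console.log("scoped rule:   ", evaluate(loadScopedRule, OTHER, ["users"], "yes"));
console.log("catch-all rule:", evaluate(loadCatchAllRule, OTHER, ["users"], "yes"));
```

In this model the catch-all answers "no" for a non-wheel user even on an action whose own default would have been "yes", while the scoped rule leaves unrelated actions to their defaults.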

