Bug 609799 - system-config-firewall shows polkit error
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: polkit
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assigned To: David Zeuthen
QA Contact: BaseOS QE Security Team
Reported: 2010-07-01 03:00 EDT by Miroslav Vadkerti
Modified: 2013-03-05 23:03 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-07-12 15:38:54 EDT
Attachments:
system-config-firewall polkit error (107.88 KB, image/png)
2010-07-01 03:04 EDT, Miroslav Vadkerti
Description Miroslav Vadkerti 2010-07-01 03:00:23 EDT
Description of problem:
After running system-config-firewall as a non-root user, a polkit error appears. See attached screenshot.

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.25-1.el6.noarch

How reproducible:
In my installation 100%

Steps to Reproduce:
1. Run system-config-firewall as user
  
Actual results:
Error

Expected results:
No error -> ask for root password

Additional info:
Comment 1 Miroslav Vadkerti 2010-07-01 03:01:14 EDT
Polkit version:
polkit-0.96-1.el6.x86_64
Comment 2 Miroslav Vadkerti 2010-07-01 03:04:45 EDT
Created attachment 428188 [details]
system-config-firewall polkit error
Comment 3 Thomas Woerner 2010-07-01 05:42:02 EDT
Please check if there are SELinux errors or DBUS errors and add the output of "rpm -V system-config-firewall"
Comment 4 Miroslav Vadkerti 2010-07-01 15:31:12 EDT
State: Thomas is investigating this issue.

Note to appearance of the bug: 
This bug was observed only when s-c-firewall is launched via ssh -X or in a vnc session. Running it locally on a machine works well.
Comment 5 Thomas Woerner 2010-07-05 06:25:25 EDT
This seems to be a polkit problem.

David, what do you think?
Comment 6 David Zeuthen 2010-07-07 10:51:01 EDT
Why do you think it's a polkit problem? All I see is a long error name. I don't think that's enough to reassign bugs, sorry :-)

Btw, 'ssh -X' or 'vnc session' does not count toward active or local sessions (and are not even in the ConsoleKit database) so I doubt polkit would answer in the affirmative when checking any authorization. In fact, it would default to the value of the <allow_any> element inside the <defaults> element. And this is clearly set to 'no':

  $ pkaction --action-id org.fedoraproject.config.firewall.auth --verbose
  org.fedoraproject.config.firewall.auth:
    description:       Firewall authorization
    message:           Authentication is required to read and modify firewall settings
    vendor:            System Config Firewall
    vendor_url:        http://fedorahosted.org/system-config-firewall
    icon:              
    implicit any:      no
    implicit inactive: no
    implicit active:   auth_admin_keep

so what we're seeing here is just things working correctly.
Comment 7 Thomas Woerner 2010-07-08 09:41:32 EDT
Setting allow_any to auth_admin is not sufficient. Additionally, allow_inactive has to be set to auth_admin. And then this will only allow access to the firewall mechanism via VNC and not to other dbus interfaces like, for example, NetworkManager (used to gather network information). In nearly all projects allow_any and allow_inactive are set to no. Even the PolicyKit Library Reference Manual proposes to do so (see examples). There is word on the impact of using no.

It is also not solving the ssh problem. SSH -X with allow_any: auth_admin, allow_inactive: auth_admin:

$ pkcheck --allow-user-interaction --process $$ --action-id org.fedoraproject.config.firewall.auth 
Authorization requires authentication but no agent is available.

BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use cases.

This is a generic problem in polkit in my opinion. Nothing system-config-firewall can solve.

Reassigning to polkit.
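
The behaviour discussed in comments 6 and 7, as an added example that is not part of the original thread: it parses the pkaction output quoted in comment 6 and models which implicit authorization applies to a session. The function names are hypothetical, and the model assumes the three session classes described above: sessions unknown to ConsoleKit (ssh -X, VNC) fall back to "implicit any".

```python
# Added example, not code from the bug report or from polkit itself.
import re

# pkaction --verbose output as quoted in comment 6 (de-indented).
PKACTION_OUTPUT = """\
org.fedoraproject.config.firewall.auth:
  description:       Firewall authorization
  message:           Authentication is required to read and modify firewall settings
  vendor:            System Config Firewall
  vendor_url:        http://fedorahosted.org/system-config-firewall
  icon:
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep
"""

def parse_pkaction(text):
    """Return {action_id: {"any": v, "inactive": v, "active": v}}."""
    actions, current = {}, None
    for line in text.splitlines():
        # An action id starts at column 0 and ends with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = actions.setdefault(line.rstrip()[:-1], {})
            continue
        m = re.match(r"\s+implicit (any|inactive|active):\s*(\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return actions

def implicit_key(in_consolekit, active):
    """Pick the <defaults> element that applies to the session (assumed model)."""
    if not in_consolekit:          # ssh -X, VNC: no ConsoleKit session object
        return "any"
    return "active" if active else "inactive"

def check(defaults, in_consolekit, active, agent_available):
    """Model the outcome of an authorization check for one action."""
    value = defaults[implicit_key(in_consolekit, active)]
    if value == "no":
        return "denied"
    if value == "yes":
        return "authorized"
    # auth_self / auth_admin (with or without _keep) need an authentication agent.
    return "challenge" if agent_available else "no agent available"
```

With the shipped defaults an ssh -X session is denied outright; with allow_any and allow_inactive changed to auth_admin, the same session reaches the authentication step but fails without an agent, matching the pkcheck message in comment 7.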
Comment 8 Miroslav Vadkerti 2010-07-10 14:31:13 EDT
Any update on this?
Comment 9 David Zeuthen 2010-07-12 15:38:54 EDT
(In reply to comment #7)
> Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive
> has to be set to auth_admin. And then this will only allow access to the
> firewall mechanism via VNC and not to other dbus interfaces like for example
> NetworkManager (used to gather network information). In nearly all projects
> allow_any and allow_inactive are set to no. Even the PolicyKit Library
> Reference Manual proposes to do so (see examples). There is word on the impact
> of using no.
> 
> It is also not solving the ssh problem. SSH -X with allow_any: auth_admin,
> allow_inactive: auth_admin:
> 
> $ pkcheck --allow-user-interaction --process $$ --action-id
> org.fedoraproject.config.firewall.auth 
> Authorization requires authentication but no agent is available.
> 
> BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use
> cases.

Because of how ConsoleKit works - basically, currently, login managers will have to integrate with ConsoleKit so seat and session objects are properly created, maintained and destroyed. To my knowledge that never happened.

> This is a generic problem in polkit in my opinion. Nothing
> system-config-firewall can solve.
> 
> Reassigning to polkit.    

Please understand that polkit is simply just a user of ConsoleKit and there is nothing we can do to make the required ConsoleKit objects appear. You need to open bugs against each login program asking for ConsoleKit integration for this to work. It is useless to just have this bug open against polkit for this purpose so I'm closing it.
Comment 10 Miroslav Vadkerti 2010-07-12 16:37:05 EDT
Reported for openssh:
Bug 613796  - openssh: Add support for registering ConsoleKit sessions on login

Looks like vnc bug on this for fedora was already closed as won't fix. I'm not sure if we will be able to pull this in:
https://bugzilla.redhat.com/show_bug.cgi?id=476402
Comment 11 Miroslav Vadkerti 2010-07-13 03:37:26 EDT
This is already reported for EL6:
Bug 528511 - Can't install software via VNC
Comment 12 Steve Grubb 2010-11-22 16:00:49 EST
I wanted to point something out, there is a session object inside the kernel that is set correctly on gdm and ssh logins. We do that by using a pam module. Could a pam module be written that sets things up so that ssh and consolekit get along?
Comment 13 David Zeuthen 2010-11-24 10:31:37 EST
(In reply to comment #12)
> I wanted to point something out, there is a session object inside the kernel
> that is set correctly on gdm and ssh logins. We do that by using a pam module.
> Could a pam module be written that sets things up so that ssh and consolekit
> get along?

FWIW, the long term plan is to make systemd's PAM module do this and also make systemd track things like VT switches on graphical logins (and a couple of other things). Then we can make polkit get this information from systemd instead of ConsoleKit and then we can retire ConsoleKit altogether.
