Red Hat Bugzilla – Bug 609799
system-config-firewall shows polkit error
Last modified: 2013-03-05 23:03:17 EST
Description of problem:
After running system-config-firewall as a non-root user a polkit error appears. See attached screenshot.
Version-Release number of selected component (if applicable):
In my installation 100%
Steps to Reproduce:
1. Run system-config-firewall as user
No error -> ask for root password
Created attachment 428188
system-config-firewall polkit error
Please check if there are SELinux errors or DBUS errors and add the output of "rpm -V system-config-firewall"
State: Thomas is investigating this issue.
Note to appearance of the bug:
This bug was observed only when s-c-firewall is launched via ssh -X or in a vnc session. Running it locally on a machine works well.
This seems to be a polkit problem.
David, what do you think?
Why do you think it's a polkit problem? All I see is a long error name. I don't think that's enough to reassign bugs, sorry :-)
Btw, 'ssh -X' or 'vnc session' does not count toward active or local sessions (and are not even in the ConsoleKit database) so I doubt polkit would answer in the affirmative when checking any authorization. In fact, it would default to the value of the <allow_any> element inside the <defaults> element. And this is clearly set to 'no':
$ pkaction --action-id org.fedoraproject.config.firewall.auth --verbose
description: Firewall authorization
message: Authentication is required to read and modify firewall settings
vendor: System Config Firewall
implicit any: no
implicit inactive: no
implicit active: auth_admin_keep
so what we're seeing here is just things working correctly.
Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive has to be set to auth_admin. And then this will only allow access to the firewall mechanism via VNC and not to other dbus interfaces like for example NetworkManager (used to gather network information). In nearly all projects allow_any and allow_inactive are set to no. Even the PolicyKit Library Reference Manual proposes to do so (see examples). There is word on the impact of using no.
It is also not solving the ssh problem. SSH -X with allow_any: auth_admin, allow_inactive: auth_admin:
$ pkcheck --allow-user-interaction --process $$ --action-id org.fedoraproject.config.firewall.auth
Authorization requires authentication but no agent is available.
BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use cases.
This is a generic problem in polkit in my opinion. Nothing system-config-firewall can solve.
Reassigning to polkit.
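To check offline which implicit default applies to a given session, and which actions become reachable beyond the active local console once allow_any or allow_inactive is changed as discussed in the two comments above, a policy file can be parsed directly. This is an added example, not part of the bug report or of polkit; the policy fragment is constructed from the pkaction output quoted above, and the function names and the local/active selection model are simplifying assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment; the defaults mirror the pkaction output in the thread.
SAMPLE_POLICY = """<policyconfig>
  <vendor>System Config Firewall</vendor>
  <action id="org.fedoraproject.config.firewall.auth">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

VALID = {"no", "yes", "auth_self", "auth_admin", "auth_self_keep", "auth_admin_keep"}
KEYS = ("allow_any", "allow_inactive", "allow_active")

def load_defaults(policy_xml):
    """Return {action_id: {allow_any, allow_inactive, allow_active}}."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = {}
        for key in KEYS:
            # An omitted element is treated as "no" here (assumption).
            value = (action.findtext(f"defaults/{key}") or "no").strip()
            if value not in VALID:
                raise ValueError(f"{action.get('id')}: bad {key} value {value!r}")
            defaults[key] = value
        actions[action.get("id")] = defaults
    return actions

def implicit_authorization(defaults, local, active):
    """Pick the default for a subject's session (simplified model, assumption)."""
    if not local:
        return defaults["allow_any"]  # session unknown to the session tracker
    return defaults["allow_active" if active else "allow_inactive"]

def remotely_reachable(actions):
    """Audit: defaults that apply beyond the active local console and are not 'no'."""
    return sorted(
        (action_id, key, d[key])
        for action_id, d in actions.items()
        for key in ("allow_any", "allow_inactive") if d[key] != "no"
    )

if __name__ == "__main__":
    acts = load_defaults(SAMPLE_POLICY)
    for local, active in ((True, True), (True, False), (False, False)):
        print(local, active, implicit_authorization(next(iter(acts.values())), local, active))
    print(remotely_reachable(acts))
```

An empty result from `remotely_reachable` means every action in the file is limited to the active local console; any entry it returns is a default worth reviewing before shipping the policy.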
any update on this?
(In reply to comment #7)
> Setting allow_any to auth_admin is not sufficient. Additionally allow_inactive
> has to be set to auth_admin. And then this will only allow access to the
> firewall mechanism via VNC and not to other dbus interfaces like for example
> NetworkManager (used to gather network information). In nearly all projects
> allow_any and allow_inactive are set to no. Even the PolicyKit Library
> Reference Manual proposes to do so (see examples). There is word on the impact
> of using no.
> It is also not solving the ssh problem. SSH -X with allow_any: auth_admin,
> allow_inactive: auth_admin:
> $ pkcheck --allow-user-interaction --process $$ --action-id
> org.fedoraproject.config.firewall.auth
> Authorization requires authentication but no agent is available.
> BTW: Why are vnc and ssh not in the ConsoleKit database? These are valid use
> cases.
Because of how ConsoleKit works - basically, currently, login managers will have to integrate with ConsoleKit so seat and session objects are properly created, maintained and destroyed. To my knowledge that never happened.
> This is a generic problem in polkit in my opinion. Nothing
> system-config-firewall can solve.
> Reassigning to polkit.
Please understand that polkit is simply just a user of ConsoleKit and there is nothing we can do to make the required ConsoleKit objects appear. You need to open bugs against each login program asking for ConsoleKit integration for this to work. It is useless to just have this bug open against polkit for this purpose so I'm closing it.
Reported for openssh:
Bug 613796 - openssh: Add support for registering ConsoleKit sessions on login
Looks like vnc bug on this for fedora was already closed as won't fix. I'm not sure if we will be able to pull this in:
This is already reported for EL6:
Bug 528511 - Can't install software via VNC
I wanted to point something out, there is a session object inside the kernel that is set correctly on gdm and ssh logins. We do that by using a pam module. Could a pam module be written that sets things up so that ssh and consolekit get along?
(In reply to comment #12)
> I wanted to point something out, there is a session object inside the kernel
> that is set correctly on gdm and ssh logins. We do that by using a pam module.
> Could a pam module be written that sets things up so that ssh and consolekit
> get along?
FWIW, the long term plan is to make systemd's PAM module do this and also make systemd track things like VT switches on graphical logins (and a couple of other things). Then we can make polkit get this information from systemd instead of ConsoleKit and then we can retire ConsoleKit altogether.