Bug 994729 - Authentication requested twice when opening firewall-config
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 19
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1008683
Reported: 2013-08-07 17:42 EDT by Michael Catanzaro
Modified: 2014-07-04 11:51 EDT
Fixed In Version: firewalld-0.3.5-1.fc20
Doc Type: Bug Fix
Last Closed: 2013-10-02 02:47:27 EDT
Type: Bug

Attachments
org.freedesktop.policykit.imply annotation (3.71 KB, patch)
2014-04-25 09:40 EDT, Jiri Popelka

Description Michael Catanzaro 2013-08-07 17:42:19 EDT
Description of problem: When opening firewall-config, I'm prompted for authentication twice in a row. (Moreover, the prompts aren't phrased very well.)

First: "System policy prevents to use the firewall policies interface"  (should be: "System policy prevents using the...")

Second: "System policy prevents to change the firewall configuration"  (should be: "System policy prevents changing the...")

polkit allows one rule to imply another, to avoid these kinds of double-prompts. If access to the user interface really needs to be a separate rule (which seems doubtful?), it ought to imply the ability to change the configuration.

Version-Release number of selected component (if applicable): firewall-config 0.3.4-1.fc19


How reproducible: Always
Comment 1 Richard Shaw 2013-09-16 23:14:44 EDT
Me too...
Comment 2 Jiri Popelka 2013-09-17 03:49:14 EDT
*** Bug 1008683 has been marked as a duplicate of this bug. ***
Comment 3 Fedora Update System 2013-09-30 08:35:31 EDT
firewalld-0.3.5-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc20
Comment 4 Fedora Update System 2013-09-30 08:38:37 EDT
firewalld-0.3.5-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc19
Comment 5 Fedora Update System 2013-09-30 22:01:44 EDT
Package firewalld-0.3.5-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.5-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17984/firewalld-0.3.5-1.fc20
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-10-02 02:47:27 EDT
firewalld-0.3.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-10-02 21:14:47 EDT
firewalld-0.3.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 s_mao3@yahoo.ca 2013-10-18 22:28:52 EDT
I am using fc19. When I try to open firewall config, it asks me to authenticate but it always says "Sorry, that doesn't work. please try again." even after repeatedly input the correct password. I still can not configure firewall.
Comment 9 Jiri Popelka 2013-10-21 06:53:32 EDT
(In reply to s_mao3@yahoo.ca from comment #8)
> even after repeatedly input the correct password.

That seems like some polkit problem.

Mitr (polkit maintainer), any idea how to debug this ?

> I still can not configure firewall.

As a work-around you can run firewall-config as superuser (root).
Comment 10 Miloslav Trmač 2013-10-21 14:37:08 EDT
(In reply to Jiri Popelka from comment #9)
> (In reply to s_mao3@yahoo.ca from comment #8)
> > even after repeatedly input the correct password.
> 
> That seems like some polkit problem.
> 
> Mitr (polkit maintainer), any idea how to debug this ?

A copy of all log entries from /var/log/{messages,secure} from that timeframe (+- 5 minutes) would be a start.
Comment 11 Jiri Popelka 2014-04-22 06:37:42 EDT
(In reply to Michael Catanzaro from comment #0)
> polkit allows one rule to imply another, to avoid these kinds of
> double-prompts.

Anybody any pointers to examples, doc, etc. ?
Or any ideas how this could be achieved ?
I couldn't find anything like that.

We previously "fixed" [1] this bug by using only one polkit action.
But now I'm tempted to add another polkit action,
but this "double-prompt" problem has prevented me from doing it.

[1] https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=532704bf6800e6914d279c594e97ef6632d730f4
Comment 12 Michael Catanzaro 2014-04-22 09:16:29 EDT
A couple of examples:

org.freedesktop.timedate1.set-time implies both org.freedesktop.timedate1.set-timezone and org.freedesktop.timedate1.set-ntp, since if you have the power to change the system time, you should also be able to perform those other time-related tasks without a separate password prompt. (But not vice-versa.) [1]

org.freedesktop.packagekit.package-install-untrusted implies org.freedesktop.packagekit.package-install, since a user who is trusted to install untrusted packages is surely also trusted to install packages signed by the distribution (but not vice-versa). (Ignore the comments in this example -- some look outdated.) [2]

[1] http://cgit.freedesktop.org/systemd/systemd/tree/src/timedate/org.freedesktop.timedate1.policy.in
[2] https://gitorious.org/packagekit/packagekit/source/a0cb4a0215e3af4998f24537a5704f0ac7620fe7:policy/org.freedesktop.packagekit.policy.in
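
An added example, not part of the original thread and not firewalld or polkit code: since authorization for an action carrying `org.freedesktop.policykit.imply` also covers the actions it lists, this audit flags any imply edge whose source has weaker defaults than its target. The `org.example.*` action ids, the sample policy and the strictness ordering are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

IMPLY_KEY = "org.freedesktop.policykit.imply"
# Assumed ordering of polkit implicit-authorization values, weakest first.
RANK = {v: i for i, v in enumerate(
    ["yes", "auth_self_keep", "auth_self", "auth_admin_keep", "auth_admin", "no"])}
SCOPES = ("allow_any", "allow_inactive", "allow_active")  # a missing one is read as "no" (assumption)

# Constructed policy file; the org.example.* action ids are hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.firewall.config">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active></defaults>
  </action>
  <action id="org.example.firewall.policies">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.imply">org.example.firewall.config</annotate>
  </action>
  <action id="org.example.firewall.info">
    <defaults><allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.imply">org.example.firewall.config</annotate>
  </action>
</policyconfig>"""

def load_actions(xml_text):
    """Return {action_id: (defaults, implied_ids)} for one policy document."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = dict.fromkeys(SCOPES, "no")
        defaults.update({d.tag: (d.text or "no").strip() for d in action.findall("defaults/*")})
        implied = [i for a in action.findall("annotate")
                   if a.get("key") == IMPLY_KEY for i in (a.text or "").split()]
        actions[action.get("id")] = (defaults, implied)
    return actions

def audit_implies(actions):
    """Flag imply edges whose source is easier to obtain than the implied target."""
    findings = []
    for source, (src, implied) in actions.items():
        for target in (t for t in implied if t in actions):
            for scope in SCOPES:
                tgt = actions[target][0][scope]
                if RANK[src[scope]] < RANK[tgt]:
                    findings.append((source, target, f"{scope}: {src[scope]} < {tgt}"))
    return findings

print(audit_implies(load_actions(SAMPLE_POLICY)))
```

Implied actions defined in a policy file that was not loaded are skipped, so a real audit should merge every policy file on the system before calling `audit_implies`.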
Comment 13 Jiri Popelka 2014-04-23 07:12:44 EDT
(In reply to Michael Catanzaro from comment #12)
> A couple of examples:

That's exactly it. Thank you !
Comment 14 Jiri Popelka 2014-04-25 09:40:56 EDT
Created attachment 889762
org.freedesktop.policykit.imply annotation

Thomas, we have 2 choices how to properly solve this bug:

1) Use policykit.imply annotation per attached patch
2) I realized that PK_ACTION_DIRECT and PK_ACTION_POLICIES are used only for 'runtime' changes. For 'permanent' changes PK_ACTION_CONFIG is used anyway. So the other possibility is to explicitly use PK_ACTION_CONFIG instead of PK_ACTION_DIRECT/PK_ACTION_POLICIES - which is what we've been already doing since your work-around [1] - but this time I'd explicitly throw out PK_ACTION_DIRECT/PK_ACTION_POLICIES, because I don't see a reason for having them for runtime changes only.

I prefer the second one.

[1] https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=532704bf6800e6914d279c594e97ef6632d730f4
Comment 15 Jiri Popelka 2014-04-30 12:16:25 EDT
(In reply to Jiri Popelka from comment #14)
> 1) Use policykit.imply annotation per attached patch
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=fa1375fb203c0254c38ac3fd20f64f254fa2b9f2
