Bug#1031654: game-data-packager: the heuristic should prefer another tool than pkexec over an SSH connection
Simon McVittie
smcv at debian.org
Mon Feb 20 11:05:14 GMT 2023
On Sun, 19 Feb 2023 at 21:21:22 +0100, Alexandre Detiste wrote:
> Without a PTY:
>
> tchet at brix ~/git/game-data-packager $ ssh localhost game-data-packager soltys --install --install-method apt
> tchet at localhost's password:
> INFO:game_data_packager.build:will not produce "soltys-es-data" because "es" is not in LANGUAGE selection
> INFO:game_data_packager.build:will not produce "soltys-pl-data" because "pl" is not in LANGUAGE selection
> INFO:game_data_packager.download:downloading http://scummvm.org/frs/extras/Soltys/soltys-en-v1.0.zip
> INFO:game_data_packager.packaging.deb:generating package soltys-en-data
> Error creating textual authentication agent: Error opening current controlling terminal for the process (`/dev/tty'): No such device or address
> generated "/home/tchet/soltys-en-data_1.0+72_all.deb"
> using pkexec to obtain root privileges and install the package(s)
In this scenario you don't have a pseudo-terminal, so su wouldn't work
either, and sudo would only work if you have NOPASSWD.
Using sys.stdin.isatty() wouldn't be a great heuristic for avoiding this,
because if game-data-packager is run without a controlling terminal in
a full GUI session like GNOME or KDE Plasma, we want to use pkexec for
its graphical authentication prompt (which will work *more* reliably
than prompting on the terminal in this case).
> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
> Authentication is needed to run `/usr/bin/apt-get' as the super user
> Authenticating as: root
> Password:
> polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
> ==== AUTHENTICATION FAILED ====
> Error executing command as another user: Not authorized
That's really a pkexec bug, which I've reported as #1031676. This
should work, but currently doesn't. Running something like
"systemctl restart avahi-daemon.service" from a similar TUI session
does work, and successfully prompts for the test user's password,
demonstrating that it's a pkexec bug rather than a polkitd limitation.
Avoiding pkexec in ssh or non-graphical sessions is a possible workaround
for that bug, but given the interactive and graphical nature of games, I'm
not sure that running g-d-p over ssh is such a major use case for it :-)
smcv
More information about the Pkg-games-devel
mailing list