[Pkg-utopia-maintainers] Bug#696989: policykit-1: refuses all actions if user is member of a large number of groups

Sascha Silbe sascha-debian-bugs-policykit-1-2012-12-30 at silbe.org
Sun Dec 30 11:43:29 UTC 2012


Package: policykit-1
Version: 0.105-1
Severity: important

Dear Maintainer,

PolicyKit refuses all actions for my own user account, but works fine
for other accounts:

=== Begin SSH session as sascha.silbe ===
sascha.silbe at twin:~$ cat /etc/polkit-1/localauthority/50-local.d/90-sudo-allow-everything.pkla
[AllowEverythingToSudoGroup]
Identity=unix-group:sudo
Action=*
# from within active ConsoleKit sessions
ResultActive=yes
# from within inactive ConsoleKit sessions
ResultInactive=yes
# from within non-local ConsoleKit sessions
ResultAny=yes
sascha.silbe at twin:~$ id -u
8193
sascha.silbe at twin:~$ getent group sudo
sudo:x:27:sascha.silbe,bine
sascha.silbe at twin:~$ pkcheck --action-id org.freedesktop.udisks.filesystem-mount --process $$
Not authorized.
=== End SSH session as sascha.silbe ===

=== Begin SSH session as bine ===
bine at twin:~$ pkcheck --action-id org.freedesktop.udisks.filesystem-mount --process $$ ; echo $?
0
=== End SSH session as bine ===


Apparently polkitd chokes on the large number of groups my account is
a member of:

=== Begin ===
root at twin:~# /usr/lib/policykit-1/polkitd -r
Entering main event loop
Connected to the system bus
Registering null backend at priority -10
Using authority class PolkitBackendLocalAuthority
Acquired the name org.freedesktop.PolicyKit1

** (polkitd:20969): WARNING **: skipping unknown tag <_description> at line 15

** (polkitd:20969): WARNING **: skipping unknown tag <_message> at line 16

** (polkitd:20969): WARNING **: Error looking up groups for uid 8193: Numerical result out of range

=== End ===

Checking the source
(src/polkitbackend/polkitbackendlocalauthority.c:get_groups_for_user()),
there's even a TODO entry for this bug:

  gid_t groups[512];
  int num_groups = 512;
[...]
  /* TODO: should resize etc etc etc */

  if (getgrouplist (passwd->pw_name,
                    passwd->pw_gid,
                    groups,
                    &num_groups) < 0)
    {
      g_warning ("Error looking up groups for uid %d: %s", uid, g_strerror (errno));
      goto out;
    }


Once the account is a member of more than the hard-coded limit of 512
groups, PolicyKit will not recognise the user at all and therefore refuses
all actions for them.

This bug is still present in the latest development version (d6acecd),
now in
src/polkitbackend/polkitbackendjsauthority.c:subject_to_jsval().

The reason my user account is part of so many groups is that I'm using
the rainbow package extensively to run web browsers and the like with
less privileges than my user account and in isolation from each
other. For each isolated session, a group is created to enable
exchange of files between my user account and the session account (but
not between the sessions).

I've set the Severity to Important because PolicyKit refuses to work
at all (for this user) once the hard-coded limit is exceeded, rather
than just some part of PolicyKit not working as expected or only the
first few groups being evaluated to determine whether to grant access.


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages policykit-1 depends on:
ii  consolekit             0.4.5-3.1
ii  dbus                   1.6.8-1
ii  libc6                  2.13-37
ii  libexpat1              2.1.0-1
ii  libglib2.0-0           2.33.12+really2.32.4-3
ii  libpam0g               1.1.3-7.1
ii  libpolkit-agent-1-0    0.105-1
ii  libpolkit-backend-1-0  0.105-1
ii  libpolkit-gobject-1-0  0.105-1

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information
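The fixed-size getgrouplist() call quoted above is the whole bug, so here is what the "TODO: should resize" comment asks for, written out as an added example. This is not polkit's code and not a patch from the reporter or the maintainers; the function names (groups_fixed, groups_dynamic, gid_in_list) are made up for illustration. It assumes glibc semantics, where getgrouplist() returns -1 when the caller's buffer is too small and stores the required size in *ngroups, which is what the retry loop keys on. groups_fixed() reproduces the polkit behaviour with the capacity made a parameter so the overflow can be triggered without 513 real groups; groups_dynamic() is the resizing replacement.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* getgrouplist() is a BSD/GNU extension; redeclare it so the example also
   compiles under strict -std=c99/c11 where the headers hide it. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* Fixed-buffer lookup in the style of the polkit snippet, with the capacity
   made a parameter (polkit hard-codes 512). Returns the number of groups
   stored, or -1 when the buffer is too small: the failure the bug report hits,
   after which the user is treated as a member of no group at all. */
int groups_fixed(const char *user, gid_t base, gid_t *buf, int cap)
{
    int n = cap;
    if (getgrouplist(user, base, buf, &n) < 0)
        return -1;
    return n;
}

/* Resizing lookup (hypothetical replacement, not polkit's code). On -1 glibc
   leaves the required size in n, so the buffer is grown to at least that and
   at least doubled (membership can change between calls), then the call is
   retried. Returns the count and hands the caller a malloc'd list in *out,
   or -1 on allocation failure / if the list keeps growing under us. */
int groups_dynamic(const char *user, gid_t base, gid_t **out)
{
    int cap = 4;                 /* deliberately small to exercise the retry */
    gid_t *buf = NULL;
    *out = NULL;
    for (int attempt = 0; attempt < 16; attempt++) {
        gid_t *nb = realloc(buf, (size_t)cap * sizeof *nb);
        if (nb == NULL) {
            free(buf);
            return -1;
        }
        buf = nb;
        int n = cap;
        if (getgrouplist(user, base, buf, &n) >= 0) {
            *out = buf;
            return n;
        }
        cap = (n > 2 * cap) ? n : 2 * cap;
    }
    free(buf);
    return -1;
}

/* True if gid appears in the list: the membership check a policy backend
   makes for a rule such as Identity=unix-group:sudo (gid 27 on this box). */
int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        perror("getpwuid");
        return 1;
    }
    gid_t *list = NULL;
    int n = groups_dynamic(pw->pw_name, pw->pw_gid, &list);
    if (n < 0) {
        fprintf(stderr, "group lookup failed for %s\n", pw->pw_name);
        return 1;
    }
    printf("%s is in %d group(s):", pw->pw_name, n);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)list[i]);
    printf("\n");
    free(list);
    return 0;
}
```

Build with `cc -o groups groups.c` and run it as the affected account; an account in more than 512 groups still lists correctly because the buffer grows on demand. Note that glibc's getgrouplist() signals overflow only through its return value and the updated *ngroups; it does not document setting errno, so the "Numerical result out of range" text in the polkit warning should not be relied on for retry logic.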