[Pkg-utopia-maintainers] Bug#813217: libpolkit-backend-1-0: rules.d/*.rules files are entirely ignored

Ralf Jung post at ralfj.de
Sat Jan 30 14:27:56 UTC 2016


Package: libpolkit-backend-1-0
Version: 0.105-8
Severity: important

Dear Maintainer,

I am trying to fine-tune the polkit policies on one system I am running. In particular,
I'd like to not give that system's only user sudo privileges, but still want the automatic
software upgrades performed through packagekit to Just Work (TM).

However, no matter what I tried, I seem unable to convince polkit to allow system upgrades
for all locally logged-in users. Here's what I did:

  # cat /etc/polkit-1/rules.d/99-local-upgrade.rules 
  polkit.addRule(function(action, subject) {
    polkit.log("DEBUG addRule: action=" + action);
    if ((action.id == "org.freedesktop.packagekit.upgrade-system" ||
         action.id == "org.freedesktop.packagekit.system-update" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true ) {
            return polkit.Result.YES;
    }
  });

I added the polkit.log only to check if the file has any effect at all. The ID I figured out by
grepping /usr/share/polkit-1/actions for the strings displayed in the UI when I was asked
to authenticate this action manually. But even if the IDs are wrong, I should at least see the
debug output.

Now I want to test the rule:

  $ pkcheck --action-id org.freedesktop.packagekit.system-update --process $(pidof konsole) -u USER
  polkit\56retains_authorization_after_challenge=true
  Not authorized.

The "-u" option is not documented in the manpage, but when I omit it, pkcheck insists I add it again.
The only message in the log is

  Jan 30 15:02:30 HOST polkitd(authority=local)[1129]: Operator of unix-session:1 FAILED to authenticate to gain authorization
  for action org.freedesktop.packagekit.system-update for unix-process:740:3994 [/usr/bin/konsole] (owned by unix-user:USER)

Well, at least I got the ID right. But no message from my own rule.

I then tried adding a syntax error to the file, nothing happened. I rebooted the system to
make sure the new file is loaded, nothing happened. I moved the file to /usr/share/polkit-1/rules.d,
nothing happened.
It almost seems as if polkit just entirely ignores all the rules.d files. I tried to figure out
whether Debian is special here compared to other distros (according to many docs I found, what I did above
*should* work on Fedora and Arch), without any success. I also looked for local documentation in
/usr/share/doc/libpolkit-backend-1-0, nothing.

I am pretty much lost now. For now, I guess this system will not get security updates.
The only explanation I still have for this behavior is that there's a bug in polkit which makes
it ignore rules.d, hence this report. Any help would be appreciated.

Kind regards,
Ralf

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpolkit-backend-1-0 depends on:
iu  libc6                  2.19-18+deb8u2
ii  libexpat1              2.1.0-6+deb8u1
ii  libglib2.0-0           2.42.1-1
ii  libpolkit-gobject-1-0  0.105-8
ii  libsystemd0            215-17+deb8u2
ii  multiarch-support      2.19-18+deb8u1

libpolkit-backend-1-0 recommends no packages.

libpolkit-backend-1-0 suggests no packages.

-- no debconf information


