[Pkg-utopia-maintainers] Bug#1023393: policykit-1: Not prompted to authenticate with my own identity any more

Sam Morris sam at robots.org.uk
Thu Nov 3 15:17:38 GMT 2022 

On 03/11/2022 13:39, Simon McVittie wrote:
> On Thu, 03 Nov 2022 at 11:51:52 +0000, Sam Morris wrote:
>> Here's my configuration:
>>
>>      # cat /etc/polkit-1/localauthority.conf.d/60-sam.conf
>>      [Configuration]
>>      AdminIdentities=unix-user:sam.morris at domain.example.com
> 
> Is that really your Unix/PAM login name, the one you'd get from `id -nu`
> or `su - $user` or similar? Or is your login name something like sam.morris
> or sam?

Yes - the user account lives in an Active Directory domain which is 
projected into the POSIX world by FreeIPA. The user name is the SAM 
Account Name of the user @ The AD domain's DNS FQDN.

> The usual setup with a modern polkit version is that the admin identities
> are handled by /usr/share/polkit-1/rules.d/40-debian-sudo.rules,
> which returns "unix-group:sudo", meaning "any member of the sudo group
> is a local sysadmin".

Having my username in the pklocalauthority like that is sort of a 
workaround for a number of unfortunate things about how polkit 
enumerates groups & because FreeIPA isn't able to put AD users into 
netgroups.

You're right, adding my user to the (local) sudo group will probably do 
the job.

> It's usually unnecessary to configure this, either in the old PKLA
> backend or in the newer JS backend, so the way this interoperates with
> the legacy PKLA configuration is unlikely to be particularly well-tested.
> 
> I wonder whether the problem here might be that 40-debian-sudo.rules is
> sequenced earlier than 49-polkit-pkla-compat.rules, which means only the
> function defined in 40-debian-sudo.rules gets called, and the one in
> 49-polkit-pkla-compat.rules is ignored?

You're right. I actually just commented out the contents of 
40-debian-sudo.rules entirely. polkit immediately reloads the rules and 
my pkcheck command is once again prompting me for my own credentials.

> polkit keeps calling admin rule functions until one returns a non-empty
> result, so only the first one that returns a result (in lexicographic
> order by filename) is practically useful.

Argh, that's a really annoying. I wonder why they don't call all the 
admin rules and collect all of the results...

Anyway, that's all I need to get our systems working sensibly again.

But I suppose this should become a bug against polkitd-pkla since in 
practice its 49-polkit-pkla-compat.rules will never be called since 
40-debian-sudo.rules is called first.

Perhaps one solution would be to renumber to << 40, and ship a 
pklocalauthority config file with 'unix-group:sudo'. This will ensure 
that systems where polkitd-pkla is installed will match the default 
behaviour of systems where it isn't installed.

>      smcv

Thanks for your help! :)

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9

More information about the Pkg-utopia-maintainers mailing list