[Pkg-utopia-maintainers] Bug#1031676: pkexec's internal polkit agent doesn't work in a ssh or getty session
Simon McVittie
smcv at debian.org
Mon Feb 20 10:52:17 GMT 2023
Package: pkexec
Version: 122-3
Severity: normal

To reproduce:

* Have a user in the sudo group, and default polkitd configuration, so
  they can do root-equivalent things after authenticating as themselves
* Initial state: do not be logged in to the machine at all
* Log in on a text virtual console (getty/login) or with interactive ssh,
  or use `ssh -t machine pkexec ...` to force allocation of a
  pseudo-terminal
* Run: systemctl restart avahi-daemon.service
  (or any other service that is installed and is harmless to restart)
* Run: pkexec true
* Enter the user's correct password whenever prompted to authenticate

Expected result:

* `systemctl restart avahi-daemon.service` prompts for the user's password,
  then restarts avahi-daemon, successfully
* `pkexec true` prompts for the user's password, then runs `true`,
  successfully

Actual result:

systemctl successfully prompts for the user's password, demonstrating
that polkitd is working as intended (so this is a pkexec bug and not a
polkitd bug):

> $ ssh -t testvm systemctl restart avahi-daemon.service
> ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
> Authentication is required to restart 'avahi-daemon.service'.
> Authenticating as: Test User,,, (user)
> Password: <type correct password here>
> ==== AUTHENTICATION COMPLETE ====
> Connection to 192.168.122.143 closed.

but pkexec fails with "No session for cookie":

> $ ssh -t testvm pkexec true
> ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
> Authentication is needed to run `/usr/bin/true' as the super user
> Authenticating as: Test User,,, (user)
> Password: <type correct password here>
> polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
> ==== AUTHENTICATION FAILED ====
> Error executing command as another user: Not authorized
>
> This incident has been reported.
> Connection to 192.168.122.143 closed.

Logging in on tty6 with getty/login has similar symptoms. I used ssh for
the version quoted here because it was easier to copy/paste.

    smcv

-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages pkexec depends on:
ii libc6 2.36-8
ii libglib2.0-0 2.74.5-1
ii libpam0g 1.5.2-6
ii libpolkit-agent-1-0 122-3
ii libpolkit-gobject-1-0 122-3
ii polkitd 122-3
pkexec recommends no packages.
pkexec suggests no packages.
Versions of packages pkexec is related to:
pn elogind <none>
pn libpam-elogind <none>
ii libpam-systemd 252.5-2
ii systemd 252.5-2
-- no debconf information