NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

pkexec crashes when used in FHS environment #205082

Open ghost opened 1 year ago

ghost commented 1 year ago

Describe the bug

As title says

Steps To Reproduce

Steps to reproduce the behavior:

  1. On VScode, try to save a file that requires privilege elevation to be overwritten or created
  2. Accept the "Retry as Sudo" prompt
  3. See how it immediately says that the user didn't give it privileges.
  4. Check journalctl -xe, see how pkexec crashed.

Expected behavior

Pkexec shouldn't crash, the prompt for password comes up and the file is saved.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Process 34417 (pkexec) of user 1000 dumped core.

                                                Module /run/wrappers/wrappers.EwsqBaq7vY/pkexec without build-id.
                                                Module /nix/store/4nlgxhb09sdr51nc9hdm8az5b08vzkgx-glibc-2.35-163/lib/libc.so.6 with build>
                                                Module linux-vdso.so.1 with build-id eef6a1e35fa922e4d541ad78554bee988fe5d2ed
                                                Module ld-linux-x86-64.so.2 with build-id db50353a26600bb848b9a5541b1506e0a24cb34b
                                                Stack trace of thread 426:
                                                #0  0x00007f560128abc7 __pthread_kill_implementation (/nix/store/4nlgxhb09sdr51nc9hdm8az5b>
                                                #1  0x00007f560123db46 raise (/nix/store/4nlgxhb09sdr51nc9hdm8az5b08vzkgx-glibc-2.35-163/l>
                                                #2  0x00007f56012284b5 abort (/nix/store/4nlgxhb09sdr51nc9hdm8az5b08vzkgx-glibc-2.35-163/l>
                                                #3  0x000055b027a8785e n/a (/run/wrappers/wrappers.EwsqBaq7vY/pkexec + 0x185e)
                                                ELF object binary architecture: AMD x86-64

Notify maintainers

@jtojnar

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 6.0.10-zen2, NixOS, 23.05 (Stoat), 23.05pre432338.6e51c97f1c8`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.11.1`
 - channels(root): `"nixos"`
 - channels(m911t): `"home-manager"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

jtojnar commented 1 year ago

Do you see any assertion errors when you run VSCode in console? Or further down the journal?

Do you use a desktop environment or something custom? If the latter, do you have security.polkit.enable = true; in your NixOS configuration?

ghost commented 1 year ago

> Do you see any assertion errors when you run VSCode in console? Or further down the journal?

Both no.

> Do you use a desktop environment or something custom? If the latter, do you have security.polkit.enable = true; in your NixOS configuration?

I use GNOME, and I do have security.polkit.enable set to true, I remember setting it to true as well to try and fix this, but it didn't work.

ghost commented 1 year ago

Sorry for being annoying, but is there any news regarding this? It's a rather annoying bug.

jtojnar commented 1 year ago

I tried it and am unable to reproduce with GNOME and VSCodium:

  1. Created and opened a file:

    touch /tmp/test
    sudo chown root:root /tmp/test
    codium /tmp/test
  2. Trying to save file shows “Failed to save 'test': Insufficient permissions. Select 'Retry as Sudo' to retry as superuser.”
  3. Clicking “Retry as Sudo” shows polkit prompt for /nix/store/4xw8n979xpivdc46a9ndcvyhwgif00hz-bash-5.1-p16/bin/bash
  4. File is successfully updated.

I can reproduce the inability to save the file if I change the ownership to something root cannot write to, e.g. wwwrun:wwwrun:

  1. After authenticating to run the request, VSCodium shows
    Failed to save 'test': Command failed: cd "/home/jtojnar/Projects/nixpkgs"; "/run/wrappers/bin/pkexec" --disable-internal-agent /nix/store/4xw8n979xpivdc46a9ndcvyhwgif00hz-bash-5.1-p16/bin/bash -c "echo SUDOPROMPT; \"/nix/store/j9znrxwq9lpk1smkgyrm3qim6shsyn0y-vscodium-1.74.1.22349/lib/vscode/bin/codium\" --file-write \"/home/jtojnar/.config/VSCodium/code-elevated-D0nnd3S0\" \"/tmp/test\""
    Error using --file-write: EACCES: permission denied, open '/tmp/test'

But that is expected and would fail with sudo sh -c "echo foo > /tmp/test" as well.

I am unable to reproduce the crash.

ghost commented 1 year ago

Hmmm, I use fish as default shell, could that be the case? For me VScode still fails to save the file. IDK what I could do

ghost commented 1 year ago

just running pkexec works, using the path to the pkexec wrapper that crashes also works...

ghost commented 1 year ago

Ok, this happens only with the fhs vscode. Not the default vscode.

jtojnar commented 1 year ago

I can reproduce it with vscodium-fhs. I never get the polkit prompt, VSCodium says “Failed to save 'test': User did not grant permission.” and the crash you reported gets logged into the journal.

In fact I can reproduce the crash with plain FHS userenv:

$ nix-build --expr 'let pkgs = import ./. {}; in pkgs.buildFHSUserEnv { name = "test"; }'
/nix/store/w33fpy9labig23rh07j2gsxcfqi0497x-test
$ result/bin/test 
test-chrootenv:jtojnar@theo:~/Projects/nixpkgs$ echo foo | /run/wrappers/bin/pkexec tee /tmp/test
Assertion `!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())` in NixOS's wrapper.c failed.
Aborted (core dumped)

This assertion is triggered:

https://github.com/NixOS/nixpkgs/blob/1e4b811793cda222eef4962b7d2dead7b19b6941/nixos/modules/security/wrappers/wrapper.c#L199
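The assertion that fires here is the wrapper refusing to continue when the kernel did not honour its setuid bit: the wrapper file is mode u+s and owned by root, yet the process still runs with the caller's effective uid. That is exactly what a sandbox whose mounts carry nosuid produces (bubblewrap, which the FHS env is built on, mounts that way), and failing closed there is the right behaviour for a privileged wrapper, since carrying on would exec the target under an unexpected identity. The C program below is an added illustration, not code from nixpkgs' wrapper.c or from anyone in this thread: it isolates that invariant into a testable function and reports which of the three states applies instead of aborting. The names classify_suid, check_self, describe_suid and the suid_state enum are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the setuid self-check (names are this example's own). */
enum suid_state {
    SUID_NOT_SET,   /* no setuid bit on the file: nothing to verify */
    SUID_HONOURED,  /* setuid bit set and euid == file owner: kernel elevated us */
    SUID_IGNORED    /* setuid bit set but euid != owner: nosuid mount or sandbox */
};

/* The wrapper.c invariant
 *     !(st.st_mode & S_ISUID) || (st.st_uid == geteuid())
 * factored over the three values it depends on, so it can be exercised
 * with constructed inputs and no real setuid binary. */
enum suid_state classify_suid(mode_t mode, uid_t file_owner, uid_t euid)
{
    if (!(mode & S_ISUID))
        return SUID_NOT_SET;
    return (file_owner == euid) ? SUID_HONOURED : SUID_IGNORED;
}

/* Apply the check to the running executable via /proc/self/exe (Linux).
 * Returns 0 on success with the state in *out, -1 if stat() fails. */
int check_self(enum suid_state *out)
{
    struct stat st;
    if (stat("/proc/self/exe", &st) != 0)
        return -1;
    *out = classify_suid(st.st_mode, st.st_uid, geteuid());
    return 0;
}

/* Human-readable explanation for each state. */
const char *describe_suid(enum suid_state s)
{
    switch (s) {
    case SUID_NOT_SET:  return "no setuid bit; running as the caller";
    case SUID_HONOURED: return "setuid honoured; euid matches file owner";
    case SUID_IGNORED:  return "setuid IGNORED (nosuid mount or sandbox?); refusing to continue";
    }
    return "unknown";
}

int main(void)
{
    enum suid_state s;
    if (check_self(&s) != 0) {
        perror("stat /proc/self/exe");
        return 2;
    }
    printf("euid=%u: %s\n", (unsigned)geteuid(), describe_suid(s));
    /* A real wrapper would stop here rather than exec its target. */
    return s == SUID_IGNORED ? 1 : 0;
}
```

Run unprivileged it reports the first state; copied to a root-owned u+s path on a normal mount it reports the second; the same file launched from inside a nosuid sandbox reports the third, which is the situation the wrapper's assertion catches. The three-way split is what makes the failure diagnosable: "setuid ignored" points at the mount or sandbox, whereas a bare abort only says that something about the identity was wrong.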

ghost commented 1 year ago

Fun fact: I also get that assertion output when trying to use sudo in vscode-fhs's integrated terminal

ghost commented 1 year ago

Any news regarding this? It's rather annoying.

johnrichardrinehart commented 1 year ago

I updated nixpkgs and I'm having this problem now. It might be related to #209870, since it only appeared recently, after updating nixpkgs. But I can't say for sure. But vscodium-fhs and vscode-fhs fail to run anything in the terminal (and some of my language servers fail to start, presumably for the same reason). Everything is like

$ nix --version                                     
[1]    465 segmentation fault (core dumped)  nix --version

My journalctl -xe logs look like

Apr 13 13:40:47 nixos kernel: nix[3721367]: segfault at 1d83a0 ip 00007f2acb96bee6 sp 00007ffcabf9f2a8 error 4 in libc.so.6[7f2acb95c000+159000] likely on CPU 0 (core 0, socket 0)
Apr 13 13:40:47 nixos kernel: Code: 48 03 04 25 00 00 00 00 c3 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 8b 05 7d 50 1a 00 48 8b 0d fe 4e 1a 00 64 48 8b 00 <48> 8b 00 48 8b 70 38 48 8d 96 00 01 00 00 64 48 89 11 48 8b 78 40
Apr 13 13:40:47 nixos systemd[1]: Started Process Core Dump (PID 3721368/UID 0).
░░ Subject: A start job for unit systemd-coredump@2639-3721368-0.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit systemd-coredump@2639-3721368-0.service has finished successfully.
░░ 
░░ The job identifier is 38350.
Apr 13 13:40:47 nixos systemd-coredump[3721369]: [🡕] Process 3721367 (nix) of user 1000 dumped core.

                                                 Module /nix/store/w67kng09mdbgxbxw9167xaba7332sk7l-krb5-1.20.1/lib/libkrb5support.so.0.1 without build-id.
                                                 Module /nix/store/w67kng09mdbgxbxw9167xaba7332sk7l-krb5-1.20.1/lib/libcom_err.so.3.0 without build-id.
                                                 Module /nix/store/w67kng09mdbgxbxw9167xaba7332sk7l-krb5-1.20.1/lib/libk5crypto.so.3.1 without build-id.
                                                 Module /nix/store/w67kng09mdbgxbxw9167xaba7332sk7l-krb5-1.20.1/lib/libkrb5.so.3.3 without build-id.
                                                 Module /nix/store/by4gv37sharnf370ki60zam5s7qklqqh-bzip2-1.0.8/lib/libbz2.so.1.0.8 without build-id.
                                                 Module /nix/store/5533i5qzsxysjf38p1nlza9g9wvh09wk-xz-5.4.2/lib/liblzma.so.5.4.2 without build-id.
                                                 Module /nix/store/w67kng09mdbgxbxw9167xaba7332sk7l-krb5-1.20.1/lib/libgssapi_krb5.so.2.2 without build-id.
                                                 Module /nix/store/2ldgh1qis9p4zf8bgsdm7897gw8vv36g-zlib-1.2.13/lib/libz.so.1.2.13 without build-id.
                                                 Module /nix/store/g012c53brxmb0if3lpmkjwmxk74hjflh-gcc-12.2.0-lib/lib/libstdc++.so.6.0.30 without build-id.
                                                 Module /nix/store/5w5qpm9z3iyib615pdih6nvk9spv3jbv-gcc-12.2.0-libgcc/lib/libgcc_s.so.1 without build-id.
                                                 Module libattr.so.1 without build-id.
                                                 Module libkeyutils.so.1 without build-id.
                                                 Module libunistring.so.5 without build-id.
                                                 Module libxml2.so.2 without build-id.
                                                 Module libacl.so.1 without build-id.
                                                 Module libbrotlicommon.so.1 without build-id.
                                                 Module libaws-c-common.so.1 without build-id.
                                                 Module libaws-checksums.so.1.0.0 without build-id.
                                                 Module libaws-c-sdkutils.so.1.0.0 without build-id.
                                                 Module libaws-c-cal.so.1.0.0 without build-id.
                                                 Module libaws-c-compression.so.1.0.0 without build-id.
                                                 Module libs2n.so.1 without build-id.
                                                 Module libaws-c-io.so.1.0.0 without build-id.
                                                 Module libaws-c-http.so.1.0.0 without build-id.
                                                 Module libaws-c-auth.so.1.0.0 without build-id.
                                                 Module libaws-c-s3.so.0unstable without build-id.
                                                 Module libaws-c-event-stream.so.1.0.0 without build-id.
                                                 Module libaws-c-mqtt.so.1.0.0 without build-id.
                                                 Module libzstd.so.1 without build-id.
                                                 Module libssh2.so.1 without build-id.
                                                 Module libidn2.so.0 without build-id.
                                                 Module libnghttp2.so.14 without build-id.
                                                 Module libcpuid.so.16 without build-id.
                                                 Module libarchive.so.13 without build-id.
                                                 Module libbrotlidec.so.1 without build-id.
                                                 Module libbrotlienc.so.1 without build-id.
                                                 Module libseccomp.so.2 without build-id.
                                                 Module libaws-crt-cpp.so without build-id.
                                                 Module libaws-cpp-sdk-core.so without build-id.
                                                 Module libaws-cpp-sdk-s3.so without build-id.
                                                 Module libaws-cpp-sdk-transfer.so without build-id.
                                                 Module libboost_context.so.1.79.0 without build-id.
                                                 Module libeditline.so.1 without build-id.
                                                 Stack trace of thread 514:
                                                 #0  0x00007f2acb96bee6 __ctype_init (/nix/store/1n2l5law9g3b77hcfyp50vrhhssbrj5g-glibc-2.37-8/lib/libc.so.6 + 0x31ee6)
                                                 #1  0x00007f2acba89930 __libc_early_init (/nix/store/1n2l5law9g3b77hcfyp50vrhhssbrj5g-glibc-2.37-8/lib/libc.so.6 + 0x14f930)
                                                 #2  0x00007f2accbadf9b dl_main (ld-linux-x86-64.so.2 + 0x20f9b)
                                                 #3  0x00007f2accba9966 _dl_sysdep_start (ld-linux-x86-64.so.2 + 0x1c966)
                                                 #4  0x00007f2accbab525 _dl_start (ld-linux-x86-64.so.2 + 0x1e525)
                                                 #5  0x00007f2accbaa308 _start (ld-linux-x86-64.so.2 + 0x1d308)
                                                 ELF object binary architecture: AMD x86-64
░░ Subject: Process 3721367 (nix) dumped core
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ Documentation: man:core(5)
░░ 
░░ Process 3721367 (nix) crashed and dumped core.
░░ 
░░ This usually indicates a programming error in the crashing program and
░░ should be reported to its vendor as a bug.
Apr 13 13:40:47 nixos systemd[1]: systemd-coredump@2639-3721368-0.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit systemd-coredump@2639-3721368-0.service has successfully entered the 'dead' state.
vcunat commented 1 year ago

At a quick glance it sounds more likely to be related to the glibc upgrade.

johnrichardrinehart commented 1 year ago

Yeah, I think so, too. But, I'm kind of lost as to how to fix the fhs derivation. The non-fhs derivation works fine.

vcunat commented 6 months ago

'etcher' has been removed because it depended on an insecure version of Electron