netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

`firejail --noprofile` allows gksu(do) but not pkexec #1471

Open Fred-Barclay opened 7 years ago

Fred-Barclay commented 7 years ago

I noticed this when trying to build a profile for a program that uses polkit for authentication control.

Running pkexec normally in terminal (not in firejail), I get the standard gui dialog.

$ pkexec bash
<redacted> ~ # id
uid=0(root) gid=0(root) groups=0(root)
<redacted> ~ # exit
exit

Switching to firejail --noprofile, there is no dialog window, and the authentication attempt in the console fails:

$ pkexec bash
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: Fred Barclay,,, (fred)
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

However, gksu still provides its standard dialog and allows privilege escalation:

$ gksu bash
Gkr-Message: secret service operation failed: The name org.freedesktop.secrets was not provided by any .service files
bash: cannot set terminal process group (27): Inappropriate ioctl for device
bash: no job control in this shell
<redacted> fred # 

(Strangely, bash seems to freeze at this point. But the privileges have definitely been elevated, as this output shows:)

$ gksu id
Gkr-Message: secret service operation failed: The name org.freedesktop.secrets was not provided by any .service files
uid=0(root) gid=0(root) groups=0(root)

This isn't ideal, IMHO. Some programs (like etcher) rely on pkexec, and we should probably support allowing privilege escalation with pkexec as well as gksu (though only super-loose sandboxes like firejail --noprofile, of course. 😄)

Cheers!

icasdri commented 7 years ago

It sounds like gksu doesn't depend on DBus whereas pkexec does. firejail --noprofile likely blocks access to the system DBus socket. A new network namespace might also do it.

Fred-Barclay commented 7 years ago

It sounds like gksu doesn't depend on DBus whereas pkexec does.

Interestingly, I get a different error when allowing dbus access:

$ firejail --protocol=unix --noprofile
Parent pid 4095, child pid 4096
Child process initialized in 12.97 ms
$ pkexec /bin/bash
pkexec must be setuid root

So it looks like it does need at least some access to dbus.

Ferroin commented 7 years ago

Yes, pkexec needs DBus access. It uses PolicyKit, which is a DBus-only service that someone thought was somehow a better idea than sudo when dealing with command execution (it's great for rights delegation when dealing with DBus services, because there really isn't any other option, but it's overkill for regular command execution). On the other hand, gksu is just a graphical frontend for sudo, so it just needs access to X11 to work.

netblue30 commented 7 years ago

In my case (Debian stretch), running "pkexec ls /root" in a "firejail --noprofile" crashes. I get this in syslog:

Aug 18 08:59:39 debian kernel: [69861.953292] pkexec[1600]: segfault at 18 ip 00007fc867f01097 sp 00007fc8635ef180 error 4 in libpolkit-agent-1.so.0.0.0[7fc867efb000+9000]

chiraag-nataraj commented 6 years ago

lol PolicyKit is a mess and is half-broken on my end even without using firejail (although maybe it's because of hidepid in my case...). It uses a security-hole-ridden mess called DBus and is somehow supposed to be better than sudo. Ugh.

chiraag-nataraj commented 6 years ago

When I run it, I get the following:

$ firejail --noprofile
$ pkexec ls /root
Error checking for authorization org.freedesktop.policykit.exec: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: process with PID 2 has been replaced

By the way, gksu and gksudo have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well), and apparently the recommended way is to use pkexec now, which currently doesn't work within firejail. I suspect it's due to the PID namespace...

mulecat commented 5 years ago

Any update on this? With pkexec not working with firejail there's no way to run applications that require it, such as GameHub.

rusty-snake commented 5 years ago

By the way, gksu and gksudo have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well)

Also on Fedora systems with F29+RPMFusion there is no gksu, gksudo, kdesudo.

rradar commented 5 years ago

just saw that etcher is stated in this issue by @Fred-Barclay

I'm trying to stop etcher from doing calls to networks/internet but I'm not able to get it running properly with firejail (the gui doesn't load properly). Here is my etcher issue with a screenshot: https://github.com/balena-io/etcher/issues/2772

chiraag-nataraj commented 5 years ago

Based on @rradar's comment, I presume this is still an issue with pkexec and we should figure out what to do about it.

rusty-snake commented 4 years ago

8204822861fe997328c94b74a16436d64bfd6eed

rusty-snake commented 4 years ago

$ firejail --noprofile /usr/bin/pkexec
pkexec must be setuid root
# removing force-nonewprivs yes
$ firejail --noprofile /usr/bin/pkexec
Refusing to render service to dead parents.

odkr commented 3 years ago
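The three distinct failures shown in this thread ("pkexec must be setuid root", "Refusing to render service to dead parents", and the GDBus "process with PID 2 has been replaced" / "No session for cookie" errors) each point at a different sandbox property: no_new_privs makes the kernel ignore pkexec's setuid bit, and a PID namespace makes pkexec see pid 1 as its parent while host polkitd resolves the sandbox-local pid against the host's /proc. The POSIX shell script below is an added diagnostic, not code from firejail, polkit or any commenter: it parses NoNewPrivs and NSpid from a /proc/<pid>/status-style file (so it can be run against a constructed sample or against the live /proc/self/status inside `firejail --noprofile`), checks the usual paths /usr/bin/pkexec and /run/dbus/system_bus_socket (assumed defaults), and maps each error line to its cause. The attribution of "No session for cookie" to the same host/sandbox pid mismatch is an assumption; the other mappings follow from pkexec's documented checks (getppid() == 1 is refused) and the semantics of PR_SET_NO_NEW_PRIVS.

```shell
#!/bin/sh
# Added diagnostic, not part of firejail or polkit. Maps the pkexec failures
# seen in this issue to the sandbox property behind each, and reports those
# properties for the current process so the check can be repeated inside
# `firejail --noprofile`.

# NoNewPrivs value (0/1) from a /proc/<pid>/status-style file.
# Under no_new_privs the kernel ignores pkexec's setuid bit on exec, so
# pkexec starts unprivileged and prints "pkexec must be setuid root".
nnp_from_status() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# Number of pid-namespace levels the process is visible in, from the NSpid
# line ("NSpid: 4096 2" = host pid 4096, pid 2 inside the sandbox). A value
# above 1 means host polkitd and the sandboxed caller disagree about pids.
pidns_depth_from_status() {
    awk '/^NSpid:/ { print NF - 1; found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# Classify one pkexec/polkit error line: prints "<cause>: <explanation>".
# Specific messages are matched before the generic GDBus.Error pattern.
explain_pkexec_error() {
    case "$1" in
        *"must be setuid root"*)
            echo "no-new-privs: setuid ignored under PR_SET_NO_NEW_PRIVS (firejail nonewprivs / force-nonewprivs), pkexec runs as the invoking user" ;;
        *"dead parents"*)
            echo "pid-namespace: pkexec's parent is pid 1 inside the sandbox (firejail's init) and pkexec refuses callers whose parent is pid 1" ;;
        *"has been replaced"*)
            echo "pid-namespace: polkitd on the host looks up the sandbox-local pid in the host /proc and finds a different process" ;;
        *"No session for cookie"*)
            # Assumption: same host/sandbox pid mismatch, seen from the agent helper side.
            echo "pid-namespace: polkitd cannot tie the sandboxed agent helper's reply to the pending authentication session" ;;
        *"GDBus.Error"*|*"org.freedesktop.DBus"*)
            echo "dbus: the system bus is not reachable from the sandbox, or polkitd rejected the caller" ;;
        *)
            echo "unknown: not a pkexec/polkit error this script recognises" ;;
    esac
}

# Stand-alone run: report the properties of the current shell. /proc/self
# inside $(...) is the awk child, but NoNewPrivs and the namespace depth are
# inherited, so the values describe this shell too. Paths are assumed defaults.
report_current_process() {
    [ -r /proc/self/status ] || { echo "no /proc/self/status; not Linux?"; return 0; }
    echo "NoNewPrivs: $(nnp_from_status /proc/self/status)"
    echo "pid namespace depth: $(pidns_depth_from_status /proc/self/status)"
    if [ -u /usr/bin/pkexec ]; then
        echo "pkexec setuid bit: set"
    else
        echo "pkexec setuid bit: missing (or file absent)"
    fi
    if [ -S /run/dbus/system_bus_socket ]; then
        echo "system bus socket: present"
    else
        echo "system bus socket: absent"
    fi
}

report_current_process
```

Run it once outside the sandbox and once as `firejail --noprofile sh pkexec-check.sh`; a NoNewPrivs of 1 explains the "must be setuid root" case regardless of how D-Bus is configured, and a depth above 1 explains the pid-related refusals even after nonewprivs is dropped, which is why allowing the unix socket alone (as tried above with --protocol=unix) does not get pkexec working.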

Is this still unresolved or is it just me?

% firejail --noprofile /usr/bin/pkexec
Parent pid 463947, child pid 463948
Child process initialized in 9.08 ms
Refusing to render service to dead parents.

Parent is shutting down, bye...
firejail --version
firejail version 0.9.58.2

Compile time support:
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - networking support is enabled
    - overlayfs support is disabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

I’m not a fan of polkit either, but it seems that it is here to stay and it would be useful if it could be called from within a firejail.