polkit-org / polkit

polkit (formerly PolicyKit) is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes.

/bin:/usr/bin in PATH causes failure in certain GUI apps #194

Open polkit-github-migration-bot opened 1 year ago

polkit-github-migration-bot commented 1 year ago

In gitlab.freedesktop.org by jrw32982 on Mar 23, 2023, 19:58

Link to the original issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/193

Current behaviour, description of the problem

Apparently, the order of /bin and /usr/bin in PATH matters! I was getting failures for multiple apps started from LinuxMint's Menu: mintsources, lightdm-settings, etc. Eventually I tracked it down to the fact that I had /bin:/usr/bin in my PATH (created by my shell profile) rather than /usr/bin:/bin. Once I modified my shell profile, and switched the order of those components in my PATH, and rebooted, the GUI apps started working.

Desired behaviour

Both command lines (see below) should work identically and successfully. Currently, the order of /usr/bin:/bin in PATH is required for apps to work and the order of /bin:/usr/bin causes them to fail. The order shouldn't matter.

For other OSes (where mintsources is not available), you can reproduce with any GUI app requiring use of pkexec and configured in a location like /usr/share/polkit-1/actions/, with an annotation like:

<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/mintsources</annotate>

(Note: /usr/bin/mintsources, rather than /bin/mintsources)

It looks like this is a bug with pkexec and/or the polkit mechanism: pkexec doesn't fully resolve (canonicalize) the path to the executable, a la readlink -f /bin/mintsources, before matching it against the path in the policy. The pkexec documentation says "full path of the program" where I think it should say "canonical full path of the program".

Reproducer

$ ls -ld /bin
lrwxrwxrwx 1 root root 7 Jun 28 2022 /bin -> usr/bin

$ pkexec /usr/bin/mintsources
...GUI prompt for password, then GUI app appears and works...

$ pkexec /bin/mintsources
...GUI prompt for password, then...
(mintSources.py:3926): Gtk-CRITICAL **: 08:24:53.938: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
(mintSources.py:3926): Gtk-CRITICAL **: 08:24:53.938: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
(mintSources.py:3926): Gtk-CRITICAL **: 08:24:53.938: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
...ABORTS (no GUI app appears)...

Detailed description

polkit 0-105.33, pkexec 0-105-33, LinuxMint 21

See more discussion and bug confirmation at GitHub LinuxMint Cinnamon and LinuxMint forum

wdoekes commented 3 weeks ago

It gets worse for things that aren't in the PATH and that are moved between distros. See this:

systemd/systemd#34712 - polkit "actions" integration fails for paths moved from /lib to /usr/lib

There calling /lib/systemd/systemd-reply-password (according to spec) does not get us the expected action, while calling /usr/lib/systemd/systemd-reply-password would.

This looks like a flaw in polkitd.

I think we need either:

Cheers, Walter Doekes OSSO B.V.
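
The mismatch discussed in this thread can be modeled outside polkit. The following is an added example, not code from polkit or from any commenter: it compares an invoked path against an org.freedesktop.policykit.exec.path annotation first as a literal string (the comparison the reporter suspects), then after resolving symlinks on both sides. The action id, the sandbox layout and the function names are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"

# Constructed policy fragment; the action id is hypothetical and {path} is
# filled in with a sandbox path so nothing on the real system is touched.
SAMPLE_POLICY = """<policyconfig>
  <action id="com.example.mintsources">
    <annotate key="org.freedesktop.policykit.exec.path">{path}</annotate>
  </action>
</policyconfig>"""

def exec_path_actions(policy_xml):
    """Return {annotated exec.path: action id} for one policy document."""
    found = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        for ann in action.iter("annotate"):
            if ann.get("key") == EXEC_PATH_KEY and ann.text:
                found[ann.text.strip()] = action.get("id")
    return found

def literal_match(invoked, actions):
    """String comparison only: models the lookup the reporter suspects."""
    return actions.get(invoked)

def canonical_match(invoked, actions):
    """Resolve symlinks on both sides before comparing (assumed remedy)."""
    target = os.path.realpath(invoked)
    for path, action_id in actions.items():
        if os.path.realpath(path) == target:
            return action_id
    return None

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        os.makedirs(os.path.join(root, "usr", "bin"))
        os.symlink("usr/bin", os.path.join(root, "bin"))  # like /bin -> usr/bin
        real = os.path.join(root, "usr", "bin", "mintsources")
        open(real, "w").close()
        alias = os.path.join(root, "bin", "mintsources")
        actions = exec_path_actions(SAMPLE_POLICY.format(path=real))
        return {
            "literal_real": literal_match(real, actions),
            "literal_alias": literal_match(alias, actions),
            "canonical_alias": canonical_match(alias, actions),
        }

if __name__ == "__main__":
    print(demo())
```

Canonicalizing both sides also covers the reverse case raised in the second comment, where the caller uses a /lib path and the policy names the /usr/lib location (or the other way round).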