vmihalko / t2_polkit


Authorization not granted with 8cabb1183aea59ccff125d0e2367fe5c8ac50b62 and following #209

Open vmihalko opened 1 year ago

vmihalko commented 1 year ago

In GitLab by @Atsutane on Sep 19, 2023, 16:21

Current behaviour, description of the problem

A non-root user is granted permissions to start, stop and restart a specific systemd service without an interactive password request for the root password. With the previously mentioned commit this no longer works and the password of root is requested.

Desired behaviour

The expected behavior would be rule-based authentication:

[testuser@host ~]$ systemctl start polkit_test.service ; echo $?
0
[testuser@host ~]$ 

What happens now is:

[testuser@host ~]$ systemctl start polkit_test.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to start 'polkit_test.service'.
Authenticating as: root
Password: 

Reproducer

Create a simple service and define a rule which grants a non-root user permission to manage this without an interactive request for a password not related to this user.

cat >/etc/systemd/system/polkit_test.service <<EOF
[Unit]
Description=Start as non-root user with polkit rules granting permissions

[Service]
Type=oneshot
ExecStart=/bin/true

[Install]
WantedBy=multi-user.target
EOF

cat >/etc/polkit-1/rules.d/10-test.rules <<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        if (subject.user == "testuser" && action.lookup("unit") == "polkit_test.service"  &&
            (action.lookup("verb") == "restart" || action.lookup("verb") == "stop" || action.lookup("verb") == "start")) {
            return polkit.Result.YES;
        }
    }
});
EOF

# optional:
useradd -m testuser

Detailed description

[Version of polkit]: git based 8cabb1183aea59ccff125d0e2367fe5c8ac50b62
[Version of OS]: Arch Linux
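
To separate a mistake in the rule from a change in the daemon, the rule from the reproducer can be evaluated on its own. The following is an added example, not part of the original report and not polkit's code: a Node.js harness that mocks the `polkit` object and runs the rule against constructed inputs. The `evaluate` helper, the mocked `Result` value and the test inputs are assumptions made for this harness.

```javascript
// Added example: stand-alone Node.js harness, not polkit's own code.
// The polkit object below is a mock covering only what the rule touches.
const rules = [];
const polkit = {
  Result: { YES: "yes" },            // mock value, assumed for this harness
  addRule(fn) { rules.push(fn); },
};

// Rule copied from 10-test.rules in the reproducer.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        if (subject.user == "testuser" && action.lookup("unit") == "polkit_test.service"  &&
            (action.lookup("verb") == "restart" || action.lookup("verb") == "stop" || action.lookup("verb") == "start")) {
            return polkit.Result.YES;
        }
    }
});

// Hypothetical helper: the first rule that returns a value decides;
// null means no rule matched and the action's default policy would apply.
function evaluate(id, user, details) {
  const action = { id, lookup: (key) => details[key] };
  for (const rule of rules) {
    const result = rule(action, { user });
    if (result !== undefined && result !== null) return result;
  }
  return null;
}

const MANAGE = "org.freedesktop.systemd1.manage-units";
// Constructed inputs: one request that should be granted, four that should not.
const cases = [
  ["testuser",  { unit: "polkit_test.service", verb: "start" }],
  ["testuser",  { unit: "polkit_test.service", verb: "reload" }],
  ["testuser",  { unit: "other.service",       verb: "start" }],
  ["otheruser", { unit: "polkit_test.service", verb: "start" }],
  ["testuser",  {}],
];
for (const [user, details] of cases) {
  console.log(user, JSON.stringify(details), "->", evaluate(MANAGE, user, details));
}
```

Only the first constructed case yields `yes`; every other case falls through to `null`, so the rule as written grants nothing beyond start, stop and restart of `polkit_test.service` for `testuser`.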