[Bug 1008344] Re: checks "admin" group membership instead of querying polkit

Bug Watch Updater 1008344 at bugs.launchpad.net
Thu Jan 31 07:38:36 UTC 2013 

Launchpad has imported 1 comments from the remote bug at
https://bugs.freedesktop.org/show_bug.cgi?id=60103.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2013-01-31T06:53:34+00:00 Martin Pitt wrote:

We have an application which shows an "Apply system-wide" button
depending whether or not the user is an administrator. Right now we
define this in terms of being in the "admin" Unix group, and define the
default polkit rules so that "admin" group members are admins.

We would like to move this check from group membership to directly
asking polkit, as this is more robust when e. g. customizing the polkit
configuration for remote authorizations.

The problem is, the current API for checking if a process can get
authorized for a particular action (i. e.
polkit_authority_check_authorization()) has no way of distinguishing if
it's the current user who can authenticate, or whether any admin of the
system can. I. e. if the policy is "auth_admin", then this call, or
pkcheck will always say "Authorization requires authentication and -u
wasn't passed.".

It would be nice if there was either a detail (like
polkit_user_denied=1) in the returned PolkitDetails which would point
that out, or there was a flag like
POLKIT_CHECK_AUTHORIZATION_FLAGS_CALLING_USER_ONLY which would say "no"
if the calling user is not able to authenticate with her credentials.

The agent obviously has access to that information, as it will ask for
the user's password if the user itself is an admin, or present a list of
admins if not. But I don't see this exposed anywhere towards the client.

Reply at: https://bugs.launchpad.net/ubuntu/+source/language-
selector/+bug/1008344/comments/28


** Changed in: policykit
       Status: Unknown => Confirmed

** Changed in: policykit
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to language-selector in Ubuntu.
https://bugs.launchpad.net/bugs/1008344

Title:
  checks "admin" group membership instead of querying polkit

Status in PolicyKit:
  Confirmed
Status in “language-selector” package in Ubuntu:
  Triaged

Bug description:
  In a new install of Ubuntu Precise, I cannot make any system-wide
  changes in the language selector (such as installing languages or
  clicking "Apply System-Wide"), only user-specific changes. All those
  controls for system-wide changes are greyed out, although my user does
  have sudo abilities and I would be able to enter the root password of
  the machine.

  The machine is freshly installed, but with customizations specific to
  our site, e.g. ldap authentication for users. Specifically, my user is
  an ldap user, not a local one, and there is a group in the ldap
  directory which was granted sudo capability by adding it to
  /etc/sudoers. My user is part of that group. sudo on the command line
  and gksudo work fine.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: language-selector-gnome 0.79
  ProcVersionSignature: Ubuntu 3.2.0-24.39-generic 3.2.16
  Uname: Linux 3.2.0-24-generic x86_64
  ApportVersion: 2.0.1-0ubuntu8
  Architecture: amd64
  Date: Mon Jun  4 08:20:04 2012
  PackageArchitecture: all
  ProcEnviron:
   LANGUAGE=en_US:
   TERM=screen-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: language-selector
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/policykit/+bug/1008344/+subscriptions

More information about the foundations-bugs mailing list