[Bug 1510824] [NEW] PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)

Launchpad Bug Tracker 1510824 at bugs.launchpad.net
Fri Nov 20 15:11:02 UTC 2015


You have been subscribed to a public bug by Dariusz Gadomski (dgadomski):

[Impact]

 * Some PAM modules produce output of more than 1 line (e.g.
PAM_TEXT_INFO may contain newlines in the message content). Polkit
authentication agent is prepared to receive only single-line messages so
it treats each line as a separate message. It fails to recognize the
type of message for all of them except the first - hence failed
authorization even if it was successful on the PAM-level.

 * The PAM specification does not require the modules to send only
single-line messages. Thus, polkit needs to be fixed.

 * The helper component should escape (g_strescape) all messages before
sending them up to the authentication agent. This way everything will be
read as a single line and then unescaped to restore its formatting with
no changes required in PAM modules.

[Test Case]

 * Use a PAM module that returns a multi-line PAM_TEXT_INFO message on
successful authentication (may require artificially modifying a PAM
module).

 * Perform a polkit authorization with e.g. pkexec ls

 * Correct authorization should end with a failure with an unrecognized
PAM message

[Regression Potential]

 * Fix takes advantage of the fact that polkit authentication agent
already un-escapes (g_strcompress) all input from the helper component.

 * Fix is a backport of an upstream change.

[Other Info]

 * Original bug description:

There is an error observed when Ubuntu is configured to perform
authentication via pam_vas (Vintela Authentication Services by Dell) in
a disconnected mode (using cached authentication).

Steps to reproduce:
1. Configure pam_vas client authenticating to a remote server.
2. Perform authentication to cache the credentials.
3. Disconnect from the network where the server is reachable (to force using cached information).
4. Perform an action requiring polkit authentication.

Expected result:
Authentication succeeds accompanied by the following message "You have logged in using cached account information.  Some network services will be unavailable".

Actual result:
Authentication fails accompanied by the following message "You have logged in using cached account information.  Some network services will be unavailable".

Probable cause:
The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output:
PAM_TEXT_INFO You have logged in using cached account information.  Some network services
will be unavailable.

The 'will be unavailable.' part is interpreted as an unknown message and
causes failed authorization.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: policykit-1 0.105-4ubuntu2.14.04.1
ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18
Uname: Linux 3.16.0-52-generic x86_64
NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl
ApportVersion: 2.14.1-0ubuntu3.18
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Oct 28 09:01:37 2015
InstallationDate: Installed on 2015-04-13 (197 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
SourcePackage: policykit-1
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: policykit-1
     Importance: Medium
         Status: Fix Released

** Affects: policykit-1 (Ubuntu)
     Importance: Undecided
     Assignee: Dariusz Gadomski (dgadomski)
         Status: New

** Affects: policykit-1 (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: policykit-1 (Ubuntu Vivid)
     Importance: Undecided
         Status: New

** Affects: policykit-1 (Ubuntu Wily)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug sts trusty
-- 
PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
https://bugs.launchpad.net/bugs/1510824
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
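
Added example, not part of the bug report or the polkit source: a minimal C model of the line-based helper-to-agent stream described above, showing the unescaped two-line PAM_TEXT_INFO yielding an unrecognized line while the escaped form parses as a single message. escape_msg and unescape_msg are simplified stand-ins for g_strescape and g_strcompress; the SUCCESS line and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for g_strescape(): escapes only newline and backslash. */
static void escape_msg(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (; *in && o + 2 < cap; in++) {
        if (*in == '\n' || *in == '\\') out[o++] = '\\';
        out[o++] = (*in == '\n') ? 'n' : *in;
    }
    out[o] = '\0';
}
/* Stand-in for g_strcompress(): undoes escape_msg() in place. */
static void unescape_msg(char *s) {
    char *w = s;
    for (char *r = s; *r; r++)
        *w++ = (*r == '\\' && r[1]) ? (*++r == 'n' ? '\n' : *r) : *r;
    *w = '\0';
}

/* Helper side: one PAM_TEXT_INFO record, then an assumed SUCCESS line. */
static void helper_emit(const char *msg, int escape, char *out, size_t cap) {
    char body[256];
    if (escape) escape_msg(msg, body, sizeof body);
    snprintf(out, cap, "PAM_TEXT_INFO %s\nSUCCESS\n", escape ? body : msg);
}

/* Agent side: one message per line; returns the number of unrecognized lines. */
static int agent_parse(const char *stream, char *info, size_t cap) {
    char buf[512];
    int unknown = 0;
    snprintf(buf, sizeof buf, "%s", stream);
    for (char *line = buf, *nl; (nl = strchr(line, '\n')); line = nl + 1) {
        *nl = '\0';
        if (strncmp(line, "PAM_TEXT_INFO ", 14) == 0) {
            unescape_msg(line + 14);              /* restore original formatting */
            snprintf(info, cap, "%s", line + 14);
        } else if (strcmp(line, "SUCCESS") != 0) unknown++;
    }
    return unknown;
}

int main(void) {
    const char *msg = "Some network services\nwill be unavailable."; /* from the report */
    char wire[512], info[256];
    for (int esc = 0; esc <= 1; esc++) {
        helper_emit(msg, esc, wire, sizeof wire);
        printf("escaped=%d unknown=%d\n", esc, agent_parse(wire, info, sizeof info));
    }
    return 0;
}
```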


