Subject: Bug#459: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails
From: Mike Gabriel
To: Michael DePaulo, 459@bugs.x2go.org
Date: Wed, 20 Aug 2014 09:31:15 +0000

Hi Michael,

On Sun 23 Mar 2014 17:25:58 CET, Michael DePaulo wrote:

> Package: x2goserver
> Version: 4.0.1.13
>
> Notes:
>
> 1. I am not sure if this is a bug in x2goserver, x2goserver-xsession,
> or in nx-libs.
>
> 2. PolicyKit depends on ConsoleKit (and on systemd-logind in
> newer distros.)
>
> 3. The behavior seems to be distro-specific and/or app-specific.
>
> 4. This bug report differs from 458 because PolicyKit authentication
> is being called within an app, not when launching the app. This is
> part of the PolicyKit architecture: The apps run unprivileged and
> rely on PolicyKit in order to speak to privileged processes that do
> the actual task. For example, in test case 2, gpk-application is
> launched unprivileged. It uses PolicyKit to speak to the PackageKit
> backend, and the PackageKit backend does the package install.
>
> Test system:
> Fedora 20 64-bit
> MATE Desktop 1.6.2.1.fc20 - used for all 3 test cases
> x2goserver 4.0.1.13.2.fc20
> x2goserver-xsession 4.0.1.13.2.fc20
> nxlibs 3.5.0.22.1-fc20
> (This distro uses logind)
> (/usr/libexec/polkit-mate-authentication-agent-1 is launched
> automatically when I log in over X2Go. This distro is not affected by
> bug 457)
>
> Test Case 1:
> Steps:
> 1. Launch yumex (from start menu or from console)
> 2. Switch to the yumex's "history" tab on the left.
>
> Expected result:
> A policykit authentication window opens up, I select a user to
> authenticate as (myself or root), enter my password, and then the
> history is populated within yumex.
>
> Here is an image of that policykit authentication window:
> http://imgur.com/JUZTBHo
>
> Actual result:
> The authentication window does not open up and the history is not
> populated. Instead, I get an error message window. When I click
> "Close" on the window, yumex closes.
>
> Error message:
> Fatal Error: polkit-not-authorized
>
> Could not get polkit autherisation to start backend
>
> Yum Extender will terminate
>
> Here's an image of the error message window
> http://imgur.com/ABYETM0
>
> From the command-line, I can see this output when I select the history tab:
> 15:53:07 : INFO - YUM: Error executing command as another user: Not authorized
> 15:53:14 : INFO - yum backend process is ended
> 15:53:14 : INFO - yum backend process is ended
>
> Test Case 2:
> Steps:
> 1. Launch gpk-application (GNOME "Software Install" AKA "Add/Remove Software")
> 2. Select to install a single package.
> 3. Click "Apply Changes"
>
> Expected result: A policykit authentication window opens up, I select
> a user to authenticate as (myself or root), enter my password, and
> then the package is downloaded & installed (over the course of at
> least a few seconds), during which a progress bar is displayed.
>
> Screenshot:
> http://imgur.com/lLNof08
>
> Actual result:
> The authentication window does not open up. The progress bar for the
> install completes in about 1 second. The package is not installed.
> (Interestingly enough, the package is still selected to be installed,
> but the "Apply Changes" and "cancel" button are hidden. This is a bug
> in gpk-application, it does not know how to handle policykit having an
> error. But this gpk-application bug is beside the point.)
>
> Screenshot:
> http://i.imgur.com/28lCZF5.png
>
> Also, the command-line does not show any relevant output.
>
> Test Case 3:
> Steps:
> 1. Launch virt-manager (AKA "Virtual Machine Manager")
>
> This test case actually passes!
>
> Expected & Actual result:
> A policykit authentication window opens up, I select a user to
> authenticate as (e.g., myself or root), enter my password, and then I
> am connected to the local libvirtd instance and see the VMs running.
>
> Screenshot:
> http://imgur.com/mZSgdMW
>
> Also, the command-line output does not include any details about
> PolicyKit (succeeding.)
>
> Note: Test case 3 fails on CentOS 6.5 64-bit. However, CentOS 6.5
> 64-bit is affected by bug 457, so that precludes running this test
> case.

I just fixed #458 by exporting $XAUTHORITY in x2goruncommand.

Do you have any clue what this issue may be related to? As I don't
have any of the failing apps on Debian, I cannot reproduce your test
results right away. Any hint, if this issue also occurs on Debian?

Mike
-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb