This is not good news. But thanks for the message and the insight!

On Wed, Jun 8, 2022 at 4:47 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
> No, this is a recipe in yocto kirkstone release which you can verify here
> https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/polkit.
> The yocto team has added this patch for duktape and as I said with it our
> polkit rules are not working.
>
> BR
> Piotr
>
> ------------------------------
> *From:* Jan Rybar <jry...@redhat.com>
> *Sent:* Wednesday, June 8, 2022 4:27:34 PM
> *To:* Piotr Łobacz <piotr.lob...@vm.pl>
> *Cc:* polkit-devel@lists.freedesktop.org <polkit-devel@lists.freedesktop.org>
> *Subject:* Re: polkit rules are no longer working
>
> Hello again,
>
> On Wed, Jun 8, 2022 at 12:34 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
>
> Hi,
> So, this is a bug in yocto not polkit. Btw. I was just writing to you
> now, that I have switched from duktape to mozjs and yes, it started to work
> for me back again. I think I should write to open embedded about this issue.
>
> This is an important message BTW. How did you make polkit incorporated in
> 0.119? Did you apply the patch from upstream? Was polkit configured to use
> duktape during build and then it didn't work?
>
> Thanks for info.
>
> BR,
> ------------------------------
> *From:* Jan Rybar <jry...@redhat.com>
> *Sent:* Wednesday, 8 June 2022 12:29
> *To:* Piotr Łobacz <piotr.lob...@vm.pl>
> *Cc:* polkit-devel@lists.freedesktop.org <polkit-devel@lists.freedesktop.org>
> *Subject:* Re: polkit rules are no longer working
>
> Hi,
>
> On Wed, Jun 8, 2022 at 10:41 AM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
>
> Hi Jan, All,
> sorry for late response, but it was quite a challenge for me to backport
> old polkit 0.116 from yocto 3.4 with mozjs dependency (it demands version
> 0.60 and in kirkstone the lowest is 0.78). Moreover I had to add fixes for
> 0.60 in order to compile it with python 3.10 (in later yocto it was 3.8).
> But fortunately I have succeeded and I can confirm that our rules are
> working.
>
> I needed to know whether polkit-0.118 or 0.117 break the functionality,
> but I can test that with modified rules file of yours on Fedora once I find
> some time.
>
> Now the biggest difference which I have noticed is that polkit recipe has
> switched from mozjs to duktape and I have no idea if it implies in any way.
> Also,
> I haven't checked the other versions between 0.116 and 0.119.
>
> Duktape is not present in 0.119 yet. Changing mozjs version and one CVE
> fixup in dbus communication are the biggest changes in those.
>
> Cheers.
>
> BR
> Piotr Lobacz
> ------------------------------
> *From:* polkit-devel <polkit-devel-boun...@lists.freedesktop.org> on behalf of
> Piotr Łobacz <piotr.lob...@vm.pl>
> *Sent:* Tuesday, 7 June 2022 13:37
> *To:* Jan Rybar <jry...@redhat.com>
> *Cc:* polkit-devel@lists.freedesktop.org <polkit-devel@lists.freedesktop.org>
> *Subject:* Re: polkit rules are no longer working
>
> Hi Jan,
> First thx for quick answer. I am currently out, but I will try to do all
> the test in the evening and get back to you with all the information.
>
> BR
> Piotr Lobacz
>
> ------------------------------
> *From:* Jan Rybar <jry...@redhat.com>
> *Sent:* Tuesday, June 7, 2022 12:41:46 PM
> *To:* Piotr Łobacz <piotr.lob...@vm.pl>
> *Cc:* polkit-devel@lists.freedesktop.org <polkit-devel@lists.freedesktop.org>
> *Subject:* Re: polkit rules are no longer working
>
> Hello,
>
> I'm not aware of anything apparent that should affect that. AFAIK mozjs
> changed IIRC twice between those versions and then there was a
> vulnerability mitigation.
> Can you please provide outputs from journal?
> Also, do you happen to have an option to downgrade to 0.118 or lower to
> determine the version to blame?
>
> In case of further questions, don't hesitate to reach out to me.
> Thanks.
>
> Jan Rybar
>
> On Tue, Jun 7, 2022 at 12:07 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
>
> Hi all,
> I am facing an issue with polkit rules for pkexec. Currently when I try to
> run an application with pkexec command I'm facing an error:
>
> Jun 07 09:46:06 eg pkexec[59699]: test: Error executing command as another
> user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/root]
> [COMMAND=/usr/sbin/nft]
>
> the rule for this to be run, looks like this:
>
> polkit.addRule(function(action, subject) {
>     user_app = [
>         '/bin/chmod',
>         '/bin/chown',
>         '/bin/rm',
>         '/sbin/ifconfig',
>         '/sbin/route',
>         '/usr/sbin/update-ca-certificates',
>         '/usr/bin/hostnamectl',
>         '/usr/bin/iotedge',
>         '/usr/bin/swupdate',
>         '/usr/bin/timedatectl',
>         '/usr/sbin/dmidecode',
>         '/usr/sbin/eg_reboot',
>         '/usr/sbin/factory_reset',
>         '/usr/sbin/grub_console',
>         '/usr/sbin/nft',
>         '/usr/sbin/read_admin_keys',
>         '/usr/sbin/useradd',
>         '/usr/sbin/userdel'
>     ];
>     if (action.id == "org.freedesktop.policykit.exec" && subject.user ==
>         "tes" && user_app.includes(action.lookup("program"))) {
>         return polkit.Result.YES;
>     }
> });
>
> and is stored in /etc/polkit-1/rules.d/30-sbin-test.rules. This was all
> working before, with polkit 0.116, but now we have switched to newer yocto
> 4.0 and there is polkit 0.119, with which it stopped working for us. Has
> something changed in the polkitd service and I'm missing it?
>
> BR
> Piotr
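
The thread does not say why the rule stops matching under the duktape build. As an added example (not code from the thread or from polkit), this Node.js harness runs the posted membership test and an ES5.1 `indexOf` variant against a mock `polkit` object, with and without `Array.prototype.includes` available. The mock, the function names and the premise that the engine lacks `includes` are assumptions.

```javascript
// Constructed stand-in for the `polkit` object a rules file receives.
function makePolkit() {
  var rules = [];
  return {
    Result: { YES: "yes", NO: "no" },
    addRule: function (fn) { rules.push(fn); },
    evaluate: function (action, subject) {
      for (var i = 0; i < rules.length; i++) {
        try {
          var r = rules[i](action, subject);
          if (r) return r;
        } catch (e) { return "error: " + e.name; } // surface rule failures
      }
      return "no-decision";
    }
  };
}
// Subset of the allow-list from the rule in the thread.
var USER_APP = ["/sbin/route", "/usr/sbin/nft", "/usr/sbin/useradd"];
function matches(action, subject) {
  return action.id == "org.freedesktop.policykit.exec" && subject.user == "tes";
}
// Membership test as posted (Array.prototype.includes, ES2016).
function ruleIncludes(polkit) {
  polkit.addRule(function (action, subject) {
    if (matches(action, subject) && USER_APP.includes(action.lookup("program")))
      return polkit.Result.YES;
  });
}
// Same decision using only ES5.1 built-ins.
function ruleIndexOf(polkit) {
  polkit.addRule(function (action, subject) {
    if (matches(action, subject) && USER_APP.indexOf(action.lookup("program")) !== -1)
      return polkit.Result.YES;
  });
}
// Evaluate one pkexec request; es5Only hides `includes` for the call (assumption).
function run(install, program, es5Only) {
  var desc = Object.getOwnPropertyDescriptor(Array.prototype, "includes");
  if (es5Only) delete Array.prototype.includes;
  try {
    var polkit = makePolkit();
    install(polkit);
    var action = { id: "org.freedesktop.policykit.exec", lookup: function () { return program; } };
    return polkit.evaluate(action, { user: "tes" });
  } finally {
    if (es5Only) Object.defineProperty(Array.prototype, "includes", desc);
  }
}
```

A rule that throws or returns nothing grants no authorization, which from the caller's side looks the same as the "Not authorized" line in the journal.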