RE: polkit rules are no longer working

2022-06-09 Thread Piotr Łobacz
Yes, I agree. That is why I have reported a bug in yocto 
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14829.


From: Jan Rybar
Sent: Thursday, 9 June 2022 08:43
To: Piotr Łobacz
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

This is not good news. But thanks for the message and the insight!

On Wed, Jun 8, 2022 at 4:47 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
No, this is a recipe in yocto kirkstone release which you can verify here 
https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-extended/polkit.
The yocto team has added this patch for duktape and as I said with it our 
polkit rules are not working.

BR
Piotr

From: Jan Rybar <jry...@redhat.com>
Sent: Wednesday, June 8, 2022 4:27:34 PM
To: Piotr Łobacz <piotr.lob...@vm.pl>
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hello again,

On Wed, Jun 8, 2022 at 12:34 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
Hi,
So, this is a bug in yocto not polkit. Btw. I was just writing to you now, 
that I have switched from duktape to mozjs and yes, it started to work for me 
back again. I think I should write to open embedded about this issue.

This is an important message BTW. How did you make polkit incorporated in 
0.119? Did you apply the patch from upstream? Was polkit configured to use 
duktape during build and then it didn't work?

Thanks for info.

BR,

From: Jan Rybar <jry...@redhat.com>
Sent: Wednesday, 8 June 2022 12:29
To: Piotr Łobacz <piotr.lob...@vm.pl>
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hi,


On Wed, Jun 8, 2022 at 10:41 AM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
Hi Jan, All,
sorry for late response, but it was quite a challenge for me to backport old 
polkit 0.116 from yocto 3.4 with mozjs dependency (it demands version 0.60 and 
in kirkstone the lowest is 0.78). Moreover I had to add fixes for 0.60 in 
order to compile it with python 3.10 (in later yocto it was 3.8). But 
fortunately I have succeeded and I can confirm that our rules are working.

I needed to know whether polkit-0.118 or 0.117 break the functionality, but I 
can test that with modified rules file of yours on Fedora once I find some time.

Now the biggest difference which I have noticed is that polkit recipe has 
switched from mozjs to duktape and I have no idea if it has any implications. 
Also, I haven't checked the other versions between 0.116 and 0.119.

Duktape is not present in 0.119 yet. Changing mozjs version and one CVE fixup 
in dbus communication are the biggest changes in those.

Cheers.

BR
Piotr Lobacz

From: polkit-devel <polkit-devel-boun...@lists.freedesktop.org> on behalf of Piotr Łobacz <piotr.lob...@vm.pl>
Sent: Tuesday, 7 June 2022 13:37
To: Jan Rybar <jry...@redhat.com>
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hi Jan,
First thx for quick answer. I am currently out, but I will try to do all the 
tests in the evening and get back to you with all the information.

BR
Piotr Lobacz

From: Jan Rybar <jry...@redhat.com>
Sent: Tuesday, June 7, 2022 12:41:46 PM
To: Piotr Łobacz <piotr.lob...@vm.pl>
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hello,

I'm not aware of anything apparent that should affect that. AFAIK mozjs changed 
IIRC twice between those versions and then there was a vulnerability mitigation.
Can you please provide outputs from journal?
Also, do you happen to have an option to downgrade to 0.118 or lower to 
determine the version to blame?

In case of further questions, don't hesitate to reach out to me.
Thanks.

Jan Rybar

On Tue, Jun 7, 2022 at 12:07 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
Hi all,
I am facing an issue with polkit rules for pkexec. Currently when I try to run 
an application with pkexec command I'm facing an error:

Jun 07 09:46:06 eg pkexec[59699]: test: Error executing command as another 
user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/root] 
[COMMAND=/usr/sbin/nft]

the rule for this to be run, looks like this:

polkit.addRule(function(action, subject) {
    user_app = [
        '/bin/chmod',
        '/bin/chown',
        '/bin/rm',
RE: polkit rules are no longer working

2022-06-08 Thread Piotr Łobacz
Hi,
So, this is a bug in yocto not polkit. Btw. I was just writing to you now, 
that I have switched from duktape to mozjs and yes, it started to work for me 
back again. I think I should write to open embedded about this issue.

BR,

From: Jan Rybar
Sent: Wednesday, 8 June 2022 12:29
To: Piotr Łobacz
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hi,


On Wed, Jun 8, 2022 at 10:41 AM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
Hi Jan, All,
sorry for late response, but it was quite a challenge for me to backport old 
polkit 0.116 from yocto 3.4 with mozjs dependency (it demands version 0.60 and 
in kirkstone the lowest is 0.78). Moreover I had to add fixes for 0.60 in 
order to compile it with python 3.10 (in later yocto it was 3.8). But 
fortunately I have succeeded and I can confirm that our rules are working.

I needed to know whether polkit-0.118 or 0.117 break the functionality, but I 
can test that with modified rules file of yours on Fedora once I find some time.

Now the biggest difference which I have noticed is that polkit recipe has 
switched from mozjs to duktape and I have no idea if it has any implications. 
Also, I haven't checked the other versions between 0.116 and 0.119.

Duktape is not present in 0.119 yet. Changing mozjs version and one CVE fixup 
in dbus communication are the biggest changes in those.

Cheers.

BR
Piotr Lobacz

From: polkit-devel <polkit-devel-boun...@lists.freedesktop.org> on behalf of Piotr Łobacz <piotr.lob...@vm.pl>
Sent: Tuesday, 7 June 2022 13:37
To: Jan Rybar <jry...@redhat.com>
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hi Jan,
First thx for quick answer. I am currently out, but I will try to do all the 
tests in the evening and get back to you with all the information.

BR
Piotr Lobacz

From: Jan Rybar <jry...@redhat.com>
Sent: Tuesday, June 7, 2022 12:41:46 PM
To: Piotr Łobacz <piotr.lob...@vm.pl>
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hello,

I'm not aware of anything apparent that should affect that. AFAIK mozjs changed 
IIRC twice between those versions and then there was a vulnerability mitigation.
Can you please provide outputs from journal?
Also, do you happen to have an option to downgrade to 0.118 or lower to 
determine the version to blame?

In case of further questions, don't hesitate to reach out to me.
Thanks.

Jan Rybar

On Tue, Jun 7, 2022 at 12:07 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
Hi all,
I am facing an issue with polkit rules for pkexec. Currently when I try to run 
an application with pkexec command I'm facing an error:

Jun 07 09:46:06 eg pkexec[59699]: test: Error executing command as another 
user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/root] 
[COMMAND=/usr/sbin/nft]

the rule for this to be run, looks like this:

polkit.addRule(function(action, subject) {
    user_app = [
        '/bin/chmod',
        '/bin/chown',
        '/bin/rm',
        '/sbin/ifconfig',
        '/sbin/route',
        '/usr/sbin/update-ca-certificates',
        '/usr/bin/hostnamectl',
        '/usr/bin/iotedge',
        '/usr/bin/swupdate',
        '/usr/bin/timedatectl',
        '/usr/sbin/dmidecode',
        '/usr/sbin/eg_reboot',
        '/usr/sbin/factory_reset',
        '/usr/sbin/grub_console',
        '/usr/sbin/nft',
        '/usr/sbin/read_admin_keys',
        '/usr/sbin/useradd',
        '/usr/sbin/userdel'
    ];
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.user == "tes" && user_app.includes(action.lookup("program"))) {
        return polkit.Result.YES;
    }
});

and is stored in /etc/polkit-1/rules.d/30-sbin-test.rules. This was all working 
before, with polkit 0.116, but now we have switched to newer yocto 4.0 and 
there is polkit 0.119, with which it stopped working for us. Has something 
changed in the polkitd service and I'm missing it?

BR
Piotr




RE: polkit rules are no longer working

2022-06-08 Thread Piotr Łobacz
Hi Jan, All,
sorry for late response, but it was quite a challenge for me to backport old 
polkit 0.116 from yocto 3.4 with mozjs dependency (it demands version 0.60 and 
in kirkstone the lowest is 0.78). Moreover I had to add fixes for 0.60 in 
order to compile it with python 3.10 (in later yocto it was 3.8). But 
fortunately I have succeeded and I can confirm that our rules are working.

Now the biggest difference which I have noticed is that polkit recipe has 
switched from mozjs to duktape and I have no idea if it has any implications. 
Also, I haven't checked the other versions between 0.116 and 0.119.

BR
Piotr Lobacz

From: polkit-devel on behalf of Piotr Łobacz
Sent: Tuesday, 7 June 2022 13:37
To: Jan Rybar
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hi Jan,
First thx for quick answer. I am currently out, but I will try to do all the 
tests in the evening and get back to you with all the information.

BR
Piotr Lobacz

From: Jan Rybar
Sent: Tuesday, June 7, 2022 12:41:46 PM
To: Piotr Łobacz
Cc: polkit-devel@lists.freedesktop.org
Subject: Re: polkit rules are no longer working

Hello,

I'm not aware of anything apparent that should affect that. AFAIK mozjs changed 
IIRC twice between those versions and then there was a vulnerability mitigation.
Can you please provide outputs from journal?
Also, do you happen to have an option to downgrade to 0.118 or lower to 
determine the version to blame?

In case of further questions, don't hesitate to reach out to me.
Thanks.

Jan Rybar

On Tue, Jun 7, 2022 at 12:07 PM Piotr Łobacz <piotr.lob...@vm.pl> wrote:
Hi all,
I am facing an issue with polkit rules for pkexec. Currently when I try to run 
an application with pkexec command I'm facing an error:

Jun 07 09:46:06 eg pkexec[59699]: test: Error executing command as another 
user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/root] 
[COMMAND=/usr/sbin/nft]

the rule for this to be run, looks like this:

polkit.addRule(function(action, subject) {
    user_app = [
        '/bin/chmod',
        '/bin/chown',
        '/bin/rm',
        '/sbin/ifconfig',
        '/sbin/route',
        '/usr/sbin/update-ca-certificates',
        '/usr/bin/hostnamectl',
        '/usr/bin/iotedge',
        '/usr/bin/swupdate',
        '/usr/bin/timedatectl',
        '/usr/sbin/dmidecode',
        '/usr/sbin/eg_reboot',
        '/usr/sbin/factory_reset',
        '/usr/sbin/grub_console',
        '/usr/sbin/nft',
        '/usr/sbin/read_admin_keys',
        '/usr/sbin/useradd',
        '/usr/sbin/userdel'
    ];
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.user == "tes" && user_app.includes(action.lookup("program"))) {
        return polkit.Result.YES;
    }
});

and is stored in /etc/polkit-1/rules.d/30-sbin-test.rules. This was all working 
before, with polkit 0.116, but now we have switched to newer yocto 4.0 and 
there is polkit 0.119, with which it stopped working for us. Has something 
changed in the polkitd service and I'm missing it?

BR
Piotr
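
Added example (not part of the thread and not polkit's own code): a small harness that runs the rule from the original report against constructed pkexec requests outside polkitd, so the rule's logic can be separated from the JavaScript engine it runs on. Assumptions: makePolkit, check and evaluate are hypothetical names, the mock covers only addRule, Result and action.lookup, a rule that throws is treated as giving no decision, and removing Array.prototype.includes is only a stand-in for an engine difference, since the thread does not say which difference is responsible.

```javascript
// Added example: a constructed stand-in for polkitd's rule API, not polkit code.
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no" },
    addRule(fn) { rules.push(fn); },
    // Try rules in order; the first one that returns a value decides.
    check(action, subject) {
      try {
        for (const rule of rules) {
          const r = rule(action, subject);
          if (r !== null && r !== undefined) return { result: r, error: null };
        }
      } catch (e) {
        // Assumption: a rule that throws yields no decision (request not authorized).
        return { result: null, error: String(e) };
      }
      return { result: null, error: null };
    },
  };
}

// Rule text as posted in the thread (allowlist reflowed onto fewer lines).
const RULE_SRC = `polkit.addRule(function(action, subject) {
  user_app = ['/bin/chmod', '/bin/chown', '/bin/rm', '/sbin/ifconfig', '/sbin/route',
    '/usr/sbin/update-ca-certificates', '/usr/bin/hostnamectl', '/usr/bin/iotedge',
    '/usr/bin/swupdate', '/usr/bin/timedatectl', '/usr/sbin/dmidecode',
    '/usr/sbin/eg_reboot', '/usr/sbin/factory_reset', '/usr/sbin/grub_console',
    '/usr/sbin/nft', '/usr/sbin/read_admin_keys', '/usr/sbin/useradd', '/usr/sbin/userdel'];
  if (action.id == "org.freedesktop.policykit.exec" &&
      subject.user == "tes" && user_app.includes(action.lookup("program"))) {
    return polkit.Result.YES;
  }
});`;

// Evaluate a constructed pkexec request; dropIncludes simulates a missing built-in.
function evaluate(user, program, dropIncludes) {
  const desc = Object.getOwnPropertyDescriptor(Array.prototype, "includes");
  try {
    if (dropIncludes) delete Array.prototype.includes;
    const polkit = makePolkit();
    new Function("polkit", RULE_SRC)(polkit);
    const lookup = (key) => (key === "program" ? program : undefined);
    return polkit.check({ id: "org.freedesktop.policykit.exec", lookup }, { user });
  } finally {
    Object.defineProperty(Array.prototype, "includes", desc);
  }
}
console.log(evaluate("tes", "/usr/sbin/nft", false), evaluate("tes", "/usr/sbin/nft", true));
```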