[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
This bug was fixed in the package policykit-1 - 0.105-8ubuntu5 --- policykit-1 (0.105-8ubuntu5) vivid; urgency=medium * Fix handling of multi-line helper output. (LP: #1510824) -- Dariusz GadomskiFri, 20 Nov 2015 15:30:03 +0100 ** Changed in: policykit-1 (Ubuntu Vivid) Status: Fix Committed => Fix Released ** Changed in: policykit-1 (Ubuntu Wily) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: Fix Released Status in policykit-1 source package in Vivid: Fix Released Status in policykit-1 source package in Wily: Fix Released Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
This bug was fixed in the package policykit-1 - 0.105-11ubuntu3 --- policykit-1 (0.105-11ubuntu3) wily; urgency=medium * Fix handling of multi-line helper output. (LP: #1510824) -- Dariusz GadomskiFri, 20 Nov 2015 15:24:53 +0100 ** Changed in: policykit-1 (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: Fix Released Status in policykit-1 source package in Vivid: Fix Released Status in policykit-1 source package in Wily: Fix Released Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
This bug was fixed in the package policykit-1 - 0.105-4ubuntu3.14.04.1 --- policykit-1 (0.105-4ubuntu3.14.04.1) trusty; urgency=medium * Fix handling of multi-line helper output. (LP: #1510824) -- Dariusz GadomskiFri, 20 Nov 2015 15:36:30 +0100 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: Fix Released Status in policykit-1 source package in Vivid: Fix Released Status in policykit-1 source package in Wily: Fix Released Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
I have prepared a 'broken' pam_unix version printing a multiline text info if it detects the PAM_SERVICE name is polkit-1. This allows to reproduce the issue and verify the fix. I've made this broken version available for Vivid and Wily in ppa:dgadomski/lp1510824 and performed the verification for those releases. In both cases the fix solves the problem and I haven't observed any regressions. Updating tags. ** Tags removed: verification-done-trusty verification-needed ** Tags added: verification-done -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: Fix Committed Status in policykit-1 source package in Vivid: Fix Committed Status in policykit-1 source package in Wily: Fix Committed Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
** Tags added: verification-done-trusty -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: Fix Committed Status in policykit-1 source package in Vivid: Fix Committed Status in policykit-1 source package in Wily: Fix Committed Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Hi, I can confirm this works on trusty with pam authenticating with QAS4 in offline mode. Cheers, /István -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: Fix Committed Status in policykit-1 source package in Vivid: Fix Committed Status in policykit-1 source package in Wily: Fix Committed Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Hello Dariusz, or anyone else affected, Accepted policykit-1 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/policykit-1/0.105-4ubuntu3.14.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: policykit-1 (Ubuntu Trusty) Status: In Progress => Fix Committed ** Tags added: verification-needed ** Changed in: policykit-1 (Ubuntu Vivid) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: Fix Committed Status in policykit-1 source package in Vivid: Fix Committed Status in policykit-1 source package in Wily: Fix Committed Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
** Changed in: policykit-1 (Ubuntu) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Committed Status in policykit-1 source package in Trusty: In Progress Status in policykit-1 source package in Vivid: In Progress Status in policykit-1 source package in Wily: In Progress Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Daniel uploaded the SRUs already. I'm committing the fix to Debian so that for xenial we can stay in sync. Thanks Dariusz! Removing sponsor subscription. ** Changed in: policykit-1 (Ubuntu Trusty) Status: Triaged => In Progress ** Changed in: policykit-1 (Ubuntu Vivid) Status: Triaged => In Progress ** Changed in: policykit-1 (Ubuntu Wily) Status: Triaged => In Progress -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Triaged Status in policykit-1 source package in Trusty: In Progress Status in policykit-1 source package in Vivid: In Progress Status in policykit-1 source package in Wily: In Progress Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
This bug was fixed in the package policykit-1 - 0.105-13ubuntu1 --- policykit-1 (0.105-13ubuntu1) xenial; urgency=medium * Fix handling of multi-line helper output. (LP: #1510824) -- Dariusz GadomskiFri, 20 Nov 2015 14:44:23 +0100 ** Changed in: policykit-1 (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Fix Released Status in policykit-1 source package in Trusty: In Progress Status in policykit-1 source package in Vivid: In Progress Status in policykit-1 source package in Wily: In Progress Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
** Changed in: policykit-1 Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: New Status in policykit-1 source package in Trusty: New Status in policykit-1 source package in Vivid: New Status in policykit-1 source package in Wily: New Bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Added SRU proposal for wily. ** Patch added: "wily_policykit-1_0.105-11ubuntu3.debdiff" https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1510824/+attachment/4522624/+files/wily_policykit-1_0.105-11ubuntu3.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: New Status in policykit-1 source package in Trusty: New Status in policykit-1 source package in Vivid: New Status in policykit-1 source package in Wily: New Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Added SRU proposal for Xenial. ** Description changed: + [Impact] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [Test Case] + + * Use a pam module that returns a multi-line PAM_TEXT_INFO message on + successful authentication (may require to artificially modify a pam + module). + + * Perform a polkit authorization with e.g. pkexec ls + + * Correct authorization should end with a failure with an unrecognized + PAM message + + [Regression Potential] + + * Fix makes advantage of the fact that polkit authentication agent + already un-escapess (g_strcompress) all input from the helper component. + + * Fix is a backport of an upstream change. + + [Other Info] + + * Original bug description: + There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) ** Description changed: [Impact] - * An explanation of the effects of the bug on users and + * Some PAM modules produce output of more than 1 line (e.g. + PAM_TEXT_INFO may contain newlines in the message content). Polkit + authentication agent is prepared to receive only single-line messages so + it treats each line as a separate message. It fails to recognize the + type of message for all of them except the first - hence failed + authorization even if it was successful on the PAM-level. - * justification for backporting the fix to the stable release. + * The PAM specification does not require the modules to send only + single-line messages. Thus, polkit needs to be fixed. - * In addition, it is helpful, but not required, to include an -explanation of how the upload fixes this bug. + * The helper component should escape (g_strescape) all messages before + sending it up to the authentication agent. This way everything will be + read as a single line and then unescaped to restore it's formatting with + no changes required in PAM modules. [Test Case] - * Use a pam module that returns a multi-line PAM_TEXT_INFO message on + * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). - * Perform a polkit authorization with e.g. pkexec ls + * Perform a polkit authorization with e.g. pkexec ls - * Correct authorization should end with a failure with an unrecognized + * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] - * Fix makes advantage of the fact that polkit authentication agent + * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] - - * Original bug description: + + * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Added SRU proposal for trusty. ** Patch added: "trusty_policykit-1_0.105-4ubuntu3.14.04.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1510824/+attachment/4522626/+files/trusty_policykit-1_0.105-4ubuntu3.14.04.1.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: New Status in policykit-1 source package in Trusty: New Status in policykit-1 source package in Vivid: New Status in policykit-1 source package in Wily: New Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Added SRU proposal for vivid. ** Patch added: "vivid_policykit-1_0.105-8ubuntu5.debdiff" https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1510824/+attachment/4522625/+files/vivid_policykit-1_0.105-8ubuntu5.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: New Status in policykit-1 source package in Trusty: New Status in policykit-1 source package in Vivid: New Status in policykit-1 source package in Wily: New Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
** Changed in: policykit-1 (Ubuntu) Status: New => Triaged ** Changed in: policykit-1 (Ubuntu) Importance: Undecided => Medium ** Changed in: policykit-1 (Ubuntu Trusty) Status: New => Triaged ** Changed in: policykit-1 (Ubuntu Trusty) Importance: Undecided => Medium ** Changed in: policykit-1 (Ubuntu Vivid) Status: New => Triaged ** Changed in: policykit-1 (Ubuntu Vivid) Importance: Undecided => Medium ** Changed in: policykit-1 (Ubuntu Wily) Status: New => Triaged ** Changed in: policykit-1 (Ubuntu Wily) Importance: Undecided => Medium -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Fix Released Status in policykit-1 package in Ubuntu: Triaged Status in policykit-1 source package in Trusty: Triaged Status in policykit-1 source package in Vivid: Triaged Status in policykit-1 source package in Wily: Triaged Bug description: [Impact] * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level. * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed. * The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules. [Test Case] * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module). * Perform a polkit authorization with e.g. pkexec ls * Correct authorization should end with a failure with an unrecognized PAM message [Regression Potential] * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component. * Fix is a backport of an upstream change. [Other Info] * Original bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
** Changed in: policykit-1 Status: Incomplete => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Confirmed Status in policykit-1 package in Ubuntu: New Status in policykit-1 source package in Trusty: New Status in policykit-1 source package in Vivid: New Status in policykit-1 source package in Wily: New Bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
Launchpad has imported 3 comments from the remote bug at https://bugs.freedesktop.org/show_bug.cgi?id=92886. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. On 2015-11-10T09:42:00+00:00 Dariusz Gadomski wrote: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. Reply at: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1510824/comments/2 On 2015-11-10T09:55:13+00:00 Dariusz Gadomski wrote: Created attachment 119534 Tested patch fixing the issue Reply at: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1510824/comments/3 On 2015-11-10T17:47:20+00:00 Miloslav Trmac wrote: Thanks for the patch. Yes, this is the correct thing to do (polkitagentsession.c:io_watch_have_data is always calling g_strcompress()). Having the same newline handling and escaping code in three places seems too ugly and unnecessary, though. Would you be willing to update the patch so that polkitagenthelper-pam.c uses the send_to_helper function throughout (modified to do the escaping as necessary), or at least to test such an updated patch? Reply at: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1510824/comments/4 ** Changed in: policykit-1 Status: Unknown => Incomplete ** Changed in: policykit-1 Importance: Unknown => Medium -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Incomplete Status in policykit-1 package in Ubuntu: New Status in policykit-1 source package in Trusty: New Status in policykit-1 source package in Vivid: New Status in policykit-1 source package in Wily: New Bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18
[Desktop-packages] [Bug 1510824] Re: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)
** Bug watch added: freedesktop.org Bugzilla #92886 https://bugs.freedesktop.org/show_bug.cgi?id=92886 ** Also affects: policykit-1 via https://bugs.freedesktop.org/show_bug.cgi?id=92886 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1510824 Title: PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas) Status in PolicyKit: Unknown Status in policykit-1 package in Ubuntu: New Status in policykit-1 source package in Trusty: New Status in policykit-1 source package in Vivid: New Status in policykit-1 source package in Wily: New Bug description: There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication). Steps to reproduce: 1. Configure pam_vas client authenticating to a remote server. 2. Perform authentication to cache the credentials. 3. Disconnect from the network where the server is reachable (to force using cached information). 4. Perform an action requiring polkit authentication. Expected result: Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Actual result: Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable". Probable cause: The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output: PAM_TEXT_INFO You have logged in using cached account information. Some network services will be unavailable. The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: policykit-1 0.105-4ubuntu2.14.04.1 ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18 Uname: Linux 3.16.0-52-generic x86_64 NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl ApportVersion: 2.14.1-0ubuntu3.18 Architecture: amd64 CurrentDesktop: Unity Date: Wed Oct 28 09:01:37 2015 InstallationDate: Installed on 2015-04-13 (197 days ago) InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1) SourcePackage: policykit-1 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp