[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
Maciej, that looks like javascript polkit and I believe we're staying on the pre-javascript version of polkit. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: Invalid Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
Unfortunately it isn't that easy in my case. I need to have every action attempted logged. That will still give it to me, but modifying what's happening by changing what's being requested. So, if a normal user attempts something, the best case is for it to ask for the users password and fail when they don't have permission to do the action, or the password entered is wrong. Second best, is to fall back to asking for the root password. I can deal with the logging inaccuracy. But not always ask for the root password in every case which is what that override will do. I'm going to be needing to implement some custom polkit/apparmour stuff eventually anyway (now that I've seen this), but this came about as I am not a Debian/Ubuntu person. So I hit something that _shouldn't_ have been happening in my mind (hey, no sudoers access, no way to run as root) ... It threw me that it was happening. But thanks to everyone for digging into this with me. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: Invalid Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
Not sure whether removing files that came with distro packages is the best idea long term. I think a better option would be to drop in a custom rule that runs before the default ones. As usual ArchWiki has some examples: https://wiki.archlinux.org/index.php/Polkit#Administrator_identities Specifically, if I'm reading this right, putting the following rule in /etc/polkit-1/rules.d/00-override.rules should be enough: /* Always authenticate Admins by prompting for the root * password, similar to the rootpw option in sudo */ polkit.addAdminRule(function(action, subject) { return ["unix-user:root"]; }); Having this it's easy to build a package that can be later distributed to other workstations. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: Invalid Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
As an addition... If I remove the 51-ubuntu-admin.conf file, when I run `snap install blender --classic`, it pops up a dialog box asking for the "Administrator" password. Entering roots password will install it. This is the behaviour wanted. Not install it with only the users authentication. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: Invalid Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
That's what I want though. I want control through sudoers, not polkit. The file: /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ... still contains: ``` [Configuration] AdminIdentities=unix-user:0 ``` I don't know why you need to say root is an admin, but whatever it's there... And that *should* be the only admin. No other user should have administrative privileges on their own, without using sudo or becoming root. Full stop. This isn't for a single desktop home system, but a corporate controlled system. A user that can install software just because they want to isn't going to fly (or pass Government regulations we need to). And not all admins are created equal. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: Invalid Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
Having no group listed by default would means admin users wouldn't be able to use polkit which is not what we want. https://gitlab.freedesktop.org/polkit/polkit/issues/24 discusses a bit the group checking logic ** Changed in: gnome-software (Ubuntu) Status: New => Invalid ** Bug watch added: gitlab.freedesktop.org/polkit/polkit/issues #24 https://gitlab.freedesktop.org/polkit/polkit/issues/24 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: Invalid Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
Thank You!!! Can you set it like: ``` [Configuration] AdminIdentities= ``` So *nothing* is considered an Admin? That file has `unix-group:sudo;unix-group:admin` ... by default from what I can tell. But at least that I know this thing exists and hey, you can elevate privileges without being in sudoers (Ugh... another thing to restrict for regulations). Does that deal only with the *name* of the group, or what it sees as the GID? I mean, I can make another user named `bob` with a UID of 0 ... so I'm still effectively root even if I'm logged in as bob. Does this work that way with GID's? Or is it looking explicitly at the name only even if the name is irrelevant is actual system usage? Meaning, I can have groups named: Admin, AdminA, AdminB, AdminC with different members but the same GID. In this way anything on the filesystem owned by the `Admin` group, can be accessed by any of the Admin groups since it's the GID that matters. Does PolicyKit take GIDs into account, or just the name? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: New Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
The polkit definition of the admin group is in /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf Did you update that file to reflect that your admin group has a different naming? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: New Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
The above still stands... but that isn't it for `snap` ... I changed all the `isIngroup("sudo")` to use `sudoA` since that's the actually group that's in sudoers... And snap is still letting me install the blender snap in `--classic` mode. So How do you find out what polkit rules are running at any given time? The `io.snapcraft.snapd.manage' action has: ``` auth_admin ``` But where is what `auth_admin` does defined? It *looks* like it's seeing it as a local login and just allowing it. If I log in through SSH and try the same command I get: $ snap install blender --classic error: access denied (try with sudo) Being a locally logged in user does not mean you should have the ability to install software. Again, that's an incorrect assumption being made :/ -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: New Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
the requirement for policykit (and dropping of gksu/gksudo) came with the switch to gnome upstream, its a hard requirement for the desktop nowadays. while the default here might be wrong (and should be reviewed by someone from the desktop team), this is definitely not a snapd related bug. i added a gnome-software task and will close the snapd one ... ** Changed in: snapd (Ubuntu) Status: Incomplete => Invalid ** Also affects: gnome-software (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in gnome-software package in Ubuntu: New Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Invalid Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
I think I may have found it It looks like policykit has some rules with entries like: ``` subject.isInGroup("sudo") ``` That's ... broken. Just being in the `sudo` group should *NOT* let me install software or elevate my priviledges, *ESPECIALLY* if the user isn't actually in the sudoers. It's a broken assumption. I changed the /etc/sudoers file so the `sudo` group does *NOT* have permissions explicitly for this reason. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Incomplete Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
Oliver, > if you are marked as admin in the policyKit setup Where do you find this? Where is the definition for what `auth_admin` does located? From the freedesktop site it *seems* that it's an "Administrative user," which to me is sudoers. As the system admin I'm not defining an admin user anywhere else but sudoers. If it's just by group that's broken all to hell... The freedesktop.org site states[1]: > If the system is configured without a root account it may prompt for a specific user designated as the administrative user: Where do you designate a user as the administrative user outside of putting them in sudoers? I need to implement government regulations. Some users need to be in the admin group from LDAP, but cannot install software on workstations. sudoers *should* control this. The init system has nothing to do with account elevation... unless they're taking that over as well. This was a straight up install from Ubuntu. Nothing in my Salt configurations touch polkit settings. Since I'm doing LDAP login, there's /etc/pam.d entries in files for LDAP auth that polkit uses. Would this be interfering? -J [1] - https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Incomplete Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
I looked at the policy used by PackageKit. I believe gnome-software uses it as a backend, so can you try installing something that is specifically not a snap? At this point, all snapd does is ask PolicyKit whether given the policy, the user can install a package. PolicyKit responds with yes, therefore the installation can proceed. There's not much we can do inside the declared policy, as the defaults are fine IMO. >From my perspective, this should likely be investigated by someone more familiar with PolicyKit to find out why it's treating your user as admin. ** Also affects: policykit-1 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Incomplete Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access
policyKit does not involve sudo in any way, it uses systemd-logind from the session to elevate privileges. if you are marked as admin in the policyKit setup you will indeed be able to do admin things no matter what is written in sudoers ;) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1850977 Title: Snap installs software without user having sudo access Status in policykit-1 package in Ubuntu: New Status in snapd package in Ubuntu: Incomplete Bug description: $ lsb_release -rd Description: Ubuntu 18.04.2 LTS Release: 18.04 $ apt-cache policy gnome-software gnome-software: Installed: 3.28.1-0ubuntu4.18.04.8 Candidate: 3.28.1-0ubuntu4.18.04.12 Version table: 3.28.1-0ubuntu4.18.04.12 500 500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages *** 3.28.1-0ubuntu4.18.04.8 100 100 /var/lib/dpkg/status 3.28.1-0ubuntu4 500 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 What I expect to happen: Software is not installed for a user without sudo access. What does happen: I'm logging in with an LDAP user. This user does not have sudo access. When I select software from gnome-software ("Ubuntu Software"), it pops up and asks for my users password. I enter this in, and the software then installs (tested with blender, libreoffice, opencl driver). My user does *not* have sudo access on the system. $ sudo su - [sudo] password for jason: jason is not in the sudoers file. This incident will be reported. It appears these *may* be being installed with Snaps ... which still: How, without having root access, can an unprivileged user install something onto the system? ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gnome-software 3.28.1-0ubuntu4.18.04.8 ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21 Uname: Linux 5.0.0-32-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Nov 1 13:53:03 2019 InstallationDate: Installed on 2019-11-01 (0 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) InstalledPlugins: gnome-software-plugin-flatpak N/A gnome-software-plugin-limba N/A gnome-software-plugin-snap3.28.1-0ubuntu4.18.04.8 ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gnome-software UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1850977/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp