Maciej, that looks like javascript polkit and I believe we're staying on
the pre-javascript version of polkit.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1850977
Title:
Snap installs
Unfortunately it isn't that easy in my case. I need to have every action
attempted logged. That will still give it to me, but modifying what's
happening by changing what's being requested.
So, if a normal user attempts something, the best case is for it to ask
for the users password and fail when
Not sure whether removing files that came with distro packages is the
best idea long term. I think a better option would be to drop in a
custom rule that runs before the default ones. As usual ArchWiki has
some examples:
https://wiki.archlinux.org/index.php/Polkit#Administrator_identities
As an addition... If I remove the 51-ubuntu-admin.conf file, when I run
`snap install blender --classic`, it pops up a dialog box asking for the
"Administrator" password.
Entering roots password will install it.
This is the behaviour wanted. Not install it with only the users
authentication.
--
That's what I want though. I want control through sudoers, not polkit.
The file: /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ... still
contains:
```
[Configuration]
AdminIdentities=unix-user:0
```
I don't know why you need to say root is an admin, but whatever it's
there... And
Having no group listed by default would means admin users wouldn't be
able to use polkit which is not what we want.
https://gitlab.freedesktop.org/polkit/polkit/issues/24 discusses a bit
the group checking logic
** Changed in: gnome-software (Ubuntu)
Status: New => Invalid
** Bug watch
Thank You!!!
Can you set it like:
```
[Configuration]
AdminIdentities=
```
So *nothing* is considered an Admin?
That file has `unix-group:sudo;unix-group:admin` ... by default from
what I can tell. But at least that I know this thing exists and hey, you
can elevate privileges without being in
The polkit definition of the admin group is in
/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
Did you update that file to reflect that your admin group has a
different naming?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
The above still stands... but that isn't it for `snap` ... I changed all
the `isIngroup("sudo")` to use `sudoA` since that's the actually group
that's in sudoers...
And snap is still letting me install the blender snap in `--classic`
mode. So How do you find out what polkit rules are running
the requirement for policykit (and dropping of gksu/gksudo) came with
the switch to gnome upstream, its a hard requirement for the desktop
nowadays.
while the default here might be wrong (and should be reviewed by someone
from the desktop team), this is definitely not a snapd related bug. i
added
I think I may have found it It looks like policykit has some rules
with entries like:
```
subject.isInGroup("sudo")
```
That's ... broken. Just being in the `sudo` group should *NOT* let me
install software or elevate my priviledges, *ESPECIALLY* if the user
isn't actually in the sudoers.
Oliver,
> if you are marked as admin in the policyKit setup
Where do you find this? Where is the definition for what `auth_admin`
does located? From the freedesktop site it *seems* that it's an
"Administrative user," which to me is sudoers. As the system admin I'm
not defining an admin user
policyKit does not involve sudo in any way, it uses systemd-logind from
the session to elevate privileges. if you are marked as admin in the
policyKit setup you will indeed be able to do admin things no matter
what is written in sudoers ;)
--
You received this bug notification because you are a
I looked at the policy used by PackageKit. I believe gnome-software uses
it as a backend, so can you try installing something that is
specifically not a snap?
At this point, all snapd does is ask PolicyKit whether given the policy,
the user can install a package. PolicyKit responds with yes,
(Okay... no edit)...
So, I don't have admin access through sudo, but I can still install
software on the system. Even software that snap says "may perform
arbitrary system changes."
Am I uderstanding this right?
What is the best way to have the behaviour being a sudo check? That's
what I would
My user is in the "admin" group, but that's my LDAP group. /etc/sudoers
was changed to have the groups allowed be "sudoA" and "adminA" which my
local user is in.
Does the polkit `auth_admin` *NOT* do an actual sudo check but just look
at the group name? That's ... not good. I'll need to have some
Can you run (this will show a password prompt like during snap
installation):
pkcheck -a io.snapcraft.snapd.manage --process $$ -u ; echo $?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1850977
snapd asks polkit for the authorization, looking at the log, pokit
belives the user is an admin:
ov 05 15:15:46 jms-u18t polkitd(authority=local)[881]: Operator of unix-
session:116 successfully authenticated as unix-user:jason to gain
TEMPORARY authorization for action io.snapcraft.snapd.manage
Seems to be more appropriate to assign this to snapd than gnome-
software.
** Summary changed:
- gnome-software installs software without user having sudo access
+ Snap installs software without user having sudo access
** Tags added: snap
** Package changed: gnome-software (Ubuntu) => snapd
Addition from change
$ apt-cache policy snapd
snapd:
Installed: 2.40+18.04
Candidate: 2.40+18.04
Version table:
*** 2.40+18.04 500
500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64
Packages
100 /var/lib/dpkg/status
2.37.4+18.04.1 500
500
20 matches
Mail list logo