desktop-packages team mailing list archive

Thread
Date
[Bug 1510824] Please test proposed package

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Chris J Arges <1510824@xxxxxxxxxxxxxxxxxx>
Date: Tue, 24 Nov 2015 21:14:31 -0000
Reply-to: Bug 1510824 <1510824@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Hello Dariusz, or anyone else affected,

Accepted policykit-1 into vivid-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/policykit-1/0.105-8ubuntu5 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: policykit-1 (Ubuntu Wily)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1510824

Title:
  PolkitAgentSession incorrectly handles multiline output (as observed
  with pam_vas)

Status in PolicyKit:
  Fix Released
Status in policykit-1 package in Ubuntu:
  Fix Released
Status in policykit-1 source package in Trusty:
  Fix Committed
Status in policykit-1 source package in Vivid:
  Fix Committed
Status in policykit-1 source package in Wily:
  Fix Committed

Bug description:
  [Impact]

   * Some PAM modules produce output of more than 1 line (e.g.
  PAM_TEXT_INFO may contain newlines in the message content). Polkit
  authentication agent is prepared to receive only single-line messages
  so it treats each line as a separate message. It fails to recognize
  the type of message for all of them except the first - hence failed
  authorization even if it was successful on the PAM-level.

   * The PAM specification does not require the modules to send only
  single-line messages. Thus, polkit needs to be fixed.

  * The helper component should escape (g_strescape) all messages before
  sending it up to the authentication agent. This way everything will be
  read as a single line and then unescaped to restore it's formatting
  with no changes required in PAM modules.

  [Test Case]

   * Use a pam module that returns a multi-line PAM_TEXT_INFO message on
  successful authentication (may require to artificially modify a pam
  module).

   * Perform a polkit authorization with e.g. pkexec ls

   * Correct authorization should end with a failure with an
  unrecognized PAM message

  [Regression Potential]

   * Fix makes advantage of the fact that polkit authentication agent
  already un-escapess (g_strcompress) all input from the helper
  component.

  * Fix is a backport of an upstream change.

  [Other Info]

   * Original bug description:

  There is an error observed when Ubuntu is configured to perform
  authentication via pam_vas (Vintela Authentication Services by Dell)
  in a disconnected mode (using cached authentication).

  Steps to reproduce:
  1. Configure pam_vas client authenticating to a remote server.
  2. Perform authentication to cache the credentials.
  3. Disconnect from the network where the server is reachable (to force using cached information).
  4. Perform an action requiring polkit authentication.

  Expected result:
  Authentication succeeds accompanied by the following message "You have logged in using cached account information.  Some network services will be unavailable".

  Actual result:
  Authentication fails accompanied by the following message "You have logged in using cached account information.  Some network services will be unavailable".

  Probable cause:
  The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output:
  PAM_TEXT_INFO You have logged in using cached account information.  Some network services
  will be unavailable.

  The 'will be unavailable.' part is interpreted as an unknown message
  and causes failed authorization.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: policykit-1 0.105-4ubuntu2.14.04.1
  ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18
  Uname: Linux 3.16.0-52-generic x86_64
  NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.14.1-0ubuntu3.18
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Oct 28 09:01:37 2015
  InstallationDate: Installed on 2015-04-13 (197 days ago)
  InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
  SourcePackage: policykit-1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/policykit-1/+bug/1510824/+subscriptions
References

[Bug 1510824] [NEW] PolkitAgentSession ignores multiline output (with pam_vas)
From: Dariusz Gadomski, 2015-10-28