Ubuntu
policykit-1 package

localauthority.conf - AdminIdentities: unix-group is ignored

Bug #1853115 reported by Alexander Fieroch
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
policykit-1 (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Allowed users and groups as admins for pkexec are defined in:

  /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf

  [Configuration]
  AdminIdentities=unix-group:sudo;unix-group:admin;unix-group:localadmin

As you can see, I added unix-group:localadmin

My user is localadmin-user1 who is in the local group localadmin. It does not matter if I create a new configuration file
  /etc/polkit-1/localauthority.conf.d/99-myadmins.conf or expand the original 51-ubuntu-admin.conf

  [Configuration]
  AdminIdentities=unix-group:sudo;unix-group:admin;unix-group:localadmin

If I add the user himself instead of his group localadmin the user is listed the allowed list for pkexec.

  [Configuration]
  AdminIdentities=unix-group:sudo;unix-group:admin;unix-user:localadmin-user1

How to reproduce:
- create local user and group (here: localadmin)
- add unix-group:localadmin to /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
- pkexec mount
  -> the local user in group localadmin is not listed
- add unix-user:localadmin-user1 to /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
- pkexec mount
  -> the local user localadmin-user1 is listed

----
Kubuntu 19.10
policykit-1 0.105-26ubuntu1
SSSD for system authorization including domain

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
Revision history for this message
James Paton-Smith (jamesps) wrote :

I am experiencing the same issue on Ubuntu 20.04.4 with the below polkit config, where sysapp is an LDAP group, and we are using SSSD for LDAP login to our machines.

# This file is managed by Puppet. DO NOT EDIT.
[Configuration]
AdminIdentities=unix-group:sysapp;unix-group:sudo;unix-group:admin

When attempting to install software via GUI (snap-store) or update packages, the GUI prompt only accepts authorisation from users in the 'sudo' or 'admin' groups.

Revision history for this message
Vegard Søbstad Alsli (alslinet) wrote (last edit ):

Same problem on my end, also on 20.04

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.