lists users multiple time when requiring user authentication

Bug #1451815 reported by Sergio Callegari on 2015-05-05
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
One Hundred Papercuts
Medium
Unassigned
policykit-1 (Ubuntu)
Medium
Unassigned
Nominated for Vivid by Alberto Salvia Novella

Bug Description

To reproduce

systemctl restart <some unit>

==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Multiple identities can be used for authentication:
 1. Sergio Callegari (callegar)
 2. Sergio Callegari (callegar)
Choose identity to authenticate as (1-2):

Why is the same identity seen as two different identities?

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: systemd 219-7ubuntu4
ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
Uname: Linux 3.19.0-15-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: KDE
Date: Tue May 5 14:50:15 2015
EcryptfsInUse: Yes
MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-15-generic root=/dev/mapper/DISK00-root ro quiet splash nomodeset video=uvesafb:mode_option=1024x768-16,mtrr=3,scroll=ywrap nomdmonddf nomdmonisw vt.handoff=7
SourcePackage: systemd
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/21/2010
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: P2.10
dmi.board.name: N68-S
dmi.board.vendor: ASRock
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrP2.10:bd04/21/2010:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnN68-S:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.name: To Be Filled By O.E.M.
dmi.product.version: To Be Filled By O.E.M.
dmi.sys.vendor: To Be Filled By O.E.M.

Sergio Callegari (callegar) wrote :
Martin Pitt (pitti) wrote :

This is the normal policykit text backend. I take it you see the same if you run "pkexec whoami"?

I don't have an immediate idea why there are two choices. What does

  getent passwd |grep callegar

show?

affects: systemd (Ubuntu) → policykit-1 (Ubuntu)
Changed in policykit-1 (Ubuntu):
status: New → Incomplete
summary: - systemctl lists users multiple time when requiring user authentication
+ lists users multiple time when requiring user authentication
Sergio Callegari (callegar) wrote :

Yes, I see the same with the graphical backend. I only reported the text one, since it was easier.

getent passwd | grep callegar

has a single entry for the user

callegar:x:1000:1000:Sergio Callegari:/home/callegar:/bin/bash

Martin Pitt (pitti) wrote :

Another shot into the blue, what does "getent passwd | grep 1000" say? Do you use any kind of remote user database (NIS, LDAP, etc.), or is this a fairly standard desktop install? If you don't have any secret user names or home directory names, would you mind attaching your /etc/passwd and /etc/group (NOT /etc/shadow, that has the encrypted passwords!) so that I can see whether I can reproduce this with these files?

Sergio Callegari (callegar) wrote :
Download full text (4.2 KiB)

With "getent passwd | grep 1000" I get the same single entry as above.

This is a test system, not only there is no NIS and LDAP, but there is a single user right now.

/etc/passwd as follows

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:102::/home/syslog:/bin/false
messagebus:x:103:104::/var/run/dbus:/bin/false
polkituser:x:104:105:PolicyKit,,,:/var/run/PolicyKit:/bin/false
hplip:x:106:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:107:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:108:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:109:117::/home/saned:/bin/false
callegar:x:1000:1000:Sergio Callegari:/home/callegar:/bin/bash
stunnel4:x:111:123::/var/run/stunnel4:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pulse:x:112:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false
clamav:x:113:125::/var/lib/clamav:/bin/false
postfix:x:102:103::/var/spool/postfix:/bin/false
usbmux:x:114:46:usbmux daemon,,,:/home/usbmux:/bin/false
rtkit:x:115:126:RealtimeKit,,,:/proc:/bin/false
oprofile:x:116:127:OProfile JIT user,,,:/var/lib/oprofile:/bin/bash
colord:x:105:106:colord colour management daemon,,,:/var/lib/colord:/bin/false
dhcpd:x:118:135::/var/run:/bin/false
timidity:x:119:136:TiMidity++ MIDI sequencer service:/etc/timidity:/bin/false
dnsmasq:x:121:65534:dnsmasq,,,:/var/lib/misc:/bin/false
whoopsie:x:122:128::/nonexistent:/bin/false
dcmtk:x:117:139::/var/lib/dcmtk/db:/bin/sh
uuidd:x:100:101::/run/uuidd:/bin/false
gpsd:x:123:20:GPSD system user,,,:/run/gpsd:/bin/false
systemd-timesync:x:124:142:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:125:143:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:126:144:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:127:145:systemd Bus Proxy,,,:/run/systemd:/bin/false
kernoops:x:129:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
speech-dispatcher:x:130:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
sddm:x:120:137:Simple Desktop Display Manager:/var/lib/sddm:/bin/false

Here is /etc/group

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:callegar,syslog
tty:x:5:
disk:x:6:
lp:x:7:callegar
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:callegar
fax:x:21:callegar
voice:x:22:
cdrom:x:24:callegar
flop...

Read more...

For me the issue about getting duplicate names in the output was due to the fact that my user was in both the "admin" and "sudo" group. Seems like polkit first lists all user from the sudo group, then all users from the admin group; not checking if the same user was listed twice.

so after a quick
sudo gpasswd -d $USER admin

The duplicate no longer appear.

Hope this information is helpful.

//Rikard

Sergio Callegari (callegar) wrote :

Hi, thanks for the analysis. The outcome seems quite reasonable.
Can you help me confirming that the "Admin" user is a compatibility leftover from past versions of Ubuntu and that administrators can be safely removed from it?

I have found this

 http://askubuntu.com/questions/43317/what-is-the-difference-between-the-sudo-and-admin-group

and I wonder if it covers all admin tasks or whether there may be old binaries around that still look for "admin".

Martin Pitt (pitti) wrote :

Indeed, I completely forgot about the sudo/admin groups. Indeed "admin" has been the one introduced by Ubuntu since the very beginning; later "sudo" was introduced by Debian, and Ubuntu moved to it. So "admin" can safely be dropped once all sudo users got moved into "sudo".

Changed in policykit-1 (Ubuntu):
status: Incomplete → Triaged
Changed in policykit-1 (Ubuntu):
importance: Undecided → Medium
Changed in hundredpapercuts:
status: New → Triaged
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers