plainbox-secure-policy doesn't work over ssh

Bug #1299201 reported by Jeff Lane 
26
This bug affects 3 people
Affects Status Importance Assigned to Milestone
PlainBox (Toolkit)
Fix Released
Critical
Zygmunt Krynicki

Bug Description

I have two "systems" running. One is a cloud instance that is updated Trusty, the other is a bare-metal server that I locally provision and install via d-i.

BOTH systems have up-to-date trusty packages on them.
BOTH systems have had c-c-s installed using the following packages: checkbox-ng, plainbox-certification-server.

Both systems are accessed via SSH

In both cases, plainbox-secure-policy prevents the user from running canonical-certification-server.

==========================[ Loading Jobs Definition ]===========================
===============================[ Authentication ]===============================
Error executing command as another user: Not authorized

This incident has been reported.

After some testing today, Daniel confirmed that when logged in locally, the user is able to run c-c-s without issue using the secure policy package. But when logged in via SSH, he encounters the same errors I did. Workaround is to install plainbox-insecure-policy.

here are pacakge versions:
ubuntu@supermicro:~$ dpkg -l |grep plainbox
ii plainbox-provider-certification-server 0.1~dev+bzr2845+pkg3~ubuntu14.04.1 all Server Certification
ii plainbox-provider-checkbox 0.4~dev+bzr2840+pkg1~ubuntu14.04.1 amd64 CheckBox provider for PlainBox
ii plainbox-provider-resource-generic 0.3~dev+bzr2840+pkg2~ubuntu14.04.1 amd64 CheckBox generic resource jobs provider
ii plainbox-secure-policy 0.6~dev+bzr2845+pkg1~ubuntu14.04.1 all policykit policy required to use plainbox (secure version)
ii python3-plainbox 0.6~dev+bzr2845+pkg1~ubuntu14.04.1 all toolkit for software and hardware testing (python3 module)
ubuntu@supermicro:~$ dpkg -l |grep checkbox
ii checkbox-ng 0.3~dev+bzr2845+pkg1~ubuntu14.04.1 all PlainBox based test runner
ii plainbox-provider-checkbox 0.4~dev+bzr2840+pkg1~ubuntu14.04.1 amd64 CheckBox provider for PlainBox
ii python3-checkbox-ng 0.3~dev+bzr2845+pkg1~ubuntu14.04.1 all PlainBox based test runner (Python 3 library)
ii python3-checkbox-support 0.2~dev+bzr2845+pkg1~ubuntu14.04.1 all collection of Python modules used by PlainBox providers

Related branches

Zygmunt Krynicki (zyga)
summary: - plainbox-secure-policy prevents normal user from running c-c-s
+ plainbox-secure-policy doesn't work over ssh
Revision history for this message
Daniel Manrique (roadmr) wrote :

Our policy covers only active sessions:

  <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>

per polkit documentation, SSH counts as an "inactive" session:

" Inactive sessions are generally remote sessions (SSH, VNC, etc.) whereas active sessions are logged directly into the machine on a TTY or an X display. allow_any is the setting encompassing both scenarios. ".

However, I found that I have to make allow_any "auth_admin_keep" for this to work over SSH. This may need some more fiddling but apparently it's possible to solve with some policy settings.

Changed in checkbox:
status: New → Triaged
milestone: none → 2014-apr-11
importance: Undecided → High
Revision history for this message
Daniel Manrique (roadmr) wrote :

Polkit reference manual, for, well, reference:

http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

Revision history for this message
Daniel Manrique (roadmr) wrote :

Of course the reason why the insecure policy works is that it has this:

    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

Zygmunt Krynicki (zyga)
affects: checkbox → plainbox
Changed in plainbox:
milestone: 2014-apr-11 → none
milestone: none → 0.6
importance: High → Critical
Zygmunt Krynicki (zyga)
Changed in plainbox:
status: Triaged → In Progress
assignee: nobody → Zygmunt Krynicki (zkrynicki)
Zygmunt Krynicki (zyga)
Changed in plainbox:
status: In Progress → Fix Committed
Daniel Manrique (roadmr)
Changed in plainbox:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.