pkexec fails in a non-graphical environment

Bug #1821415 reported by Brian Murray
This bug affects 7 people
Affects                 Status         Importance   Assigned to    Milestone
PolicyKit               New            Unknown
apport (Ubuntu)         Fix Released   Low          Unassigned
  Focal                 Fix Released   Medium       Brian Murray
  Groovy                Fix Released   Medium       Brian Murray
policykit-1 (Ubuntu)    Won't Fix      Low          Unassigned
  Focal                 Won't Fix      Undecided    Unassigned
  Groovy                Won't Fix      Undecided    Unassigned

Bug Description

[Impact]
The plymouth apport source package hook wants to gather log files as the root user and apport provides a policy kit policy for collecting that information. This works fine in a graphical environment but not in a non-graphical one.

[Test Case]
1) ssh into an Ubuntu Desktop install of Ubuntu 20.04 LTS or Ubuntu 20.10
2) sudo touch /var/log/plymouth-debug.log
3) ubuntu@disco:~$ ubuntu-bug plymouth

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
..........==== AUTHENTICATING FOR com.ubuntu.apport.root-info ===
Authentication is required to collect system information for this problem report
Authenticating as: Ubuntu (ubuntu)
Password: ....
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

With the version of apport from -proposed you will not see the "AUTHENTICATION FAILED" error and the plymouth-debug.log file will be collected.

[Where Problems Could Occur]
It's possible that the spawned pkttyagent process does not get cleaned up properly and could be left running. When testing the SRU we should confirm it is not still running.

Changed in policykit-1:
status: Unknown → New
Will Cooke (willcooke) wrote :

Marking as notfixing for release. This doesn't mean that it won't get worked on, and Andrea might have an idea what's going on here, but we won't block release on this bug.

tags: added: rls-dd-notfixing
removed: rls-dd-incoming
tags: added: desktop-trello-import
Will Cooke (willcooke) wrote : Automatically added comment
tags: removed: desktop-trello-import
Andrea Azzarone (azzar1) wrote :

I proposed a fix upstream [1]. A workaround can be added to apport to work around this while polkit is fixed upstream: we could for example spawn pkttyagent manually (a similar approach is used by systemd).

[1] https://gitlab.freedesktop.org/polkit/polkit/merge_requests/28

description: updated
tags: added: rls-ee-incoming
Changed in policykit-1 (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Sebastien Bacher (seb128) wrote :

We reviewed it in the team meeting; while it would be nice to fix, we don't believe it's a use case common/important enough to justify team assignment & tracking. Tagging rls-ee-notfixing.

tags: added: rls-ee-notfixing
removed: rls-ee-incoming
Brian Murray (brian-murray) wrote :

The plymouth package hook is using apport's "attach_root_command_outputs" function; that same function is also used by the following package hooks: lightdm, shim-signed, ubuntu-release-upgrader, update-manager, synaptic, upgrade-system and all the xorg hooks. So it may be worth working around this in apport.

tags: added: id-5cd1bf5c8a064c7e9fa14a52
Changed in apport (Ubuntu):
status: New → Triaged
importance: Undecided → Low
TJ (tj) wrote :

Lubuntu is suffering what seems to be a related failure, although I tracked that down to what I thought was a different upstream bug report. In Lubuntu's case the lxqt-policykit-agent suffers a SIGSEGV as a side effect (I think) of polkit failing to authorise.

It was originally discovered when, using the GUI, an additional user was added with 'sudo' membership. This broke the subsequent ability of the new user to make any user account changes via the GUI because they'd get an authentication challenge and then failure. That failure seems to exercise a rarely followed code path that causes the SIGSEGV, and is likely unrelated to the underlying policykit issue.
That new 'sudo' member is also prevented from using privileged tools like "gparted".

bug #1828663 "policykit failures due to internal user id mismatch"

Timo Aaltonen (tjaalton) wrote :

sru upload for bionic: needs sru template, and the bug doesn't seem fixed in newer releases?

tags: added: fr-279
Kees Bakker (keestux) wrote :

Can we raise the importance please? It is quite essential to let unprivileged users run certain commands, even if there is no GUI.

Also, it is very confusing when everything is configured correctly, plus the password is correct, and then to get the message "Not authorized", "This incident has been reported."

tags: added: rls-hh-incoming
Iain Lane (laney) wrote :

I don't think we would want to carry the proposed patch as a distro patch. So as long as polkit doesn't have direct support for this, apport should do as systemd does, and spawn pkttyagent (--fallback) itself.

I'll try quickly now to work on an initial patch for this.

Changed in policykit-1 (Ubuntu):
status: Triaged → Won't Fix
Iain Lane (laney) wrote :

See the attached branch, it's a fix for this in apport.

Iain Lane (laney) wrote :

(but I asked for some input there from an apport maintainer, it could be better than I did it)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu62

---------------
apport (2.20.11-0ubuntu62) hirsute; urgency=medium

  * apport/hookutils.py: spawn pkttyagent so that log files can be gathered as
    root in a non-graphical environment (LP: #1821415). Thanks to Iain Lane
    for the patch.
  * apport/hookutils.py: root access is needed to read the
    casper-md5check.json file so switch to using that. (LP: #1922937)
  * data/general-hooks/ubuntu.py: improving tagging of bugs from images we
    create so that they are tagged $arch-image and better identify Raspberry
    Pi devices (LP: #1920837). Thanks to Dave Jones for the patch.

 -- Brian Murray <email address hidden> Wed, 07 Apr 2021 13:14:04 -0700
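
The workaround discussed above (apport spawning pkttyagent with --fallback itself, as systemd does) and the cleanup concern under [Where Problems Could Occur], shown as an added Python example. It is not the patch that landed in apport/hookutils.py; the names pkttyagent_argv, tty_agent and run_as_root are assumptions, while the pkttyagent options are the ones documented in pkttyagent(1).

```python
import contextlib
import os
import select
import subprocess

# Added example; function names are illustrative, not apport's API.
def pkttyagent_argv(notify_fd, pid):
    # Options from pkttyagent(1); --fallback lets a session agent, if one
    # is registered, take precedence over this one.
    return ["pkttyagent", "--notify-fd", str(notify_fd), "--fallback",
            "--process", str(pid)]

def _stop(proc):
    """Terminate the agent and reap it so it is not left running."""
    if proc.poll() is None:
        proc.terminate()
        try:
            proc.wait(timeout=2)
        except subprocess.TimeoutExpired:
            proc.kill()
    proc.wait()

@contextlib.contextmanager
def tty_agent(make_argv=pkttyagent_argv, ready_timeout=5.0):
    """Yield a Popen for a registered tty polkit agent, or None if unavailable."""
    read_fd, write_fd = os.pipe()
    proc = None
    try:
        try:
            proc = subprocess.Popen(make_argv(write_fd, os.getpid()),
                                    pass_fds=(write_fd,))
        except OSError:
            pass  # agent binary missing: continue without one
        finally:
            os.close(write_fd)  # only the child holds the write end now
        if proc is not None:
            # The agent closes notify-fd once registered, so the read end
            # becoming readable (EOF) means "ready" or "exited early".
            ready, _, _ = select.select([read_fd], [], [], ready_timeout)
            if not ready or proc.poll() is not None:
                _stop(proc)
                proc = None
        yield proc
    finally:
        os.close(read_fd)
        if proc is not None:
            _stop(proc)

def run_as_root(argv, **agent_kwargs):
    """Run argv via pkexec with a tty agent available for the password prompt."""
    with tty_agent(**agent_kwargs):
        return subprocess.run(["pkexec", *argv], stdout=subprocess.PIPE, check=False)
```

When the with-block exits, normally or through an exception, the agent has been terminated and reaped, which is the condition the SRU test plan asks to confirm.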

Changed in apport (Ubuntu):
status: Triaged → Fix Released
description: updated
tags: removed: rls-hh-incoming
Changed in policykit-1 (Ubuntu Focal):
status: New → Won't Fix
Changed in policykit-1 (Ubuntu Groovy):
status: New → Won't Fix
Changed in apport (Ubuntu Focal):
status: New → In Progress
Changed in apport (Ubuntu Groovy):
status: New → In Progress
Changed in apport (Ubuntu Focal):
assignee: nobody → Brian Murray (brian-murray)
Changed in apport (Ubuntu Groovy):
assignee: nobody → Brian Murray (brian-murray)
Changed in apport (Ubuntu Focal):
importance: Undecided → Medium
Changed in apport (Ubuntu Groovy):
importance: Undecided → Medium
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Brian, or anyone else affected,

Accepted apport into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu50.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apport (Ubuntu Groovy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-groovy
Changed in apport (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hello Brian, or anyone else affected,

Accepted apport into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apport/2.20.11-0ubuntu27.17 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apport/2.20.11-0ubuntu27.17)

All autopkgtests for the newly accepted apport (2.20.11-0ubuntu27.17) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.11-0ubuntu27.17 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#apport

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Brian Murray (brian-murray) wrote :

With the version of apport from groovy-proposed this is now fixed.

bdmurray@clean-groovy-amd64:~$ apt-cache policy python3-apport
python3-apport:
  Installed: 2.20.11-0ubuntu50.6
  Candidate: 2.20.11-0ubuntu50.6
  Version table:
 *** 2.20.11-0ubuntu50.6 500
        500 http://192.168.10.7/ubuntu groovy-proposed/main amd64 Packages
        500 http://192.168.10.7/ubuntu groovy-proposed/main i386 Packages
        100 /var/lib/dpkg/status
bdmurray@clean-groovy-amd64:~$ ubuntu-bug plymouth

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
.....==== AUTHENTICATING FOR com.ubuntu.apport.root-info ===
Authentication is required to collect system information for this problem report
Authenticating as: Ubuntu,,, (bdmurray)
Password: .....
==== AUTHENTICATION COMPLETE ===

tags: added: verification-done-groovy
removed: verification-needed-groovy
Brian Murray (brian-murray) wrote :

With the version of apport from focal-proposed this is also now fixed.

bdmurray@clean-focal-amd64:~$ apt policy apport
apport:
  Installed: 2.20.11-0ubuntu27.17
  Candidate: 2.20.11-0ubuntu27.17
  Version table:
 *** 2.20.11-0ubuntu27.17 500
        500 http://192.168.10.7/ubuntu focal-proposed/main amd64 Packages
        500 http://192.168.10.7/ubuntu focal-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     2.20.11-0ubuntu27.16 500
        500 http://192.168.10.7/ubuntu focal-updates/main amd64 Packages
        500 http://192.168.10.7/ubuntu focal-updates/main i386 Packages
        500 http://192.168.10.7/ubuntu focal-security/main amd64 Packages
        500 http://192.168.10.7/ubuntu focal-security/main i386 Packages
     2.20.11-0ubuntu27 500
        500 http://192.168.10.7/ubuntu focal/main amd64 Packages
        500 http://192.168.10.7/ubuntu focal/main i386 Packages
bdmurray@clean-focal-amd64:~$ ubuntu-bug plymouth

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
.....==== AUTHENTICATING FOR com.ubuntu.apport.root-info ===
Authentication is required to collect system information for this problem report
Authenticating as: Ubuntu,,, (bdmurray)
Password: ....
==== AUTHENTICATION COMPLETE ===
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/share/apport/dump_acpi_tables.py' as the super user
Authenticating as: Ubuntu,,, (bdmurray)
Password: ....
==== AUTHENTICATION COMPLETE ===

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (apport/2.20.11-0ubuntu50.6)

All autopkgtests for the newly accepted apport (2.20.11-0ubuntu50.6) for groovy have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-release-upgrader/1:20.10.15 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/groovy/update_excuses.html#apport

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for apport has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu50.6

---------------
apport (2.20.11-0ubuntu50.6) groovy; urgency=medium

  * data/general-hooks/ubuntu.py: tag bugs from Raspberry Pi images and RISCV
    images appropriately. (LP: #1920837)
  * apport/hookutils.py: spawn pkttyagent so that log files can be gathered as
    root in a non-graphical environment (LP: #1821415). Thanks to Iain Lane
    for the patch.
  * apport/hookutils.py: root access is needed to read the
    casper-md5check.json file so switch to using that. (LP: #1922937)

 -- Brian Murray <email address hidden> Mon, 26 Apr 2021 12:45:36 -0700

Changed in apport (Ubuntu Groovy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.20.11-0ubuntu27.17

---------------
apport (2.20.11-0ubuntu27.17) focal; urgency=medium

  * data/general-hooks/ubuntu.py: tag bugs from Raspberry Pi images and RISCV
    images appropriately. (LP: #1920837)
  * apport/hookutils.py: spawn pkttyagent so that log files can be gathered as
    root in a non-graphical environment (LP: #1821415). Thanks to Iain Lane
    for the patch.
  * apport/hookutils.py: root access is needed to read the
    casper-md5check.json file so switch to using that. (LP: #1922937)

 -- Brian Murray <email address hidden> Mon, 26 Apr 2021 13:28:49 -0700

Changed in apport (Ubuntu Focal):
status: Fix Committed → Fix Released
Thomas (teclab-at) wrote :

I am still having this bug.

apport-cli --version
2.20.11

pkexec --version
pkexec version 0.105

user2@computer:~/cm$ pkexec bash
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/bash' as the super user
Multiple identities can be used for authentication:
 1. Administrator,,, (admin)
 2. ,,, (user1)
 3. ,,, (user2)
Choose identity to authenticate as (1-3): 3
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.
user2@computer:~/cm$
