PolicyKit authentication error: Only trusted callers (e.g. uid 0) can use CheckAuthorization() and pass details

Bug #685655 reported by Connor Carney on 2010-12-05
46
This bug affects 6 people
Affects Status Importance Assigned to Milestone
PolicyKit GNOME
Expired
High
policykit-1-gnome (Ubuntu)
High
Unassigned

Bug Description

Binary package hint: indicator-datetime

When opening the time and date preferences (time-admin) from the date and time indicator in natty alpha 1, clicking the padlock icon to make changes does not show the authorization dialog. Instead, this error is logged:

polkitgtk-WARNING **: Error obtaining authorization for action id `org.freedesktop.systemtoolsbackends.set': GDBus.Error:org.freedesktop.PolicyKit1.Error.NotAuthorized: Only trusted callers (e.g. uid 0) can use CheckAuthorization() and pass details

The date and time can be edited by launching time-admin with gksudo, but the indicator does not launch it that way.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: indicator-datetime 0.0.6-0ubuntu3
ProcVersionSignature: Ubuntu 2.6.37-5.14-generic-pae 2.6.37-rc2
Uname: Linux 2.6.37-5-generic-pae i686
Architecture: i386
Date: Sun Dec 5 14:24:19 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: indicator-datetime

Connor Carney (cscarney) wrote :
affects: indicator-datetime (Ubuntu) → gnome-system-tools (Ubuntu)
Milan Bouchet-Valat (nalimilan) wrote :

Thanks for the report. Please run
sudo killall polkitd; sudo /usr/lib/policykit-1/polkitd
And reproduce the problem. Then, copy/paste the output of the above command here.

Also, what's the output of
apt-cache policy libpolkit-gobject-1-0 libpolkit-gtk-1-0

Changed in gnome-system-tools (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
summary: - date and time preferences cannot be edited when launched from the
- indicator
+ Polickit authentication error: Only trusted callers (e.g. uid 0) can use
+ CheckAuthorization() and pass details

Oh, and are you able for example to install software upgrades using updates-manager? Are you able to authenticate from from System->Administration->Network connections?

summary: - Polickit authentication error: Only trusted callers (e.g. uid 0) can use
- CheckAuthorization() and pass details
+ PolicyKit authentication error: Only trusted callers (e.g. uid 0) can
+ use CheckAuthorization() and pass details
Connor Carney (cscarney) wrote :

Output of polkitd when trying to authenticate in time-admin (the password dialog is never displayed):

** (polkitd:1752): DEBUG: system-bus-name::1.56 is inquiring whether unix-process:2283:1752924 is authorized for org.freedesktop.systemtoolsbackends.set
** (polkitd:1752): DEBUG: user of caller is unix-user:connor
** (polkitd:1752): DEBUG: user of subject is unix-user:connor

Authenticating in nm-connection-editor works as expected, and polkitd logs this instead:

** (polkitd:15480): DEBUG: system-bus-name::1.4 is inquiring whether system-bus-name::1.103 is authorized for org.freedesktop.network-manager-settings.system.modify
** (polkitd:15480): DEBUG: user of caller is unix-user:root
** (polkitd:15480): DEBUG: user of subject is unix-user:connor
** (polkitd:15480): DEBUG: checking whether system-bus-name::1.103 is authorized for org.freedesktop.network-manager-settings.system.modify
** (polkitd:15480): DEBUG: 0xb6902e60
** (polkitd:15480): DEBUG: subject is in session /org/freedesktop/ConsoleKit/Session5 (local=1 active=1)
** (polkitd:15480): DEBUG: challenge (implicit_authorization = auth_admin_keep)
** (polkitd:15480): DEBUG:
** (polkitd:15480): DEBUG: using authentication agent for challenge
** (polkitd:18202): DEBUG: In authentication_agent_response for cookie 'cookie0' and identity unix-user:connor
** (polkitd:18202): DEBUG: Authentication complete, is_authenticated = 1
** (polkitd:18202): DEBUG: In check_authorization_challenge_cb
  subject system-bus-name::1.103
  action_id org.freedesktop.network-manager-settings.system.modify
  authentication_success 1

apt-cache policy libpolkit-gobject-1-0 libpolkit-gtk-1-0 produces:

libpolkit-gobject-1-0:
  Installed: 0.99-1
  Candidate: 0.99-1
  Version table:
 *** 0.99-1 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status
libpolkit-gtk-1-0:
  Installed: 0.99-1ubuntu1
  Candidate: 0.99-1ubuntu1
  Version table:
 *** 0.99-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status

Milan Bouchet-Valat (nalimilan) wrote :

You mean there's nothing else printed than:
** (polkitd:1752): DEBUG: system-bus-name::1.56 is inquiring whether unix-process:2283:1752924 is authorized for org.freedesktop.systemtoolsbackends.set
** (polkitd:1752): DEBUG: user of caller is unix-user:connor
** (polkitd:1752): DEBUG: user of subject is unix-user:connor

when you click on time-admin's lock button?!

What if you run:
export PID=`pidof gnome-settings-daemon`
pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process $PID

It looks like PolicyKit doesn't allow a non-root user to check for authorizations; or polkit-gtk passes details that are not allowed for a non-root user.

Connor Carney (cscarney) wrote :

That's the only output from polkitd when I click the lock button.

The pkcheck command shows the authentication dialog, then outputs:

polkit\56temporary_authorization_id=tmpauthz0

Connor Carney (cscarney) wrote :
Download full text (8.2 KiB)

Polkit outputs a LOT of stuff from that command:

** (polkitd:2138): DEBUG: system-bus-name::1.66 is inquiring whether unix-process:1647:4313 is authorized for org.freedesktop.systemtoolsbackends.set
** (polkitd:2138): DEBUG: user of caller is unix-user:connor
** (polkitd:2138): DEBUG: user of subject is unix-user:connor
** (polkitd:2138): DEBUG: checking whether unix-process:1647:4313 is authorized for org.freedesktop.systemtoolsbackends.set

** (polkitd:2138): WARNING **: skipping unknown tag <_description> at line 15

** (polkitd:2138): WARNING **: skipping unknown tag <_message> at line 16

** (polkitd:2138): WARNING **: skipping unknown tag <_description> at line 12

** (polkitd:2138): WARNING **: skipping unknown tag <_message> at line 13

** (polkitd:2138): WARNING **: skipping unknown tag <_description> at line 21

** (polkitd:2138): WARNING **: skipping unknown tag <_message> at line 22

** (polkitd:2138): WARNING **: skipping unknown tag <_description> at line 30

** (polkitd:2138): WARNING **: skipping unknown tag <_message> at line 31

** (polkitd:2138): WARNING **: skipping unknown tag <_description> at line 39

** (polkitd:2138): WARNING **: skipping unknown tag <_message> at line 40
** (polkitd:2138): DEBUG: 0x875fc90
** (polkitd:2138): DEBUG: subject is in session /org/freedesktop/ConsoleKit/Session2 (local=1 active=1)
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/10-vendor.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/10-vendor.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/20-org.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/20-org.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/30-site.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/30-site.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/50-local.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/50-local.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/90-mandatory.d'
** (polkitd:2138): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/90-mandatory.d'
** (polkitd:2138): DEBUG: challenge (implicit_authorization = auth_admin_keep)
** (polkitd:2138): DEBUG:
** (polkitd:2138): DEBUG: using authentication agent for challenge
** (polkitd:2138): DEBUG: In authentication_agent_response for cookie 'cookie0' and identity unix-user:connor
** (polkitd:2138): DEBUG: Authentication complete, is_authenticated = 1
** (polkitd:2138): DEBUG: In check_authorization_challenge_cb
  subject unix-process:1647:4313
  action_id org.freedesktop.systemtoolsbackends.set
  authentication_success 1

** (polkitd:2138): DEBUG: system-bus-name::1.5 is inquiring whether system-bus-name::1.29 is authorized for org.freedesktop.NetworkManager.use-user-connections
** (polkitd:2...

Read more...

Milan Bouchet-Valat (nalimilan) wrote :

Thanks. So everything works but the lock buttton, which means it's a bug in polkit-gnome. The good news is, I'm going to stop using it in the gnome-system-tools before the next release since it's not compatible with GTK+ 3. We still need to find out what's going wrong, though - I'll try to get more info from PolicyKit's author.

affects: gnome-system-tools (Ubuntu) → policykit-gnome (Ubuntu)
Changed in policykit-gnome (Ubuntu):
status: Incomplete → Triaged
Changed in policykit-gnome (Ubuntu):
importance: Medium → High
affects: policykit-gnome (Ubuntu) → policykit-1-gnome (Ubuntu)
Milan Bouchet-Valat (nalimilan) wrote :

Could you run
G_DBUS_DEBUG=message time-admin
then try to unlock the dialog, and post the output here? Thanks in advance!

Upstream author says polkit-gtk doesn't pass details to polkitd, so this bug is weird. Anyway, details are not supposed to be passed.

Dmitry Shachnev (mitya57) wrote :

Ok.
All this output (except the last lines) was produced before I clicked the unlock icon.

Thanks for the quick reply. It seems it's an Ubuntu patch that adds details to match the authentication dialog with its parent window. This is no longer allowed by polkitd. I can't find this patch in the repositories, but it really seems it's applied, and we need to get rid of it.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1-gnome - 0.99-1ubuntu2

---------------
policykit-1-gnome (0.99-1ubuntu2) natty; urgency=low

  * debian/patches/03-dialog-focus.patch:
    - Dropped patch, as PolicyKit does not allow non-root applications to set
      details (LP: #685655)
 -- Robert Ancell <email address hidden> Mon, 20 Dec 2010 11:43:46 +1100

Changed in policykit-1-gnome (Ubuntu):
status: Triaged → Fix Released
Changed in policykit-1-gnome:
importance: Unknown → High
status: Unknown → In Progress
Changed in policykit-1-gnome:
status: In Progress → Expired
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.