New PolicyKit 0.106 changes configuration file format

Bug #1086783 reported by Marc Deslauriers
This bug affects 4 people
Affects                Status         Importance   Assigned to   Milestone
policykit-1 (Debian)   Fix Released   Unknown
policykit-1 (Ubuntu)                  Medium       Unassigned

Bug Description

From the NEWS file:

This is polkit 0.106. There's a major change in this release which is
a switch from .pkla files (keyfile-format) to .rules files
(JavaScript).

We may want to hold off on the new version because it requires rewriting the configuration files, and adds a dependency on mozjs185, which will need a MIR (and getting a MIR may be problematic).

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
Changed in policykit-1 (Debian):
status: Unknown → New
Changed in policykit-1 (Debian):
status: New → Fix Released
Revision history for this message
Jackson Doak (noskcaj) wrote :

version 0.110-3 is now in debian experimental and upstream is at 0.111. Should we wait for debian to call it "polkit" or merge it now?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Do not merge this for now. It is unlikely we will allow an insecure library such as mozjs185 to be included in main, especially for something as security-sensitive as policykit.

Changed in policykit-1 (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Revision history for this message
Leonardo Borda (lborda) wrote :

@mdeslaur

Hi, any chance we can revisit this use case again and add mozjs185 through the MIR process for newer Ubuntu versions?

Thank you

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

mozjs hasn't gotten any security updates in _years_, so no, we're not going to be able to support that package in main.

Revision history for this message
Nathan Rennie-Waldock (nathan-renniewaldock) wrote :

Could policykit be updated if it was ported to mozjs45?
It would be good if we could see it updated eventually as the JavaScript rules are much more flexible (one use would be restricting users to specific domains with libvirt).

tags: added: version-blocked
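The bug description says polkit 0.106 replaced keyfile-format .pkla files with JavaScript .rules files, and the comment above gives the motivating use case (per-domain libvirt restrictions). The block below is an added illustration written for this page, not polkit's own code or anything from the bug thread: it contains a tiny stand-in for the `polkit` JavaScript object that polkitd exposes to rules (modelled on the documented polkit(8) API, which is an assumption here), a .pkla rule quoted in a comment, the equivalent .rules code, and a second rule that the keyfile format could not express. The action id `org.libvirt.api.domain.start` and the `domain_name` attribute are illustrative and loosely follow libvirt's access-control driver; they are not taken from this page. All subjects and actions are constructed inline.

```javascript
// Added example: a minimal model of how polkit evaluates JavaScript .rules.
// The `polkit` object is an assumption standing in for the real one inside
// polkitd; it implements only the subset the rules below need.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Rules run in the order they were added; the first one returning a
  // non-null value decides. If none does, the action's defaults apply
  // (modelled here as NOT_HANDLED).
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== null && r !== undefined) return r;
    }
    return polkit.Result.NOT_HANDLED;
  },
};

// Constructed stand-ins for polkit's Subject and Action objects.
function makeSubject({ user, groups = [], local = true, active = true }) {
  return { user, local, active, isInGroup(g) { return groups.includes(g); } };
}
function makeAction(id, props = {}) {
  // action.lookup(key) returns an attribute the mechanism attached to the check.
  return { id, lookup(key) { return props[key]; } };
}

// Old keyfile (.pkla) form of the first rule, for comparison:
//   [Allow group libvirt to manage libvirt]
//   Identity=unix-group:libvirt
//   Action=org.libvirt.unix.manage
//   ResultAny=no
//   ResultInactive=no
//   ResultActive=yes
//
// The same policy as a .rules file: group members on a local, active
// session may manage libvirt.
polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.isInGroup("libvirt") && subject.local && subject.active) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});

// What the keyfile format cannot say: the decision depends on an attribute
// of the specific request (here the domain being started). Action id and
// attribute name are illustrative, not from the page.
const DOMAIN_OWNERS = { "build-vm": "alice", "test-vm": "bob" }; // constructed
polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.api.domain.start") {
    const owner = DOMAIN_OWNERS[action.lookup("domain_name")];
    return owner === subject.user ? polkit.Result.YES : polkit.Result.NO;
  }
  return polkit.Result.NOT_HANDLED;
});

// Evaluate a few constructed checks; returns the decisions for inspection.
function runChecks() {
  const alice = makeSubject({ user: "alice", groups: ["libvirt"] });
  const bob = makeSubject({ user: "bob", groups: [] });
  const remoteAlice = makeSubject({ user: "alice", groups: ["libvirt"], local: false });
  return {
    aliceManage: polkit.evaluate(makeAction("org.libvirt.unix.manage"), alice),
    remoteManage: polkit.evaluate(makeAction("org.libvirt.unix.manage"), remoteAlice),
    aliceOwnVm: polkit.evaluate(
      makeAction("org.libvirt.api.domain.start", { domain_name: "build-vm" }), alice),
    bobOthersVm: polkit.evaluate(
      makeAction("org.libvirt.api.domain.start", { domain_name: "build-vm" }), bob),
    unrelated: polkit.evaluate(makeAction("org.freedesktop.example.other"), bob),
  };
}

console.log(runChecks());
```

The trade-off the thread is about is visible in the second rule: the per-domain decision needs a general-purpose interpreter inside a setuid-adjacent daemon, which is why the availability of security updates for that interpreter (mozjs185 in the description, mozjs45/mozjs60 or duktape in later comments) drives whether the new format can be shipped in main.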
Revision history for this message
Robert Ancell (robert-ancell) wrote :

An update on the current state of this:
- polkit upstream currently depends on mozjs60
- mozjs60 is in main, but only for the use of GNOME Shell.
- The current polkit Debian/Ubuntu package has 61 patches in it, backporting lots of changes from version 106 to 116.
- There are upstream requests for running polkit without a JS interpreter.
- There is an open MR to switch from mozjs to duktape (https://gitlab.freedesktop.org/polkit/polkit/merge_requests/35).
- Debian experimental has polkit 116 packaged (i.e. with JS backend).
- I've made a proof of concept branch which reinstates the local backend (https://gitlab.freedesktop.org/rancell/polkit/tree/traditional-backend) which works.

It's desirable that we run the latest version in Debian/Ubuntu, which requires one of:
- We re-assess the use of mozjs and decide if it's acceptable in this case.
- We support the switch from mozjs to duktape if that's a safer option.
- We propose the old local backend upstream as an alternative to the JS backend.
- We carry the local backend as a patch on upstream.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

I've made a forum post asking for feedback from users of polkit in Ubuntu (https://discourse.ubuntu.com/t/use-of-javascript-rules-in-polkit/13892). If you have comments please add them there instead of this bug.

Revision history for this message
Sebastien Bacher (seb128) wrote :

@Robert, I would start by getting the security team's input on using mozjs or duktape, if it's a no go from their side then we know what are our options.
