PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)

Bug #1510824 reported by Dariusz Gadomski on 2015-10-28
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
PolicyKit
Fix Released
Medium
policykit-1 (Ubuntu)
Medium
Dariusz Gadomski
Trusty
Medium
Unassigned
Vivid
Medium
Unassigned
Wily
Medium
Unassigned

Bug Description

[Impact]

 * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level.

 * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed.

* The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules.

[Test Case]

 * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module).

 * Perform a polkit authorization with e.g. pkexec ls

 * Correct authorization should end with a failure with an unrecognized PAM message

[Regression Potential]

 * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component.

* Fix is a backport of an upstream change.

[Other Info]

 * Original bug description:

There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication).

Steps to reproduce:
1. Configure pam_vas client authenticating to a remote server.
2. Perform authentication to cache the credentials.
3. Disconnect from the network where the server is reachable (to force using cached information).
4. Perform an action requiring polkit authentication.

Expected result:
Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Actual result:
Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Probable cause:
The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output:
PAM_TEXT_INFO You have logged in using cached account information. Some network services
will be unavailable.

The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: policykit-1 0.105-4ubuntu2.14.04.1
ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18
Uname: Linux 3.16.0-52-generic x86_64
NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl
ApportVersion: 2.14.1-0ubuntu3.18
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Oct 28 09:01:37 2015
InstallationDate: Installed on 2015-04-13 (197 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
SourcePackage: policykit-1
UpgradeStatus: No upgrade log present (probably fresh install)

Dariusz Gadomski (dgadomski) wrote :
Changed in policykit-1 (Ubuntu):
assignee: nobody → Dariusz Gadomski (dgadomski)
description: updated
summary: - PolkitAgentSession ignores multiline output (with pam_vas)
+ PolkitAgentSession incorrectly handles multiline output (with pam_vas)
description: updated
summary: - PolkitAgentSession incorrectly handles multiline output (with pam_vas)
+ PolkitAgentSession incorrectly handles multiline output (as observed
+ with pam_vas)

There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication).

Steps to reproduce:
1. Configure pam_vas client authenticating to a remote server.
2. Perform authentication to cache the credentials.
3. Disconnect from the network where the server is reachable (to force using cached information).
4. Perform an action requiring polkit authentication.

Expected result:
Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Actual result:
Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Probable cause:
The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output:
PAM_TEXT_INFO You have logged in using cached account information. Some network services
will be unavailable.

The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization.

Created attachment 119534
Tested patch fixing the issue

Thanks for the patch.

Yes, this is the correct thing to do (polkitagentsession.c:io_watch_have_data is always calling g_strcompress()).

Having the same newline handling and escaping code in three places seems too ugly and unnecessary, though. Would you be willing to update the patch so that polkitagenthelper-pam.c uses the send_to_helper function throughout (modified to do the escaping as necessary), or at least to test such an updated patch?

Changed in policykit-1:
importance: Unknown → Medium
status: Unknown → Incomplete

Miroslav, thanks for taking a look.

Sure, I can improve the patch. I'll attach the new version as soon as it's done.

Created attachment 119643
Refactoring to use send_to_helper

I have refactored the code to make use of send_to_helper instead of duplicating the code.

I've chosen to apply it on top of the previous change to keep 2 different actions (escaping PAM_TEXT_INFO and refactoring) on the same step.

I have done sanity testing to make sure everything works as expected.

Typo, what I've meant in the above comment is that I wanted to avoid doing 2 different actions in the same commit.

Changed in policykit-1:
status: Incomplete → Confirmed

Created attachment 119702
Refactoring to use send_to_helper

Perfect. Committed, thank you!

Changed in policykit-1:
status: Confirmed → Fix Released
description: updated
description: updated
Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for Xenial.

Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for wily.

Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for vivid.

Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for trusty.

Changed in policykit-1 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Vivid):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Wily):
status: New → Triaged
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

Daniel uploaded the SRUs already. I'm committing the fix to Debian so that for xenial we can stay in sync.

Thanks Dariusz!

Removing sponsor subscription.

Changed in policykit-1 (Ubuntu Trusty):
status: Triaged → In Progress
Changed in policykit-1 (Ubuntu Vivid):
status: Triaged → In Progress
Changed in policykit-1 (Ubuntu Wily):
status: Triaged → In Progress
Martin Pitt (pitti) on 2015-11-23
Changed in policykit-1 (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-13ubuntu1

---------------
policykit-1 (0.105-13ubuntu1) xenial; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 14:44:23 +0100

Changed in policykit-1 (Ubuntu):
status: Fix Committed → Fix Released

Hello Dariusz, or anyone else affected,

Accepted policykit-1 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/policykit-1/0.105-4ubuntu3.14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in policykit-1 (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in policykit-1 (Ubuntu Vivid):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Dariusz, or anyone else affected,

Accepted policykit-1 into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/policykit-1/0.105-8ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in policykit-1 (Ubuntu Wily):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Dariusz, or anyone else affected,

Accepted policykit-1 into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/policykit-1/0.105-11ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Istvan (bergkatten) wrote :

 Hi,

I can confirm this works on trusty with pam authenticating with QAS4 in offline mode.

Cheers,
/István

Martin Pitt (pitti) on 2015-11-25
tags: added: verification-done-trusty
Dariusz Gadomski (dgadomski) wrote :

I have prepared a 'broken' pam_unix version printing a multiline text info if it detects the PAM_SERVICE name is polkit-1.
This allows to reproduce the issue and verify the fix.

I've made this broken version available for Vivid and Wily in ppa:dgadomski/lp1510824 and performed the verification for those releases.

In both cases the fix solves the problem and I haven't observed any regressions. Updating tags.

tags: added: verification-done
removed: verification-done-trusty verification-needed

The verification of the Stable Release Update for policykit-1 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-8ubuntu5

---------------
policykit-1 (0.105-8ubuntu5) vivid; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 15:30:03 +0100

Changed in policykit-1 (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-11ubuntu3

---------------
policykit-1 (0.105-11ubuntu3) wily; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 15:24:53 +0100

Changed in policykit-1 (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-4ubuntu3.14.04.1

---------------
policykit-1 (0.105-4ubuntu3.14.04.1) trusty; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 15:36:30 +0100

Changed in policykit-1 (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.