policykit cannot grant special privileges from LDAP-identified administrators

Bug #781737 reported by Loïc Le Page on 2011-05-12
This bug affects 21 people
Affects: policykit-1 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: policykit-1

I use an LDAP server for centralized identification of local domain users and administrators on ubuntu client workstations.
Local identification is done through the PAM system using pam_ldap module.

When an application asks for special privileges through the policykit system, the list of domain administrators is correctly displayed and the privileged user's login/password is correctly checked against the pam_ldap.so module, but then polkit-agent-helper-1 cannot send back the authentication token to the DBus interface.

So remote administrators' identification and privilege escalation work well with local and remote groups, su, sudo and related tools (gksu, gksudo), but nothing ever works when privilege escalation goes through the policykit system.

It seems that the cause of this bug is in polkit-agent-helper-1.
This executable is setuid root to allow communication with DBus (needed to confirm authentication, if I've understood this part of the code well).
Unfortunately, during PAM verification some PAM modules may permanently revoke process credentials.
This is the case for the pam_ldap module (and maybe for other PAM modules too, but I only checked with this one).

Here is an explanation of what occurs in polkitagent/polkitagenthelper-pam.c.
Let's say that we try to get special privileges for user 1000 (who is local or remote, this changes nothing to the issue).
First we try with a local administrator account and then with a remote (LDAP) administrator account.

With the LOCAL administrator account:
- Before pam_authenticate() call, real uid is 1000, effective uid is 0 (polkit-agent-helper-1 is setuid root) and saved uid is 0.
- After pam_authenticate() call, all uids are the same because the local administrator account has been authorized through the pam_unix module and it has not changed process credentials.
As effective uid is still 0, call to send_dbus_message() works well and special privileges have been granted to user 1000.

With the REMOTE (LDAP) administrator account:
- Before pam_authenticate() call, real uid is 1000, effective uid is 0 and saved uid is 0.
- After pam_authenticate() call, real uid is 1000, effective uid is 1000 and saved uid is 1000. The remote administrator has been authorized through the pam_ldap module and this module has permanently revoked process credentials.
As effective uid is now different from 0, call to send_dbus_message() always fails and then it is impossible to grant privileges to user 1000.

I made a little patch that stores process credentials before PAM processing, then forces real uid to 0 to prevent PAM modules from revoking setuid root, and then restores previous process credentials after PAM processing.

I'm not sure this is the best way to resolve this issue, but it works well and it may be a good workaround until someone finds a better solution.
I don't think it causes further security issues either, as polkit-agent-helper-1 is already setuid root, but it may require further investigation on that particular subject.

This patch also corrects a memory leak at the end of conversation_function().

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: policykit-1 0.101-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-9.43-generic 2.6.38.4
Uname: Linux 2.6.38-9-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu May 12 16:14:52 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 LANGUAGE=fr_FR:en
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
SourcePackage: policykit-1
UpgradeStatus: Upgraded to natty on 2011-05-06 (6 days ago)
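
The credential sequence described in the report, as an added example (this is not polkit's code, nor the reporter's patch): a setuid-root helper starts with ruid=caller, euid=0, suid=0; a PAM module that switches to the real uid then wipes all three uids, and the helper can no longer act as root. The "PAM module" is a stand-in, assumed to call setuid(getuid()) as the report's before/after uids suggest, so no libpam is needed; uid 1000 is the example caller from the report. Built as root (or installed setuid root) the program shows the privileged path; unprivileged, it builds and runs but the demo step is skipped.

```c
/* Added example, not polkit's code. Models the credential problem the report
 * describes and the save/force-root/restore workaround the reporter outlines. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the build does not depend on _GNU_SOURCE ordering. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

struct creds { uid_t ruid, euid, suid; };

/* Snapshot real, effective and saved uid; 0 on success. */
int save_creds(struct creds *c) { return getresuid(&c->ruid, &c->euid, &c->suid); }

/* Put a snapshot back. Succeeds only while euid or suid is still 0,
 * or when nothing actually changes. */
int restore_creds(const struct creds *c) { return setresuid(c->ruid, c->euid, c->suid); }

/* Assumed model of what the reporter observed from pam_ldap: switch to the
 * real uid. With euid 0, setuid() changes ruid, euid AND suid, so root
 * cannot be regained afterwards. */
void fake_pam_module(void) { (void)setuid(getuid()); }

/* Unpatched flow: run the module as-is. Returns 1 if euid survived, 0 if not. */
int run_unguarded(void (*pam_step)(void)) {
    uid_t before = geteuid();
    pam_step();
    return geteuid() == before;
}

/* Reporter's workaround: while we hold root, make ruid 0 as well so a module's
 * setuid(getuid()) becomes a no-op, then restore the saved credentials.
 * Returns 1 if euid survived, 0 if not, -1 on a failed syscall. */
int run_guarded(void (*pam_step)(void)) {
    struct creds saved;
    if (save_creds(&saved) != 0) return -1;
    if (saved.euid == 0 && setresuid(0, 0, 0) != 0) return -1;
    pam_step();
    if (restore_creds(&saved) != 0) return -1;
    return geteuid() == saved.euid;
}

/* Emulate the helper being invoked by `caller` (needs euid 0): set
 * ruid=caller, euid=0, suid=0 exactly as a setuid-root binary would see.
 * Runs the guarded flow first (root survives), then the unguarded one
 * (root is lost for good). Returns 0 and fills *guarded/*unguarded,
 * or -1 if we are not root / lack CAP_SETUID. */
int demo_as_setuid_helper(uid_t caller, int *guarded, int *unguarded) {
    if (geteuid() != 0 || setresuid(caller, 0, 0) != 0) return -1;
    *guarded = run_guarded(fake_pam_module);     /* 1: euid still 0 */
    *unguarded = run_unguarded(fake_pam_module); /* 0: now ruid=euid=suid=caller */
    return 0;
}

int main(void) {
    struct creds c;
    if (save_creds(&c) != 0) return 1;
    printf("start: ruid=%u euid=%u suid=%u\n",
           (unsigned)c.ruid, (unsigned)c.euid, (unsigned)c.suid);
    int g = -2, u = -2;
    if (demo_as_setuid_helper(1000, &g, &u) == 0) {
        printf("guarded: euid survived=%d, unguarded: euid survived=%d\n", g, u);
        if (save_creds(&c) == 0)
            printf("end: ruid=%u euid=%u suid=%u (root gone)\n",
                   (unsigned)c.ruid, (unsigned)c.euid, (unsigned)c.suid);
    } else {
        printf("not root: run with sudo (or setuid root) to see the privilege loss\n");
    }
    return 0;
}
```

The thing to notice is the difference between seteuid()-style changes, which leave the saved uid alone and are reversible, and setuid() called with euid 0, which rewrites the saved uid as well; once a module does the latter, no amount of restoring from a snapshot taken earlier will help, which is why the workaround has to act before the module runs rather than after.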

Loïc Le Page (loic-le-page) wrote :
tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in policykit-1 (Ubuntu):
status: New → Confirmed
annunaki2k2 (russell-knighton) wrote :

Just to confirm, I have almost exactly the same set-up with LDAP user and an LDAP group of sysadmin etc. and everything else I have configured seems to work, however I always see in the authd.log the following:
Oct 1 13:05:53 bamboo polkit-agent-helper-1[3656]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser=russell rhost= user=russell
Oct 1 13:05:53 bamboo polkit-agent-helper-1[3656]: pam_ldap: error trying to bind as user "uid=russell,ou=people,dc=mps,dc=lan" (Invalid credentials)

this is despite knowing 100% that the credentials are in fact valid (after all, I log on with them just fine...)

I will try out the patch when I get a chance.

Tom Murphy (t-murphy) wrote :

I can verify this patch works on Ubuntu 11.10 amd64. I had the exact same problem. Policykit wouldn't authenticate me when I clicked unlock button. Now it works perfectly. This bug is a real show-stopper in rolling out LDAP to our Ubuntu desktops. Would be nice to get included in the next release of Ubuntu, or even a security update.

Jason Sharp (jsharp) wrote :

I know this is a slightly dead thread, but I'm experiencing the same thing

However, I'm having a problem applying the patch to test with. Some help would be nice! Thanks

Ubuntu 11.04 Natty is what I'm using

Loïc Le Page (loic-le-page) wrote :

The easiest way is to recompile the policykit-1 package so that you can install or uninstall the locally patched package using dpkg later on.

To do so you may follow this procedure:

1- Install development tools:
  sudo apt-get install devscripts build-essential

2- Check that source repositories are activated with apt. You can have it through the update manager parameters or by editing the /etc/apt/sources.list file. You should have a line like this:
  deb-src http://fr.archive.ubuntu.com/ubuntu/ natty main restricted
(well, I use the french mirror but your mirror depends on where you are)

3- Get policykit-1 source package and dependencies:
  cd /usr/local/src
  sudo apt-get update
  sudo apt-get source policykit-1
  sudo apt-get build-dep policykit-1

4- Copy the patch file to the policykit-1-0.101 folder and patch the source code:
  sudo cp /path/to/anti-rights-revocation.patch ./policykit-1-0.101
  cd policykit-1-0.101
  sudo patch -p1 < ./anti-rights-revocation.patch

5- Recompile the package:
  sudo debuild -us -uc -b
  cd ..

Here you are, all compiled packages are in /usr/local/src
You can install the patched policykit-1 package locally using dpkg:
  sudo dpkg -i /usr/local/src/policykit-1_0.101-1_amd64.deb

You don't need to install the other packages; they are identical to the default system packages, as we only patched the polkit-agent-helper-1 binary, which is included in the policykit-1_0.101-1_amd64.deb package.

Hope this will help.

Jason Sharp (jsharp) wrote :

This worked great! Thanks for the quick bit of info on compiling from src.

1 more small question... it builds the same version number as you download. How can I update the version number? This way it doesn't conflict when I add it to our internal repo.

Again, thanks for the help! cheers

Jason Sharp (jsharp) wrote :

Ok...so I was able to get the version updated using dch (debchange)

I tested on one of my users and the patch now authenticates LDAP users just great! Thanks

However, when they click cancel, polkit-agent-helper-1 hangs and never exits

Johan Zaxmy (johan-zaxmy) wrote :

Same problem with Ubuntu 11.10

Loïc Le Page (loic-le-page) wrote :

I have the same problem when clicking on Cancel.
polkit-agent-helper-1 hangs and must be killed from the console.

Does anyone know if Cancel hangs too when using the official non-patched version of the program?
If yes, I will investigate further how my patch could hang the program.
If no, this may be a different bug.

Jason Sharp (jsharp) wrote :

Any luck on the Cancel button? Or is this looking like another bug? I am able to use the cancel button just fine normally

Loïc Le Page (loic-le-page) wrote :

My previous patch is causing an access rights issue in the PAM conversation callback.
The program is stuck when fgets() is accessing stdin as setuid(0) right after the cancel button has been pressed.

I corrected it in the new patch associated with this post.
This is a cumulative patch which includes all modifications.

You can follow the exact same procedure as above to apply it.

Jason Sharp (jsharp) wrote :

Confirmed... this is now 100% functional (or at least as far as I have tested it)

I have only tested for 11.04 natty
I haven't tested on 11.10 oneiric, but if this was a problem in 11.10 I'm assuming it will work for 11.10 as it did for 11.04

Thanks for your help!

I still have the problem on 11.10. policykit-1 is at version 0.102-1 (oneiric).

Symptom:
Logged in as an LDAP user, user is member of "admin" local group as confirmed by the output of "groups". Cannot have update-manager, synaptic, etc. allow changes. From a terminal window, "sudo <command>" (with <command> being synaptic, etc.) executes all right.

Hi, I'm trying to apply the patch listed in comment #12 using the method in comment #6 and I'm getting this:

dave@somemachine:/usr/local/src/policykit-1-0.104$ sudo patch -p1 < ./anti-rights-revocation.patch
patching file src/polkitagent/polkitagenthelper-pam.c
Hunk #4 succeeded at 173 (offset -2 lines).
Hunk #5 succeeded at 227 (offset -4 lines).
Hunk #6 FAILED at 245.
Hunk #7 succeeded at 287 (offset -2 lines).
Hunk #8 succeeded at 334 (offset -2 lines).
1 out of 8 hunks FAILED -- saving rejects to file src/polkitagent/polkitagenthelper-pam.c.rej

Is this of any consequence? I'm on Ubuntu 12.04 x86.

I imagine the difference between versions of Ubuntu and therefore Policykit are causing this, as it will not build either. Can the patch please be updated for Ubuntu 12.04 x86? Without it I am still stuck with the behaviour I originally reported in bug https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/892680

polkitagenthelper-pam.c: In function ‘conversation_function’:
polkitagenthelper-pam.c:277:13: warning: statement with no effect [-Wunused-value]
polkitagenthelper-pam.c:290:21: error: ‘saved_credentials’ undeclared (first use in this function)
polkitagenthelper-pam.c:290:21: note: each undeclared identifier is reported only once for each function it appears in
make[5]: *** [polkit_agent_helper_1-polkitagenthelper-pam.o] Error 1
make[5]: Leaving directory `/usr/local/src/policykit-1-0.104/src/polkitagent'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/usr/local/src/policykit-1-0.104/src/polkitagent'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/usr/local/src/policykit-1-0.104/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/policykit-1-0.104'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/local/src/policykit-1-0.104'
dh_auto_build: make -j1 returned exit code 2
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
debuild: fatal error at line 1350:
dpkg-buildpackage -rfakeroot -D -us -uc -b failed

Loïc Le Page (loic-le-page) wrote :

Hi,

This is normal: the patch does not work with later versions of policykit, as the source code has changed and the patched lines are no longer at the same offset.

Here is an updated version of my patch adapted to the version 0.104 of policykit.

Hi Loïc,

Thanks very much for this, the patch now compiles cleanly. Unfortunately, it does not resolve my issue (there is no change at all) and I believe that https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/892680 has incorrectly been marked as a duplicate of this one. The critical piece of information is in the original first post for this bug:

"When an application asks for special privileges through the policykit system, the list of domain administrators is correctly displayed..."

I don't even see this - LDAP accounts are not displayed by policykit at all. I'll ask for my bug to be reopened.

Cheers,
Dave

Loïc Le Page (loic-le-page) wrote :

Hi Dave,

I'm not sure your issue is a bug in policykit.
It seems to be more likely a configuration issue.
It is quite tricky to configure SSO on Ubuntu, as you need to cleanly configure the LDAP client part of your workstation, the policykit system for rights elevation and PAM for authentication.

Take a look in /etc/polkit-1/localauthority.conf.d
You should have a file called 60-ldap.conf (the number may be different; it is just for ordering script execution) containing this text:

[Configuration]
AdminIdentities=unix-group:#####

with ##### the name of your domain/local administrators group. You can provide more than one group if you need to.

Check that your LDAP client and nsswitch can resolve this group and all accounts within (getent group).

Hope this helps ;)
Loïc
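
The two checks Loïc recommends above, as an added example (not from the report and not polkit's own code): parse the AdminIdentities line of a localauthority fragment, confirm that each unix-group:/unix-user: entry resolves through NSS, and for each group confirm that every listed member resolves to an account. It uses getgrnam()/getpwnam(), which go through the same nsswitch path as getent, so a group that this program cannot resolve is one polkit's local authority cannot resolve either. The sample line and the group names in it are constructed for the example.

```c
/* Added example, not polkit's code: resolve polkit AdminIdentities through NSS. */
#include <stdio.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>

#define MAX_IDS 16

struct identity { char kind[16]; char name[64]; };

/* Parse "AdminIdentities=unix-group:a;unix-user:b" into ids.
 * Returns the number of entries, or -1 if the line is not an AdminIdentities
 * line, an entry lacks the kind:name form, or a field does not fit. */
int parse_admin_identities(const char *line, struct identity *ids, int max) {
    static const char prefix[] = "AdminIdentities=";
    size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0) return -1;
    const char *p = line + plen;
    int n = 0;
    while (*p != '\0' && *p != '\n' && *p != '\r') {
        if (n == max) return -1;                 /* more entries than we can hold */
        size_t len = strcspn(p, ";\r\n");        /* one "kind:name" entry */
        const char *colon = memchr(p, ':', len);
        if (colon == NULL) return -1;            /* malformed: no kind:name */
        size_t klen = (size_t)(colon - p);
        size_t nlen = len - klen - 1;
        if (klen == 0 || klen >= sizeof ids[n].kind ||
            nlen == 0 || nlen >= sizeof ids[n].name) return -1;
        memcpy(ids[n].kind, p, klen);       ids[n].kind[klen] = '\0';
        memcpy(ids[n].name, colon + 1, nlen); ids[n].name[nlen] = '\0';
        n++;
        p += len;
        if (*p == ';') p++;
    }
    return n;
}

/* 1 if NSS resolves the identity, 0 if not, -1 for a kind we do not handle. */
int identity_resolves(const struct identity *id) {
    if (strcmp(id->kind, "unix-group") == 0) return getgrnam(id->name) != NULL;
    if (strcmp(id->kind, "unix-user") == 0)  return getpwnam(id->name) != NULL;
    return -1;
}

/* The "all accounts within" check for a group: number of listed members
 * that NSS cannot resolve to a user, or -1 if the group itself is unknown. */
int unresolved_members(const char *group) {
    struct group *g = getgrnam(group);
    if (g == NULL) return -1;
    int missing = 0;
    for (char **m = g->gr_mem; m != NULL && *m != NULL; m++)
        if (getpwnam(*m) == NULL) missing++;
    return missing;
}

int main(void) {
    /* Constructed sample line; the group names are examples, not from the report. */
    const char *line = "AdminIdentities=unix-group:sudo;unix-group:ldap-admins;unix-user:root\n";
    struct identity ids[MAX_IDS];
    int n = parse_admin_identities(line, ids, MAX_IDS);
    if (n < 0) { fprintf(stderr, "malformed AdminIdentities line\n"); return 1; }
    for (int i = 0; i < n; i++) {
        int r = identity_resolves(&ids[i]);
        printf("%s:%s -> %s\n", ids[i].kind, ids[i].name,
               r == 1 ? "resolves" : r == 0 ? "NOT FOUND (check nsswitch/LDAP client)"
                                             : "unknown identity kind");
        if (r == 1 && strcmp(ids[i].kind, "unix-group") == 0)
            printf("  members that do not resolve to a user: %d\n",
                   unresolved_members(ids[i].name));
    }
    return 0;
}
```

If a group resolves here but its LDAP members do not, the passwd map in nsswitch.conf is the place to look; if the group itself does not resolve, polkit will never show those administrators in the authentication dialog, which is the symptom Dave describes rather than the one this bug is about.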
