libpolkit requires files from policykit for polkit_context_init to work

Bug #275432 reported by Tomas Cassidy on 2008-09-28
62
This bug affects 4 people
Affects Status Importance Assigned to Milestone
ConsoleKit
Fix Released
Medium
PolicyKit
Invalid
Medium
consolekit (Ubuntu)
High
Martin Pitt
Intrepid
Undecided
Unassigned
Jaunty
High
Martin Pitt
policykit (Debian)
Fix Released
Unknown
policykit (Ubuntu)
High
Unassigned
Intrepid
Undecided
Unassigned
Jaunty
High
Unassigned

Bug Description

I just noticed this error while reading through syslog after upgrading from 8.04.1 to Intrepid.

Sep 28 22:10:01 acheron console-kit-daemon[13695]: CRITICAL: cannot initialize libpolkit

see https://bugs.edge.launchpad.net/ubuntu/+source/consolekit/+bug/275432/comments/16
for an explanation

Related branches

James Westby (james-w) wrote :

Hi,

I wonder if this was just a temporary thing caused by the upgrade.
Does this message show up only once? If you reboot does it
appear again?

Thanks,

James

Changed in consolekit:
status: New → Incomplete
Tomas Cassidy (tomas-cassidy) wrote :

I just read the syslog for today and I noticed that the message is appearing approximately every 10 minutes.

James Westby (james-w) wrote :

Hi,

I assume you've rebooted since the upgrade?

Are you able to use policykit from other applications? Does
polkit-auth work for you? System->Administration->Users and Groups?

Thanks,

James

Tomas Cassidy (tomas-cassidy) wrote :

I should have mentioned earlier in the summary that I'm running Ubuntu Server, so I'm not entirely sure where policykit is used (if at all). As for the first question, I have rebooted many times since the upgrade and see the message every time.

James Westby (james-w) wrote :

Hi,

Thanks for the clarification, could you please find out which policykit
packages you have installed?

  dpkg -l \*polkit\* \*policykit\*

Thanks,

James

$ dpkg -l \*polkit\* \*policykit\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii libpolkit2 0.9-1ubuntu2 library for accessing PolicyKit
No packages found matching *policykit*.

apt-get install policy-kit will fix that up for you. Not sure why intrepid needs it and hardy does not. Also running server edition on my end.

Tomas Cassidy (tomas-cassidy) wrote :

I can confirm that installing "policykit" appears to resolve the issue. I haven't noticed the error since installing this package. If the policykit package is required by Intrepid, it should be added as a dependency to one of the metapackages.

Matt Jamison (oneloveamaru) wrote :

Hardy has the console-kit-daemon installed by default but does not need the policykit to run without errors in the syslog. With Intrepid, it has the console-kit-daemon installed by default and writes errors to the syslog WITHOUT policykit installed. I do not believe policykit is a dependency of console-kit-daemon, it may just be a library it needs. When I get to work monday, I will look into it more, since I have a hardy and intrepid server up and running now.

James Westby (james-w) wrote :

Hi,

Can you kill any running console-kit-daemon processes and
then launch one with

  POLKIT_DEBUG=1

in the environment (bear in mind that sudo will strip this, so
doing it from a "sudo -s" shell would be better).

This should help pinpoint the problem.

In Intrepid consolekit now depends on policykit, but I would
assume that libpolkit would be sufficient. I'm interested why
it doesn't seem to be.

Thanks,

James

Matt Jamison (oneloveamaru) wrote :

With a fresh new installation of Intrepid today, console-kit is installed and policykit is not, so how is policykit a dependency of console-kit?

Also, libpolkit is not installed by default on Intrepid, nor is it installed by default on Hardy.

I ran console-kit-daemon with POLKIT_DEBUG=1 but I get nothing extra in my syslog or daemon.log but syslog:Oct 6 16:53:55 ubuntu console-kit-daemon[18563]: CRITICAL: cannot initialize libpolkit

Something else you would like me to try?

I noticed that I had a console-kit-daemon process running so I killed
that. This was before I uninstalled policykit for this test. After
uninstalling policykit (libpolkit2 still installed), I was unable to
start the console-kit-daemon process from a "sudo -s" shell. The same
error message was appearing in syslog each time I tried to start the
process.

Oct 7 09:26:53 ubuntu console-kit-daemon[20399]: CRITICAL: cannot
initialize libpolkit

After reinstalling policykit, the console-kit-daemon process started fine.

Matt,

  apt-cache show consolekit | grep Depends
  Depends: ..., libpolkit2 (>= 0.7), ...

I meant that it depends on "policykit" the project, the software,
the abstract, the package depends on libpolkit2, as you can see.

Thanks both of you for trying to debug this. I don't have any
more suggestions at this moment.

Thanks,

James

Matt Jamison (oneloveamaru) wrote :

OK, I understand now. When you have more suggestions, let me know.

James Westby (james-w) wrote :

Hi,

We can narrow down which part of policykit makes this work by installing
it a bit at a time.

Please uninstall policykit such that you have just libpolkit2 installed and
you get the error. Then please find which of the following packages (or
combination thereof) makes consolekit work:

libpolkit-dbus2
libpolkit-grant2
policykit

That will hopefully give us a clue as to what is going on here.

Thanks,

James

James Westby (james-w) wrote :

Hi,

Don't worry about testing, I think I've got it. If you were to perform that test
I think you would find that only installing policykit would fix it.

The problem appears to be this:

src/polkit/polkit-context.c has this:

                /* Watch the /etc/PolicyKit/PolicyKit.conf file */
                pk_context->inotify_config_wd = inotify_add_watch (pk_context->inotify_fd,
                                                                   PACKAGE_SYSCONF_DIR "/PolicyKit/PolicyKit.conf",
                                                                   IN_MODIFY | IN_CREATE | IN_ATTRIB);
                if (pk_context->inotify_config_wd < 0) {
                        polkit_debug ("failed to add watch on file '" PACKAGE_SYSCONF_DIR "/PolicyKit/PolicyKit.conf': %s",
                                   strerror (errno));
                        /* TODO: set error */
                        goto error;
                }

and similar for /var/lib/misc/Policykit.reload.

You can't set an inotify watch on a non-existent file, and these files
are shipped as part of the policykit package.

Therefore currently libpolkit2 requires files from the policykit file to operate,
but doesn't depend on the package.

The inotify_add_watch calls have IN_CREATE, hinting to me that it intends it
to work if they don't exist, but this doesn't have the intended effect. Therefore
I will report this issue upstream.

As well as fixing this in that fashion we can fix it in the packaging, at least
temporarily. However, I can't really think of a way of doing that that doesn't have
headaches.

I'll notify the server team of this.

Thanks,

James

Changed in consolekit:
importance: Undecided → High
status: Incomplete → Triaged
description: updated
James Westby (james-w) wrote :

I just checked fedora's packaging of this (the packaging was originally done
by the policykit author), and they just have one big policykit package, rather
than the split we have.

Perhaps we should follow suit, though I don't know if this would suit the server
team.

Thanks,

James

James Westby (james-w) wrote :

Tomas, Matt,

I'm interested in how you ended up with consolekit installed, do you know?

"aptitude why consolekit" should help with that.

Thanks,

James

Matt Jamison (oneloveamaru) wrote :

I can tell you what it told me but I know it's wrong.

root@:~# aptitude why consolekit
i policykit Depends consolekit

I didn't install policykit until after I got these errors in my syslog. Consolekit came installed with ubuntu server. When I installed it, I did not tell it to install anything extra. I did the bare minimum it would let me.

I seem to be getting the same results as Matt. I didn't install the
policykit package until after I noticed these errors. My install of
Intrepid was upgraded from a new install of 8.04.

James Westby (james-w) wrote :

On Tue, 2008-10-07 at 22:32 +0000, TomasCassidy wrote:
> I seem to be getting the same results as Matt. I didn't install the
> policykit package until after I noticed these errors. My install of
> Intrepid was upgraded from a new install of 8.04.
>

Yeah, sorry guys, I'm assuming you ran the "why" command with
"policykit" installed. Un-installing that once more may give
a better answer.

Thanks,

James

Matt Jamison (oneloveamaru) wrote :

with policy kit uninstalled...

root:~# aptitude why consolekit
i dbus Depends consolekit (>= 0.2.3-3ubuntu2)

James Westby (james-w) wrote :

On Wed, 2008-10-08 at 00:13 +0000, Matt Jamison wrote:
> with policy kit uninstalled...
>
> root:~# aptitude why consolekit
> i dbus Depends consolekit (>= 0.2.3-3ubuntu2)
>

Thanks. It doesn't give a reason for dbus, suggesting that you
installed it yourself, is that the case? Does it give one
if you ask it why dbus is installed?

Thanks,

James

Tomas Cassidy (tomas-cassidy) wrote :

tom@ubuntu:~$ aptitude why consolekit
i dbus-x11 Depends dbus
i A dbus Depends consolekit (>= 0.2.3-3ubuntu2)
tom@ubuntu:~$ aptitude why dbus
i dbus-x11 Depends dbus
tom@ubuntu:~$ aptitude why dbus-x11
i libdbus-1-3 Recommends dbus
i A dbus Recommends dbus-x11
tom@ubuntu:~$ aptitude why libdbus-1-3
i wpasupplicant Depends libdbus-1-3 (>= 1.1.1)
tom@ubuntu:~$ aptitude why wpasupplicant
i ubuntu-minimal Depends wpasupplicant

I can't seem to recall whether I manually installed dbus myself when
the system was on 8.04.

Tomas Cassidy (tomas-cassidy) wrote :

After searching through the output of "apt-cache rdepends dbus", it looks like it was installed when I installed the 'avahi-daemon' package in 8.04.

Hi,

In

  https://bugs.launchpad.net/bugs/275432

two users reported they were getting errors from consolekit:

  CRITICAL: cannot initialize libpolkit

This was found to be because they had only libpolkit2 installed,
and not the policykit package, as Debian, and hence Ubuntu, splits
the packages.

consolekit reports this error on a failure from polkit_context_init.
That function includes code like

                /* Watch the /etc/PolicyKit/PolicyKit.conf file */
                pk_context->inotify_config_wd = inotify_add_watch (pk_context->inotify_fd,
                                                                   PACKAGE_SYSCONF_DIR "/PolicyKit/PolicyKit.conf",
                                                                   IN_MODIFY | IN_CREATE | IN_ATTRIB);
                if (pk_context->inotify_config_wd < 0) {
                        polkit_debug ("failed to add watch on file '" PACKAGE_SYSCONF_DIR "/PolicyKit/PolicyKit.conf': %s",
                                   strerror (errno));
                        /* TODO: set error */
                        goto error;
                }

if the conf file is not present then the inotify_add_watch call fails
with ENOENT, and so polkit returns an error.

This then causes a problem on minimal debian based systems that only
have libpolkit installed, and not the policykit package that contains
these files. It will also fail if, e.g.the PolicyKit.reload file is
deleted.

It may be that the files are required for the library to work, and so
this is a packaging problem, but I'm not convinced that is the case
for two reasons. Firstly,

                pk_context->config = polkit_config_new (PACKAGE_SYSCONF_DIR "/PolicyKit/PolicyKit.conf", pk_error);
                /* if configuration file was bad, log it */
                if (pk_context->config == NULL) {
                        kit_warning ("failed to load configuration file: %s",
                                     polkit_error_get_error_message (*pk_error));
                        if (pk_error == &pk_error2)
                                polkit_error_free (*pk_error);
                }

if the config file isn't present then polkit_config_new will return
NULL, but this isn't fatal.

Secondly, inotify_add_watch is called with the IN_CREATE flag. This
only has an effect if the path is a directory, but it may indicate
that the intent was to get events on creation of a file at the specified
path. (The way to do that is apparently monitor the parent directory
with that flag and switch on the path name when the events occur).

So, I would appreciate clarification on what situations the code is intended
to work in, so that I can fix the packaging, or we can fix the code.

Thanks,

James

On Wed, 2008-10-08 at 02:20 +0000, TomasCassidy wrote:
> tom@ubuntu:~$ aptitude why consolekit
> i dbus-x11 Depends dbus
> i A dbus Depends consolekit (>= 0.2.3-3ubuntu2)
> tom@ubuntu:~$ aptitude why dbus
> i dbus-x11 Depends dbus
> tom@ubuntu:~$ aptitude why dbus-x11
> i libdbus-1-3 Recommends dbus
> i A dbus Recommends dbus-x11
> tom@ubuntu:~$ aptitude why libdbus-1-3
> i wpasupplicant Depends libdbus-1-3 (>= 1.1.1)
> tom@ubuntu:~$ aptitude why wpasupplicant
> i ubuntu-minimal Depends wpasupplicant
>
>
> I can't seem to recall whether I manually installed dbus myself when
> the system was on 8.04.
>

Thanks, this seems to be the case of libdbus-1-3 recommending
dbus, causing ubuntu-minimal to install dbus, which has been
fixed in later versions.

Thanks,

James

Changed in policykit:
status: Unknown → Confirmed

Just another data-point:

I performed a clean install of 8.10 Beta server.

Used aptitude to 'update' installed packages, and then installed some additional packages: autofs, nfs, ldap client pkgs, ntp, tftpd
Then, I noticed the log msg ".... console-kit-daemon[13695]: CRITICAL: cannot initialize libpolkit"

aptitude why consolekit --> dbus depends
aptitude why dbus --> dbus-x11 depends
aptitude why dbus-x11 --> dbus recommends

Seems circular to me... I was able to remove dbus-x11, dbus, and consolekit without issue.

James Westby (james-w) wrote :

Hi,

After talking with Michael Biebl, the Debian maintainer, for a while about
the issue it seems like the current situation may well be ok, and the
warning reasonable.

I'll hopefully have a concrete answer in the next few days.

Does anyone use consolekit for anything on their server installs?
Does that still work with this warning?

Thanks,

James

Changed in policykit:
status: Unknown → New
Robert Pendell (shinji257) wrote :

I was searching around about the error mentioned above and found this bug report. I went and did the research and came across alot of the same initiatives. I did a clean cli only based install of Ubuntu 8.10 Server (released version) and also added the OpenSSH server option during install. Afterwards several packages were installed however I do not remember ever installing dbus. For the developers and maintainers I'm sure you all have this but I will post this here. These seem to be pretty critical packages to me and probably installed when I setup the distro.

dbus - simple interprocess messaging system
dbus-x11 - simple interprocess messaging system (X11 deps)
consolekit - framework for defining and tracking users, sessions and seats

I also have libpolkit2 installed but do not know why. If any functions were to be broken what would they be? I can add and remove users or groups via commandline just fine and all my stuff is done on the console. More specifically what does the policykit package provide?

lozd (lozd) wrote :

I have the same problem with a fresh install of 8.10 server. Selected to install openssh and apache during install and thats all. Did a apt-get upgrade nothing else. Error appears every 10 mins in syslog.

Martin Pitt (pitti) on 2008-12-05
Changed in policykit:
assignee: nobody → pitti
status: Triaged → In Progress
Martin Pitt (pitti) wrote :

Ah, should wait for upstream's feedback.

Changed in policykit:
assignee: pitti → nobody
status: In Progress → Confirmed
Steve Langasek (vorlon) wrote :

Hi Martin,

What feedback are you waiting for from upstream?

Moving these files into libpolkit would cause problems (file conflicts) whenever the libpolkit soname changes, so should be avoided if possible.

The code James cites uses a function named 'polkit_debug' - perhaps if this is for debugging only, it should not log anything by default? Or perhaps we should not log debug-priority messages to /var/log/syslog by default.

Either way, from the log it doesn't sound like this functionally impairs the use of the library, is this really an SRU candidate or should we 'wontfix' the per-release tasks?

DaveAbrahams (boostpro) wrote :

If this becomes 'wontfix' then someone please open a bug about the error messages in the log files. The problem, if nothing else, is the many hours people waste trying to diagnose this issue.

Dave Gomboc (davegomboc) wrote :

I have a plain install of Ubuntu 8.10 Server. As ClarkTucker wrote on 2008-10-08, "aptitude why <x>" yields:

consolekit: dbus Depends consolekit (>=0.2.3-3ubuntu2)
dbus: dbus-x11 Depends dbus
dbus-x11: dbus Recommends dbus-x11

I don"t have an X server installed. Can anyone confirm that I may remove consolekit, dbus, and dbus-x11 without any trouble?

Martin Pitt (pitti) on 2009-03-06
Changed in policykit:
assignee: nobody → pitti
status: Confirmed → Triaged
status: Triaged → In Progress
TJ (tj) wrote :

This also affects 9.04 server. I've just done a fresh install and selected just Openssh Server as a package.

Mar 25 10:10:01 PowerEdge6300 console-kit-daemon[3264]: CRITICAL: cannot initialize libpolkit

root@PowerEdge6300:~# aptitude why consolekit
i dbus Depends consolekit (>= 0.2.3-3ubuntu2)
root@PowerEdge6300:~# aptitude why dbus
i dbus-x11 Depends dbus
root@PowerEdge6300:~# aptitude why dbus-x11
i dbus Recommends dbus-x11

There are various situations where polkit_context_init() fails:

 - PolicyKit daemon is not installed. This happens e. g. in a Debian or Ubuntu server installation (we split off the library to minimize dependencies)
 - PolicyKit.conf does not exist or is invalid

Right now, CK aborts with

Sep 28 22:10:01 acheron console-kit-daemon[13695]: CRITICAL: cannot initialize libpolkit

However, I think that's too strong. Even without PK, CK is still useful for session tracking. If this happens, CK should behave as if it was compiled without PK support, not abort completely.

Created an attachment (id=24268)
patch

This patch implements the suggested behaviour. If PK fails to initialize, pol_ctx is unref'ed and kept as NULL. polkit_context_is_caller_authorized() defaults to "NO" if the passed context is NULL, thus when trying to call CK's .Stop() function over D-Bus, the caller gets a proper "not authorized" response.

Although fixing PolicyKit for this case should be possible, it would be a rather intrusive patch, and given its security sensitive nature, I'd rather not remove its defences.

I think it is more appropriate to make ConsoleKit work if PolityKit initialization fails. In that case it should just disable the reboot/halt functionality, just as if it would have been compiled without PK support in the first place.

I reported this as bug 20876, with a tested patch.

I keep this open, though, since fixing it in PK, with a semantics of "always return NO if no configuration is found" would fix the problem more fundamentally, and for all software using PK.

Martin Pitt (pitti) wrote :

Although fixing PolicyKit for this case should be possible, it would be a rather intrusive patch, and given its security sensitive nature, I'd rather remove its defences.

I think it is more appropriate to make ConsoleKit work if PolityKit initialization fails. In that case it should just disable the reboot/halt functionality, just as if it would have been compiled without PK support in the first place.

Changed in consolekit (Ubuntu Jaunty):
assignee: nobody → pitti
status: New → In Progress
Changed in policykit (Ubuntu Jaunty):
assignee: pitti → nobody
status: In Progress → Won't Fix
Changed in consolekit (Ubuntu Jaunty):
importance: Undecided → High
Changed in policykit (Ubuntu Intrepid):
status: New → Won't Fix
Changed in policykit (Ubuntu):
assignee: pitti → nobody
status: In Progress → Won't Fix
Martin Pitt (pitti) wrote :

I updated the upstream bugs accordingly and sent my CK patch to upstream.

Martin Pitt (pitti) wrote :

Fixed consolekit uploaded.

Changed in consolekit (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in consolekit:
status: Unknown → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package consolekit - 0.3.0-2ubuntu3

---------------
consolekit (0.3.0-2ubuntu3) jaunty; urgency=low

  * Add 13-work-without-policykit.patch: If PolicyKit cannot be initialized,
    just disable support for it, do not fail completely. (LP: #275432)

 -- Martin Pitt <email address hidden> Thu, 26 Mar 2009 10:42:26 +0100

Changed in consolekit:
status: Fix Committed → Fix Released

Do you have an updated patch for polkit 1.0?

This patch isn't necessary any more with the polkit 1.0 update. That does:

 #ifdef HAVE_POLKIT
- manager->priv->pol_ctx = polkit_context_new ();
- polkit_context_set_io_watch_functions (manager->priv->pol_ctx, pk_io_add_watch, pk_io_remove_watch);
- if (! polkit_context_init (manager->priv->pol_ctx, NULL)) {
- g_critical ("cannot initialize libpolkit");
- return FALSE;
- }
+ manager->priv->pol_ctx = polkit_authority_get ();
 #endif

I. e. it already removed the g_critical()/return FALSE, which is sort of what my previous patch was doing as well. Since the polkit patch was committed now (thanks!), I close this bug.

Changed in consolekit:
status: Confirmed → Fix Released

This bug report is for the old version of PolicyKit. Closing as all of the code has been rewritten. Please reopen if the bug report applies to the latest version of PolicyKit. Thanks.

Changed in policykit:
status: Confirmed → Invalid
kenji (kenji-tamada) on 2010-02-24
Changed in consolekit (Ubuntu Jaunty):
status: Fix Released → Fix Committed
Martin Pitt (pitti) on 2010-02-24
Changed in consolekit (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in consolekit (Ubuntu Intrepid):
status: New → Won't Fix
Changed in consolekit:
importance: Unknown → Medium
Changed in policykit:
importance: Unknown → Medium
Changed in policykit:
importance: Medium → Unknown
Changed in consolekit:
importance: Medium → Unknown
Changed in policykit:
importance: Unknown → Medium
Changed in consolekit:
importance: Unknown → Medium
Changed in policykit (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.