Ubuntu
policykit-1 package

policykit failures due to internal user id mismatch

Bug #1828663 reported by Marco Pagnoni
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
PolicyKit
New
Unknown
lubuntu-meta (Ubuntu)
Invalid
Undecided
Unassigned
lxqt-policykit (Ubuntu)
Invalid
Undecided
Unassigned
policykit-1 (Ubuntu)
Confirmed
Undecided
Unassigned
polkit-qt-1 (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

After adding a second user to the sudo group any authentication in the QT applications menu fails, till I manually remove the second user from the sudo group by issuing deluser chiara sudo in terminal window.

Lubuntu 19.04
(fresh install, in italian)
1)open the preferences/LXQt settins/user and groups menu from the application menu
2)add new user, before saving add it to sudo group; save (password asked for user currently logged on, as expected - then new user password asked, user created -all ok)
3)restart system
4) log in as newly created user; open the same interface preferences/LXQt settins/user and groups; try changing the full name field (properties of your own user): logged user password asked (and... why? User two is changing himself)
5)popup showed: "Error executing command as another user: Not authorized" & user unchanged.
6)if you exit session, reenter with the first user, also him is now unable to use interface ti change users via interface
7)using terminal, delete second user from sudo group
8)restart system
9)athenticated interface working again.

It happened me both at home on a phisical laptop and on a virtual machine at office, where I could do it all twice.

By the way, also plasma-discover tells me I haven't the right to update/install when I have two sudoers (tried at home to remove second sudoer to fix it, and it worked)

So it seems that the authentication mechanism of the QT graphical interface fails when there are more then one sudoer on the system - but only for applications started from the application menu.
Launching the same application via terminal (sudo plasma-discovery) works.

commands issued by the interface (which lead to "unauthorized" error:

--change user
pkexec --disable-internal-agent lxqt-admin-user-helper usermod -c marco marcop

--plasma-discover
polkit-agent-helper-1 marcop

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1828663/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Paul White (paulw2u)
tags: added: disco
affects: ubuntu → lubuntu-meta (Ubuntu)
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lubuntu-meta (Ubuntu):
status: New → Confirmed
Revision history for this message
Glen Shrubsall (stinkeye) wrote :

See the same error with two admin accounts.
synaptic-pkexec brings up the admin confirmation dialog but fails to authorize.
"Error executing command as another user: Not authorized"

Removed second user account with admin privileges and synaptic started.

TJ (tj)
Changed in lubuntu-meta (Ubuntu):
assignee: nobody → TJ (tj)
status: Confirmed → In Progress
Revision history for this message
TJ (tj) wrote :

There's a SIGSEGV; gdb bt full attached.

#0 0x00007f1d14271201 in g_type_check_instance_is_fundamentally_a
    (type_instance=type_instance@entry=0x55b74c6fd010, fundamental_type=fundamental_type@entry=0x50 [GObject]) at ../../../gobject/gtype.c:4025
        node = <optimized out>
#1 0x00007f1d14251399 in g_object_unref (_object=0x55b74c6fd010) at ../../../gobject/gobject.c:3243
        _g_boolean_var_ = <optimized out>
        object = 0x55b74c6fd010
        __FUNCTION__ = "g_object_unref"
#2 0x00007f1d15b5ab9c in PolkitQt1::Agent::Session::Private::completed(_PolkitAgentSession*, int, void*) ()
    at /lib/x86_64-linux-gnu/libpolkit-qt5-agent-1.so.1
#6 0x00007f1d142699f6 in <emit signal ??? on instance 0x55b74c84d760 [PolkitAgentSession]> (instance=0x55b74c84d760, detailed_signal=<optimized out>)
    at ../../../gobject/gsignal.c:3487

Changed in lxqt-policykit (Ubuntu):
status: New → Confirmed
Revision history for this message
TJ (tj) wrote :

Looks like there may be two problems but I'm not familiar enough with the code bases to figure it out.

1) should a user already a member of "sudo" group even be prompted to select the user they wish to authenticate as?

2) when they do something goes wrong and there's a SIGSEGV which looks like it may be caused in libpolkit-qt5

Revision history for this message
TJ (tj) wrote :

I've found that there appears to be a fundamental bug in policykit and have added the upstream bug report covering it, which has been around for several years but the developers don't seem able to come up with a fix for.

Tests done using the Lubuntu 19.10 Live ISO (June 24th 2019 build) where an additional user "test" is created with the same supplementary group memberships as the "lubuntu" user. Both have passwords set so that these tests can be done over SSH as well as at the console, or in the GUI.

The fact that "pkexec" itself is broken proves that lxqt nor the qt-policykit code is at fault here.

test@lubuntu:~$ groups
test adm cdrom sudo dip plugdev lpadmin

$ sudo ls -l /root/
[sudo] password for test:
total 0
-rw-r--r-- 1 root root 0 Jun 26 23:35 file

test@lubuntu:~$ pkexec ls -l /root/

==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/ls' as the super user
Multiple identities can be used for authentication:
 1. Lubuntu2,,, (lubuntu)
 2. Test3,,, (test)
Choose identity to authenticate as (1-2): 2
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie

lubuntu@lubuntu:~$ groups
lubuntu adm cdrom sudo dip plugdev lpadmin sambashare

lubuntu@lubuntu:~$ sudo ls -l /root/
total 0
-rw-r--r-- 1 root root 0 Jun 26 23:35 grep

lubuntu@lubuntu:~$ pkexec ls -l /root/
Error executing command as another user: Not authorized

This incident has been reported.

summary: - lubuntu 19.04 QT interfaces not properly working where more then one
- sudoer configured
+ policykit failures due to internal user id mismatch
Changed in lubuntu-meta (Ubuntu):
status: In Progress → Invalid
Changed in lxqt-policykit (Ubuntu):
status: Confirmed → Invalid
Changed in policykit-1 (Ubuntu):
status: New → Confirmed
Changed in lubuntu-meta (Ubuntu):
assignee: TJ (tj) → nobody
Revision history for this message
TJ (tj) wrote :

Using gparted (which requires root access to the block storage devices) "test" user fails whilst original "lubuntu" user is successful:

# In "lubuntu" user's GUI terminal emulator:

lubuntu@lubuntu:~$ gparted
localuser:root being added to access control list
======================
libparted : 3.2
======================
localuser:root being removed from access control list

# In "test" user's GUI terminal emulator:

test@lubuntu:~$ gparted
localuser:root being added to access control list
Error executing command as another user: Not authorized

This incident has been reported.
localuser:root being removed from access control list

Revision history for this message
TJ (tj) wrote :

Possibly related to Bug #1821415 "pkexec fails in a non-graphical environment"

Bug Watch Updater (bug-watch-updater)
Changed in policykit-1:
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in polkit-qt-1 (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.