202615 – sysutils/polkit wrong permissions

Bug 202615 - sysutils/polkit wrong permissions

Summary: sysutils/polkit wrong permissions

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	Ben Woods

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-08-24 08:48 UTC by Ivan Rozhuk
Modified:	2017-02-15 15:34 UTC (History)
CC List:	4 users (show)

See Also:

Flags:	woodsb02: maintainer-feedback- woodsb02: merge-quarterly+

Attachments
pkg-plist patch (733 bytes, patch) 2015-11-19 17:14 UTC, Lawrence Chen	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ivan Rozhuk 2015-08-24 08:48:43 UTC

After update i cant shutdown/reboot, even after i create file with rules in: /usr/local/etc/polkit-1/rules.d/

Aug 18 09:22:37 rimwks polkitd[1085]: Loading rules from directory /usr/local/etc/polkit-1/rules.d
Aug 18 09:22:37 rimwks polkitd[1085]: Error opening rules directory: Error opening directory '/usr/local/etc/polkit-1/rules.d': Permission denied (g-file-error-quark, 2)
Aug 18 09:22:37 rimwks polkitd[1085]: Loading rules from directory /usr/local/share/polkit-1/rules.d


ls /usr/local/etc/
...
drwx------   3 root   wheel   512B Aug 18 05:02:57 2015 polkit-1/
...

ls /usr/local/etc/polkit-1/
total 12
drwx------   3 root     wheel   512B Aug 18 05:02:57 2015 ./
drwxr-xr-x  34 root     wheel   2.0K Aug 19 20:04:09 2015 ../
drwx------   2 polkitd  wheel   512B Aug 18 05:03:22 2015 rules.d/

Comment 1 Ivan Rozhuk 2015-09-18 08:37:03 UTC

fix: chown polkitd:wheel /usr/local/etc/polkit-1/

Comment 2 Lawrence Chen 2015-11-19 17:14:46 UTC

Created attachment 163339 [details]
pkg-plist patch

Here's a possible fix to the problem of creating 'rules.d' directory structure under 'polkit-1' that is accessible to only 'polkitd', while the 'polkit-1' directory is only accessible to root.

Alternative perhaps the two directories should have the default perms, to be like 'localauthority' structure.

Comment 3 Otacílio de Araújo Ramos Neto 2016-01-05 13:32:25 UTC

The fix suggested is not working on FreeBSD 11 with polkit-0.113_1. Maybe because the structure of dirs has changed.

Comment 4 Otacílio de Araújo Ramos Neto 2016-05-22 01:39:14 UTC

I have tested again and I run:

# pkg info -D xfce4-session

Copy the rule suggested to shutdown to:
/usr/local/etc/polkit-1/rules.d/50-HOSTNAME.rules

where HOSTNAME I replace by my hostname.
Replace PUTYOURGROUPHERE by wheel and double check if the user that must can shutdown is in group wheel, otherwise add.

Run

# chown polkitd:wheel /usr/local/etc/polkit-1

An then, I have restarted hald and dbus. So, I did login with my user. The xfce4 nows enable the poweroff button. Click with right button, properties and check restart.

I have tested on FreeBSD 10 and 11 and it works.

Comment 5 commit-hook freebsd_committer

2017-02-12 15:51:11 UTC

A commit references this bug:

Author: woodsb02
Date: Sun Feb 12 15:50:52 UTC 2017
New revision: 433951
URL: https://svnweb.freebsd.org/changeset/ports/433951

Log:
  sysutils/polkit: Fix directory permissions to allow reading config files

  If the $LOCALBASE/etc/polkit-1 directory is owned by root and set 700,
  then polkit which is running as the polkitd user cannot read the config
  files in $LOCALBASE/etc/polkit-1/rules.d/* resulting in this error:

  Loading rules from directory /usr/local/etc/polkit-1/rules.d
  Error opening rules directory: Error opening directory \
  '/usr/local/etc/polkit-1/rules.d': Permission denied \
  (g-file-error-quark, 2)
  Loading rules from directory /usr/local/share/polkit-1/rules.d

  To fix this, change the $LOCALBASE/etc/polkit-1 to be set 755, and the
  $LOCALBASE/etc/polkit-1/localauthority to be set 700.
  This was sense checked with Fedora Linux which does the same, and with
  Debian/Ubuntu which have /etc/polkit-1/localauthority as owned by
  root:polkitd and set 750.

  PR:		202615
  Reported by:	rozhuk.im@gmail.com

Changes:
  head/sysutils/polkit/Makefile
  head/sysutils/polkit/pkg-plist

Comment 6 Ben Woods freebsd_committer

2017-02-12 15:53:32 UTC

Committed the fix to the ports head branch - thanks for reporting this. Will merge to the ports quarterly branch soon.

Comment 7 commit-hook freebsd_committer

2017-02-14 10:34:56 UTC

A commit references this bug:

Author: woodsb02
Date: Tue Feb 14 10:34:30 UTC 2017
New revision: 434073
URL: https://svnweb.freebsd.org/changeset/ports/434073

Log:
  MFH: r433951

  sysutils/polkit: Fix directory permissions to allow reading config files

  If the $LOCALBASE/etc/polkit-1 directory is owned by root and set 700,
  then polkit which is running as the polkitd user cannot read the config
  files in $LOCALBASE/etc/polkit-1/rules.d/* resulting in this error:

  Loading rules from directory /usr/local/etc/polkit-1/rules.d
  Error opening rules directory: Error opening directory \
  '/usr/local/etc/polkit-1/rules.d': Permission denied \
  (g-file-error-quark, 2)
  Loading rules from directory /usr/local/share/polkit-1/rules.d

  To fix this, change the $LOCALBASE/etc/polkit-1 to be set 755, and the
  $LOCALBASE/etc/polkit-1/localauthority to be set 700.
  This was sense checked with Fedora Linux which does the same, and with
  Debian/Ubuntu which have /etc/polkit-1/localauthority as owned by
  root:polkitd and set 750.

  PR:		202615
  Reported by:	rozhuk.im@gmail.com

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/sysutils/polkit/Makefile
  branches/2017Q1/sysutils/polkit/pkg-plist