Bug 202615 - sysutils/polkit wrong permissions
Summary: sysutils/polkit wrong permissions
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Ben Woods
Reported: 2015-08-24 08:48 UTC by rozhuk.im
Modified: 2017-02-15 15:34 UTC

woodsb02: maintainer-feedback-
woodsb02: merge-quarterly+


Attachments
pkg-plist patch (733 bytes, patch)
2015-11-19 17:14 UTC, Lawrence Chen

Description rozhuk.im 2015-08-24 08:48:43 UTC
After update I can't shutdown/reboot, even after I create a file with rules in: /usr/local/etc/polkit-1/rules.d/

Aug 18 09:22:37 rimwks polkitd[1085]: Loading rules from directory /usr/local/etc/polkit-1/rules.d
Aug 18 09:22:37 rimwks polkitd[1085]: Error opening rules directory: Error opening directory '/usr/local/etc/polkit-1/rules.d': Permission denied (g-file-error-quark, 2)
Aug 18 09:22:37 rimwks polkitd[1085]: Loading rules from directory /usr/local/share/polkit-1/rules.d


ls /usr/local/etc/
...
drwx------   3 root   wheel   512B Aug 18 05:02:57 2015 polkit-1/
...

ls /usr/local/etc/polkit-1/
total 12
drwx------   3 root     wheel   512B Aug 18 05:02:57 2015 ./
drwxr-xr-x  34 root     wheel   2.0K Aug 19 20:04:09 2015 ../
drwx------   2 polkitd  wheel   512B Aug 18 05:03:22 2015 rules.d/
Comment 1 rozhuk.im 2015-09-18 08:37:03 UTC
fix: chown polkitd:wheel /usr/local/etc/polkit-1/
Comment 2 Lawrence Chen 2015-11-19 17:14:46 UTC
Created attachment 163339
pkg-plist patch

Here's a possible fix to the problem of creating 'rules.d' directory structure under 'polkit-1' that is accessible to only 'polkitd', while the 'polkit-1' directory is only accessible to root.

Alternatively, perhaps the two directories should have the default perms, to be like the 'localauthority' structure.
Comment 3 otacilio.neto 2016-01-05 13:32:25 UTC
The fix suggested is not working on FreeBSD 11 with polkit-0.113_1. Maybe because the structure of dirs has changed.
Comment 4 otacilio.neto 2016-05-22 01:39:14 UTC
I have tested again and I run:

# pkg info -D xfce4-session

Copy the rule suggested to shutdown to:
/usr/local/etc/polkit-1/rules.d/50-HOSTNAME.rules

where HOSTNAME I replace by my hostname.
Replace PUTYOURGROUPHERE by wheel and double check that the user who must be able to shut down is in group wheel; otherwise add it.

Run

# chown polkitd:wheel /usr/local/etc/polkit-1

And then I restarted hald and dbus, and logged in with my user. xfce4 now enables the poweroff button. Click with the right button, Properties, and check restart.

I have tested on FreeBSD 10 and 11 and it works.
Comment 5 commit-hook freebsd_committer 2017-02-12 15:51:11 UTC
A commit references this bug:

Author: woodsb02
Date: Sun Feb 12 15:50:52 UTC 2017
New revision: 433951
URL: https://svnweb.freebsd.org/changeset/ports/433951

Log:
  sysutils/polkit: Fix directory permissions to allow reading config files

  If the $LOCALBASE/etc/polkit-1 directory is owned by root and set 700,
  then polkit which is running as the polkitd user cannot read the config
  files in $LOCALBASE/etc/polkit-1/rules.d/* resulting in this error:

  Loading rules from directory /usr/local/etc/polkit-1/rules.d
  Error opening rules directory: Error opening directory \
  '/usr/local/etc/polkit-1/rules.d': Permission denied \
  (g-file-error-quark, 2)
  Loading rules from directory /usr/local/share/polkit-1/rules.d

  To fix this, change the $LOCALBASE/etc/polkit-1 to be set 755, and the
  $LOCALBASE/etc/polkit-1/localauthority to be set 700.
  This was sense checked with Fedora Linux which does the same, and with
  Debian/Ubuntu which have /etc/polkit-1/localauthority as owned by
  root:polkitd and set 750.

  PR:		202615
  Reported by:	rozhuk.im@gmail.com

Changes:
  head/sysutils/polkit/Makefile
  head/sysutils/polkit/pkg-plist
Comment 6 Ben Woods freebsd_committer 2017-02-12 15:53:32 UTC
Committed the fix to the ports head branch - thanks for reporting this. Will merge to the ports quarterly branch soon.
Comment 7 commit-hook freebsd_committer 2017-02-14 10:34:56 UTC
A commit references this bug:

Author: woodsb02
Date: Tue Feb 14 10:34:30 UTC 2017
New revision: 434073
URL: https://svnweb.freebsd.org/changeset/ports/434073

Log:
  MFH: r433951

  sysutils/polkit: Fix directory permissions to allow reading config files

  If the $LOCALBASE/etc/polkit-1 directory is owned by root and set 700,
  then polkit which is running as the polkitd user cannot read the config
  files in $LOCALBASE/etc/polkit-1/rules.d/* resulting in this error:

  Loading rules from directory /usr/local/etc/polkit-1/rules.d
  Error opening rules directory: Error opening directory \
  '/usr/local/etc/polkit-1/rules.d': Permission denied \
  (g-file-error-quark, 2)
  Loading rules from directory /usr/local/share/polkit-1/rules.d

  To fix this, change the $LOCALBASE/etc/polkit-1 to be set 755, and the
  $LOCALBASE/etc/polkit-1/localauthority to be set 700.
  This was sense checked with Fedora Linux which does the same, and with
  Debian/Ubuntu which have /etc/polkit-1/localauthority as owned by
  root:polkitd and set 750.

  PR:		202615
  Reported by:	rozhuk.im@gmail.com

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2017Q1/
  branches/2017Q1/sysutils/polkit/Makefile
  branches/2017Q1/sysutils/polkit/pkg-plist
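
The failure described in the commit log, as an added check that is not part of the port or of this bug thread: the Python function below walks each directory from a starting point down to rules.d and reports the first one whose mode bits stop a given uid. It looks only at owner/group/other bits (no ACLs or MAC), and the name `first_blocker` and its parameters are made up for this example.

```python
import os
import stat
import sys


def first_blocker(target, uid, gids, start="/"):
    """Return (directory, mode string) for the first directory between
    `start` and `target` that stops `uid`, or None if the path is usable.

    `target` must lie under `start`. Ancestors need search (x); the target
    itself needs read+search (r-x) so its entries can be listed.
    ACLs and MAC policies are not considered.
    """
    target = os.path.abspath(target)
    cur = os.path.abspath(start)
    chain = [cur]
    for name in os.path.relpath(target, cur).split(os.sep):
        if name != ".":
            cur = os.path.join(cur, name)
            chain.append(cur)
    for directory in chain:
        if uid == 0:          # root bypasses mode bits
            break
        st = os.stat(directory)
        need = 0o5 if directory == target else 0o1
        if st.st_uid == uid:              # owner class
            bits = (st.st_mode >> 6) & 0o7
        elif st.st_gid in gids:           # group class
            bits = (st.st_mode >> 3) & 0o7
        else:                             # other class
            bits = st.st_mode & 0o7
        if bits & need != need:
            return directory, stat.filemode(st.st_mode)
    return None


if __name__ == "__main__":
    import pwd
    # Defaults taken from the bug report; override on the command line.
    user = sys.argv[1] if len(sys.argv) > 1 else "polkitd"
    path = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/etc/polkit-1/rules.d"
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    hit = first_blocker(path, pw.pw_uid, gids)
    print("ok" if hit is None else "blocked at %s (%s)" % hit)
```

Run as root so every component can be stat'ed; on the layout from the original report it names /usr/local/etc/polkit-1 as the blocking directory even though polkitd owns rules.d itself.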