FS#67658 - [filesystem] polkit doesn't detect groups of systemd-homed users

Attached to Project: Arch Linux
Opened by Chandradeep Dey (chandradeepdey) - Friday, 21 August 2020, 15:52 GMT
Last edited by Sébastien Luttringer (seblu) - Tuesday, 19 January 2021, 01:42 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Additional info:
* package version(s) - 0.117-1

Steps to reproduce:
Create a systemd-homed user with -G wheel.
Try to launch something that opens a polkit authentication agent.

Observation:
It asks for root password.

Correct behaviour:
Asking for user password, since the user is a member of wheel.

Workarounds:
gpasswd --add-ing the user to wheel

Closed by  Sébastien Luttringer (seblu)
Tuesday, 19 January 2021, 01:42 GMT
Reason for closing:  Fixed
Additional comments about closing:  filesystem-2021.01.19-1
Comment by Chandradeep Dey (chandradeepdey) - Tuesday, 25 August 2020, 11:57 GMT
Fix:
/etc/nsswitch.conf
5: group: files [SUCCESS=merge] systemd
Comment by loqs (loqs) - Friday, 28 August 2020, 22:08 GMT
[1] provides an example nsswitch.conf which merges the groups from files and systemd.

[1] https://www.freedesktop.org/software/systemd/man/nss-systemd.html
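
Added example, not part of the original comments or of the Arch filesystem package: a shell check that classifies the `group:` line of an nsswitch.conf-style file by whether `systemd` directly follows `files [SUCCESS=merge]`, the form given in the fix above. The function name `nss_group_status` and the sample lines are assumptions constructed for illustration; any other arrangement of sources is reported as `unmerged` because only that one form is checked.

```shell
#!/bin/sh
# Classify the "group:" line of an nsswitch.conf-style file (or stdin).
# Prints one of: merged | unmerged | no-systemd | no-group-line
#
# Background: the default action for SUCCESS is "return", so a group found in
# "files" (such as wheel in /etc/group) is returned as-is and later sources are
# not asked about it. [SUCCESS=merge] keeps looking and merges the member lists.
nss_group_status() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        tolower($1) != "group:" { next }
        {
            found = 1; n = 0; inact = 0
            # Split into entries, joining a multi-word [action] into one entry.
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (inact) e[n] = e[n] " " t
                else e[++n] = t
                inact = (e[n] ~ /^\[/ && t !~ /\]$/)
            }
            status = "no-systemd"
            for (i = 1; i <= n; i++) {
                if (e[i] != "systemd") continue
                status = "unmerged"
                # Require exactly: files, [... success=merge ...], systemd
                if (i >= 3 && e[i-2] == "files" && e[i-1] ~ /^\[/ &&
                    (" " substr(e[i-1], 2, length(e[i-1]) - 2) " ") ~ / success=merge /)
                    status = "merged"
            }
        }
        END { print (found ? status : "no-group-line") }
    ' "${1:--}"
}

# Constructed sample lines (not taken from any real system).
for line in \
    'group: files systemd' \
    'group: files [SUCCESS=merge] systemd' \
    'group: files'
do
    printf '%-40s -> %s\n' "$line" "$(printf '%s\n' "$line" | nss_group_status)"
done
```

Called with a path, as in `nss_group_status /etc/nsswitch.conf`, it reads that file instead of standard input.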
Comment by loqs (loqs) - Wednesday, 02 September 2020, 13:08 GMT
Can this please be reassigned to the filesystem package which owns etc/nsswitch.conf.
Comment by Leo P. (jpegxguy) - Sunday, 29 November 2020, 13:43 GMT
Does this change interfere with normal /etc/passwd users? Why isn't it the default for Arch's /etc/nsswitch.conf?
Comment by loqs (loqs) - Sunday, 29 November 2020, 15:24 GMT
@jpegxguy, the change only adds systemd-homed users to query results for group membership. /etc/nsswitch.conf has not been updated since Arch added systemd-homed user support to pambase.
Comment by Leo P. (jpegxguy) - Sunday, 29 November 2020, 15:34 GMT
Yeah but why not make this change so that the polkit bug doesn't happen at all?
Comment by loqs (loqs) - Sunday, 29 November 2020, 19:11 GMT
I requested this bug to be reassigned to the filesystem package so that change can be made [1].

[1] https://bugs.archlinux.org/task/67658#comment192288
Comment by Leo P. (jpegxguy) - Sunday, 29 November 2020, 19:48 GMT
I saw that, but it's been months now
Comment by Sébastien Luttringer (seblu) - Thursday, 24 December 2020, 18:13 GMT
Christmas magic, just being reassigned.
Comment by Leo P. (jpegxguy) - Thursday, 24 December 2020, 18:15 GMT
Ah I wanted to ask because I haven't been able to find info. Would it be considered a security issue, the fact that I can specify being part of the wheel group in a user-writable file (.identity) and the system will allow it?
Comment by Chandradeep Dey (chandradeepdey) - Thursday, 24 December 2020, 18:20 GMT
@jpegxguy - User records need to be signed and the public key of the key pair used for the signature needs to be present in the system. homectl does this automatically for a single system, but some manual work is needed if you need a home directory on USB across multiple systems.

Edit: private key -> public key oops
