Enabling service unit as regular user through PolicyKit permissions does not work #2517

Open
jwarnier opened this Issue Oct 26, 2018 · 0 comments


jwarnier commented Oct 26, 2018

Issue Report

Bug

Container Linux Version

$ cat /etc/os-release
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1855.4.0
VERSION_ID=1855.4.0
BUILD_ID=2018-09-11-0003
PRETTY_NAME="Container Linux by CoreOS 1855.4.0 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

Environment

AWS EC2

Expected Behavior

Using the following rule file for PolicyKit, any user in the wheel group, or the ci user is allowed to start/stop/restart a service (unit).

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" || action.id == "org.freedesktop.systemd1.manage-unit-files") {
        var unit = action.lookup("unit");
        if (unit == "admin.service" ||
            unit == "admin-postgres.service" ||
            unit == "admin-postgres-backup.service" ||
            unit == "admin-postgres-backup.timer") {
            var verb = action.lookup("verb");
            polkit.log("action=" + action);
            polkit.log("subject=" + subject);
            polkit.log("verb=" + verb);
            if ((verb == "start" || verb == "stop" || verb == "restart" || verb == "enable" || verb == "disable") &&
                (subject.isInGroup("wheel") || subject.user == "ci")) {
                return polkit.Result.YES;
            }
        }
    }
});

Actual Behavior

The same user is not allowed to enable or disable the same service unit (this is particularly bad for timers).
It keeps asking for an interactive password (which the user does not have).

Reproduction Steps

  1. set the above rule as a new file with a .rules extension in /etc/polkit-1/rules.d
  2. try to systemctl enable admin
  3. systemctl disable admin
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ===
Authentication is required to manage system service or unit files.
Authenticating as: root
Password:

Other Information

Any hint about where (even in the code) to look by myself for the features or inner workings of org.freedesktop.systemd1.manage-unit-files and org.freedesktop.systemd1.manage-units would probably help.
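
An added example, not part of the original report and not polkit or systemd code: a small Node.js harness that runs a condensed copy of the rule above against two constructed requests, to show what the rule returns when `action.lookup("unit")` and `action.lookup("verb")` have nothing to return. The `polkit` object, `makeAction`, `makeSubject` and `evaluate` are hypothetical stand-ins; it assumes the `manage-unit-files` request carries no `unit` or `verb` details and that the action's default is admin authentication.

```javascript
// Stand-in for polkitd's rule runtime (hypothetical harness, not polkit code).
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  addRule: (fn) => rules.push(fn),
  log: () => {},
};

// Action whose lookup() yields undefined for a detail that was not supplied.
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}

function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

// The rule from the report, condensed (same conditions, logging dropped).
const UNITS = ["admin.service", "admin-postgres.service",
               "admin-postgres-backup.service", "admin-postgres-backup.timer"];
const VERBS = ["start", "stop", "restart", "enable", "disable"];
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.systemd1.manage-units" ||
      action.id == "org.freedesktop.systemd1.manage-unit-files") {
    if (UNITS.includes(action.lookup("unit")) &&
        VERBS.includes(action.lookup("verb")) &&
        (subject.isInGroup("wheel") || subject.user == "ci")) {
      return polkit.Result.YES;
    }
  }
});

// The first rule that returns a value decides; otherwise the action's default
// applies (assumed auth_admin here, matching the password prompt in the report).
function evaluate(action, subject) {
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return polkit.Result.AUTH_ADMIN;
}

const ci = makeSubject("ci", []);
// Constructed requests: "start" carries details, "enable" carries none (assumption).
const startReq = makeAction("org.freedesktop.systemd1.manage-units",
                            { unit: "admin.service", verb: "start" });
const enableReq = makeAction("org.freedesktop.systemd1.manage-unit-files", {});
console.log("start :", evaluate(startReq, ci));   // rule grants
console.log("enable:", evaluate(enableReq, ci));  // rule falls through to default
```

Under that assumption the unit and verb comparisons can never match for `manage-unit-files`, so the rule returns nothing and the default authentication applies. The `polkit.log` lines in the original rule show on a real system which details each request actually carries.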
