
Bug#1037295: live-config: starting Calamares installer requires a password (which is 'live')


Simon McVittie

Jun 10, 2023, 10:20:04 AM
Source: live-config
Version: 11.0.3+nmu1
Severity: normal

To reproduce:

* Boot debian-live-12.0.0-amd64-gnome.iso (the version used for
  release-day testing)
  - KDE has a similar issue with slightly different steps to start the
    installer, probably all desktops' variants are affected

* Wait for a GNOME desktop

* Click next/skip until gnome-initial-setup goes away

* Press Windows key to go to Overview, and click on "Install Debian"
  (Calamares) icon in the dash

Expected result: Calamares installer starts

Actual result: I get a polkit prompt as follows:

Authentication Required

Authentication is required to run the installation program

(logo here)
Debian Live user

[Password__________________]

[ Cancel ] [ Authenticate]

Workaround: enter the password, which is "live". The installer starts.

If this is not the intended behaviour, the solution would be:

- drop a file similar to /usr/share/doc/polkitd/examples/50-local-allow.rules
  into /usr/share/polkit-1/rules.d (if it's owned by a .deb) or into
  /etc/polkit-1/rules.d (if it's created on an ad-hoc basis by scripts)

- use that file to configure polkitd to allow whatever action Calamares
  is using, without authentication (polkit.Result.YES), for either the
  live user or all members of the sudo group

- when installing with Calamares, make sure that file is not included in
  the installed system

Please ask the polkitd maintainers if more information is needed.

smcv

Simon McVittie

Jun 10, 2023, 1:30:03 PM
Control: user pkg-utopia-...@lists.alioth.debian.org
Control: usertags -1 + pkla-without-js

On Sat, 10 Jun 2023 at 15:10:35 +0100, Simon McVittie wrote:
> * Boot debian-live-12.0.0-amd64-gnome.iso (the version used for
> release-day testing)
> - KDE has a similar issue with slightly different steps to start the
> installer, probably all desktops' variants are affected

GNOME, KDE and LXQT are affected.

MATE, Cinnamon and LXDE don't seem to be, because those desktops still
pull in the legacy policykit-1 package.

> If this is not the intended behaviour, the solution would be:
>
> - drop a file similar to /usr/share/doc/polkitd/examples/50-local-allow.rules
> into /usr/share/polkit-1/rules.d (if it's owned by a .deb) or into
> /etc/polkit-1/rules.d (if it's created on an ad-hoc basis by scripts)
>
> - use that file to configure polkitd to allow whatever action Calamares
> is using, without authentication (polkit.Result.YES), for either the
> live user or all members of the sudo group
>
> - when installing with Calamares, make sure that file is not included in
> the installed system

I see why this has happened. I did a mass-bug-filing for packages that
*contain* files in /var/lib/polkit-1/localauthority, but my search didn't
find live-config, because it creates the file programmatically.

Desktop environments that still pull in the legacy policykit-1 package
in bookworm are unaffected, because live-config does create a file that
will be read by polkitd-pkla.

In https://sources.debian.org/src/live-config/11.0.3%2Bnmu1/components/1080-policykit/:

> if ! pkg_is_installed "policykit-1" || \

This should now be polkitd, not policykit-1. policykit-1 is now a
transitional package.

> cat > /etc/PolicyKit/PolicyKit.conf << EOF

I don't think this file has been used for years.

> <define_admin_auth group="adm"/>

If this file *is* still used, the group you'll want here is 'sudo'.

> [Live CD user permissions]
> Identity=unix-user:${LIVE_USERNAME}
> Action=*
> ResultAny=no
> ResultInactive=no
> ResultActive=yes

This should be replaced by something very similar to
/usr/share/doc/polkitd/examples/50-local-allow.rules.
I tried this on the GNOME live image (not tested on KDE or LXQT but
should work equally well):

sudo tee /etc/polkit-1/rules.d/50-live.rules >/dev/null <<EOF
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("sudo")) {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
EOF

Or you could use subject.user === "live" if you'd prefer. This is
JavaScript, so the "===" is intentionally three equals signs, not a typo.

smcv
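
Added example (not part of the original thread and not live-config's code): a small offline harness that contrasts the rule from the message above, which answers YES for every action, with a variant limited to one action and the "live" user. The `makeEngine` stub, the action id `org.example.installer.run` and the `auth_admin` default are assumptions made for illustration.

```javascript
// Offline stand-in for polkitd's rule engine (an assumption made for this
// example; the real daemon supplies `polkit`, `action` and `subject`).
function makeEngine(implicitDefault) {
  const rules = [];
  const polkit = {
    Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    addRule(fn) { rules.push(fn); },
  };
  // Rules run in order; the first result other than NOT_HANDLED wins.
  // If no rule handles the request, the action's own default applies.
  function check(actionId, user, groups) {
    const action = { id: actionId };
    const subject = { user, isInGroup: (g) => groups.includes(g) };
    for (const rule of rules) {
      const r = rule(action, subject);
      if (r && r !== polkit.Result.NOT_HANDLED) return r;
    }
    return implicitDefault;
  }
  return { polkit, check };
}

// Placeholder action id: the thread does not name the action Calamares uses.
const INSTALLER_ACTION = "org.example.installer.run";

// Same logic as the 50-live.rules file in the message above: every action.
function broadRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (subject.isInGroup("sudo")) return polkit.Result.YES;
    return polkit.Result.NOT_HANDLED;
  });
}

// Narrower variant: only the installer action, only the "live" user.
function scopedRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id === INSTALLER_ACTION && subject.user === "live") {
      return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
  });
}

// Install one rule set and ask for a decision; "auth_admin" is an assumed default.
function decide(installRule, actionId, user, groups) {
  const { polkit, check } = makeEngine("auth_admin");
  installRule(polkit);
  return check(actionId, user, groups);
}
console.log(decide(scopedRule, "org.example.other", "live", ["sudo"]));
```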

Roland Clobus

Jun 30, 2023, 10:20:05 AM
Hello Simon,

On 10/06/2023 19:14, Simon McVittie wrote:
> On Sat, 10 Jun 2023 at 15:10:35 +0100, Simon McVittie wrote:
>> * Boot debian-live-12.0.0-amd64-gnome.iso (the version used for
>> release-day testing)
>> - KDE has a similar issue with slightly different steps to start the
>> installer, probably all desktops' variants are affected
>
> GNOME, KDE and LXQT are affected.

I've proposed a fix for Calamares in #1025552, which is based on your
proposal in this ticket.
If it is accepted there, this ticket can be regarded as a duplicate.

With kind regards,
Roland Clobus

Simon McVittie

Jun 30, 2023, 3:10:05 PM
Bug #1037295 "live-config: starting Calamares installer requires a
password" is not a duplicate of #1025552 "calamares: dependency on
transitional policykit-1 package", they are two separate issues both
triggered by the new polkitd version in bookworm. The fix for #1025552
is to remove the transitional package policykit-1 from Build-Depends,
and replace it with polkitd.

The additional issue that you described in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025552#21 *is* the
same thing as bug #1037295, and you are correct to say that the solution
is to provide a JavaScript file configuring polkitd to allow the live
user to start Calamares without a password, but that's outside the scope
of #1025552.

I think it would be better to solve this in live-config rather
than in Calamares, by modifying components/1080-policykit
with polkitd configuration similar to what I suggested in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037295#10, because I
don't think we want installing the calamares package onto an ordinary
(non-live) system to give members of the sudo group the ability to
run it without a re-authentication prompt.

smcv

Roland Clobus

Jul 1, 2023, 4:20:05 PM
Hello Simon, Jonathan,

On 30/06/2023 21:05, Simon McVittie wrote:
...
> I think it would be better to solve this in live-config rather
> than in Calamares
...

Ah, I see now.
I agree that the fix should not be in the Calamares package, because it
would allow users of the sudo group access to Calamares without a
prompt in scenarios that are not live images.

I have been considering adding a fix to live-build, but the proper
location would indeed be live-config, which ensures that all
live-specific tweaks will disappear after installation of the live image.

Digging deeper:
policykit-1 is a transitional package for Bookworm, so I guess it will
be removed in Trixie.
I've found the virtual package 'polkit-1-auth-agent' which shows several
packages that would probably need to migrate first (e.g. lxpolkit,
ukui-polkit and possibly phosh, gnome-flashback, gnome-shell and
lxqt-policykit)
Also the script '1080-policykit' in 'live-config' generates a folder
'/etc/PolicyKit', which is old-style.

Which leaves:
* calamares should depend on 'pkexec' (which is explicitly called in the
  .desktop entry, and pulls in 'polkitd')
* No specific tweaking for polkit rules in calamares is required
* The script '1080-policykit' in 'live-config' needs to be updated and
  live-config be re-released -> MR at [1]
* For the live images in Bookworm, the 'live-config' package needs to
  be updated there as well.
* A test shows whether the update is working:
  - Go to https://openqa.debian.net/group_overview/14
  - Select the latest BuildXXXX_sid_kde image
  - If 'gnome_live-build-apps_startstop' shows 'kparted' as a failed
    test, the fix is not working/active

With kind regards,
Roland Clobus

[1] https://salsa.debian.org/live-team/live-config/-/merge_requests/13

Simon McVittie

Jul 2, 2023, 9:20:04 AM
On Sat, 01 Jul 2023 at 22:07:41 +0200, Roland Clobus wrote:
> policykit-1 is a transitional package for Bookworm, so I guess it will be
> removed in Trixie.

Yes. I already did a mass bug filing back in 2022, before bookworm:
https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-utopia-maintainers%40lists.alioth.debian.org&tag=policykit-1

> Also the script '1080-policykit' in 'live-config' generates a folder
> '/etc/PolicyKit', which is old-style.

Yes, I already mentioned this in
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037295#10>.

> * The script '1080-policykit' in 'live-config' needs to be updated and
> live-config be re-released -> MR at [1]
> [1] https://salsa.debian.org/live-team/live-config/-/merge_requests/13

That looks appropriate to me, thanks for providing it!

smcv