I've found that there appears to be a fundamental bug in policykit and
have added the upstream bug report covering it, which has been around
for several years but the developers don't seem able to come up with a
fix for.
Tests done using the Lubuntu 19.10 Live ISO (June 24th 2019 build) where
an additional user "test" is created with the same supplementary group
memberships as the "lubuntu" user. Both have passwords set so that these
tests can be done over SSH as well as at the console, or in the GUI.
The fact that "pkexec" itself is broken proves that lxqt nor the qt-
policykit code is at fault here.
test@lubuntu:~$ groups
test adm cdrom sudo dip plugdev lpadmin
$ sudo ls -l /root/
[sudo] password for test:
total 0
-rw-r--r-- 1 root root 0 Jun 26 23:35 file
test@lubuntu:~$ pkexec ls -l /root/
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/ls' as the super user
Multiple identities can be used for authentication:
1. Lubuntu2,,, (lubuntu)
2. Test3,,, (test)
Choose identity to authenticate as (1-2): 2
Password:
polkit-agent-helper-1: error response to PolicyKit daemon:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
lubuntu@lubuntu:~$ groups
lubuntu adm cdrom sudo dip plugdev lpadmin sambashare
lubuntu@lubuntu:~$ sudo ls -l /root/
total 0
-rw-r--r-- 1 root root 0 Jun 26 23:35 grep
lubuntu@lubuntu:~$ pkexec ls -l /root/
Error executing command as another user: Not authorized
This incident has been reported.
** Summary changed:
- lubuntu 19.04 QT interfaces not properly working where more then one sudoer
configured
+ policykit failures due to internal user id mismatch
** Changed in: lubuntu-meta (Ubuntu)
Status: In Progress => Invalid
** Changed in: lxqt-policykit (Ubuntu)
Status: Confirmed => Invalid
** Changed in: policykit-1 (Ubuntu)
Status: New => Confirmed
** Changed in: lubuntu-meta (Ubuntu)
Assignee: TJ (tj) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1828663
Title:
policykit failures due to internal user id mismatch
Status in PolicyKit:
Unknown
Status in lubuntu-meta package in Ubuntu:
Invalid
Status in lxqt-policykit package in Ubuntu:
Invalid
Status in policykit-1 package in Ubuntu:
Confirmed
Status in polkit-qt-1 package in Ubuntu:
New
Bug description:
After adding a second user to the sudo group any authentication in the
QT applications menu fails, till I manually remove the second user
from the sudo group by issuing deluser chiara sudo in terminal window.
Lubuntu 19.04
(fresh install, in italian)
1)open the preferences/LXQt settins/user and groups menu from the application
menu
2)add new user, before saving add it to sudo group; save (password asked for
user currently logged on, as expected - then new user password asked, user
created -all ok)
3)restart system
4) log in as newly created user; open the same interface preferences/LXQt
settins/user and groups; try changing the full name field (properties of your
own user): logged user password asked (and... why? User two is changing
himself)
5)popup showed: "Error executing command as another user: Not authorized" &
user unchanged.
6)if you exit session, reenter with the first user, also him is now unable to
use interface ti change users via interface
7)using terminal, delete second user from sudo group
8)restart system
9)athenticated interface working again.
It happened me both at home on a phisical laptop and on a virtual
machine at office, where I could do it all twice.
By the way, also plasma-discover tells me I haven't the right to
update/install when I have two sudoers (tried at home to remove second
sudoer to fix it, and it worked)
So it seems that the authentication mechanism of the QT graphical interface
fails when there are more then one sudoer on the system - but only for
applications started from the application menu.
Launching the same application via terminal (sudo plasma-discovery) works.
commands issued by the interface (which lead to "unauthorized" error:
--change user
pkexec --disable-internal-agent lxqt-admin-user-helper usermod -c marco
marcop
--plasma-discover
polkit-agent-helper-1 marcop
To manage notifications about this bug go to:
https://bugs.launchpad.net/policykit-1/+bug/1828663/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
