GNOME Bugzilla – Bug 651547
Authentication dialog only asks for the first administrator user's password - doesn't allow others
Last modified: 2012-03-03 02:58:34 UTC
I have three people I want to make admins. I've used the "My Account" area to make them admins and added them to the wheel group. But when I get the authorization from this step: [mcarter@liandra ~]$ epiphany bash: epiphany: command not found... Install package 'epiphany' to provide command 'epiphany'? [N/y] * Running.. * Resolving dependencies.. * Waiting for authentication.. The transaction failed: not-authorized, Failed to obtain authentication. It only asks for my authorization. How do I get it to list the other admins? I've asked on the gnome-shell list but all their suggestions don't seem to work.
I also have this problem. My user, which was created on install, is the one whose password is asked for when installing applications. My wife's account is also selected as "administrator" and we are part of the same groups (the users own group, and wheel) but she has to type my password when installing stuff. Not a big problem for us, but I don't think it's the expected behaviour :)
It effects more than just command line package kit. It's the same for installing printers, mounting drives, you name it. This is major for me as I have users off site. So I can't drive 1 1/2 half to start typing in passwords for the "admins". ;)
This would be a PolicyKit thing then.
Before I log a ticket with PolicyKit. The dialog is Gnome 3ish. Can the dialog handle multiple people as an admin or does PolicyKit specifically control that screen.
(In reply to comment #4) > Before I log a ticket with PolicyKit. No need to file a separate ticket, I CC'd davidz. > The dialog is Gnome 3ish. Can the > dialog handle multiple people as an admin or does PolicyKit specifically > control that screen. The dialog is in gnome-shell itself, but we delegate out to PolicyKit for all of the authorization stuff. http://git.gnome.org/browse/gnome-shell/tree/js/ui/polkitAuthenticationAgent.js
Here's the explanation: if (userNames.length > 1) { log('polkitAuthenticationAgent: Received ' + userNames.length + ' identities that can be used for authentication. Only ' + 'considering the first one.'); } David probably lacked time to implement support for several users (drop-down list widget...)
(In reply to comment #6) > Here's the explanation: > if (userNames.length > 1) { > log('polkitAuthenticationAgent: Received ' + userNames.length + > ' identities that can be used for authentication. Only ' + > 'considering the first one.'); > } > > David probably lacked time to implement support for several users (drop-down > list widget...) No, the designers didn't want a drop-down menu... Not even after I explained this would happen. Take it up with them...
So who do we take it up with?
With mccann on #gnome-shell. Well, maybe we don't need the drop-down menu. How about asking for the current user to authenticate if he has admin rights, and having a "Authenticate as administrator" button that would ask for root password? If the user doesn't have admin rights, then just ask for root password.
I think comment #9 sounds like a good solution. But maybe it should be "authenticate as other user" instead. Not all distributions use a root account, so that should probably be taken into account. Also, maybe I am "administrator", but I don't have the root password, should I not be able to help another non-administrator user to install software?
(In reply to comment #7) > No, the designers didn't want a drop-down menu... Not even after I explained > this would happen. Take it up with them... Can you remember what the reason was? Adding the ui-review keyword so we can get some more feedback.
What does it look like? I don't think we want a drop down but clearly the alternative isn't to show something that isn't sensible and blame the designers.
*** Bug 661831 has been marked as a duplicate of this bug. ***
David: Ping? As Jon said, the current behavior is really suboptimal. The current user should be selected if he has admin rights. Jon: Do you think we want to have a way to authenticate as another admin or as root in that dialog? For example, it could be an "authenticate as root" button.
I think asking the current user if they are an admin makes sense. I don't think it is desirable to authenticate as root here.
PolicyKit has a configuration where it asks for the root password, so we need to have that ability.
(In reply to comment #16) > PolicyKit has a configuration where it asks for the root password, so we need > to have that ability. I think it's already here. Some time ago, I had no admin account on the machine, and I was asked for the root password (with the Shell 3.0.x). (Or are you referring to something different? PK has the concept of auth_self and auth_admin, but they both ask for the user's password - it's just that in the latter, the user must be an admin.)
I'm referring to the context of this bug report. I think prompts should be direct and unambiguous. Especially in cases where you would want to change the prompting text. Something like: "Any of the following users can do what you asked to do but you can't. Are you actually any of the following users? If so, click the username in the menu and then answer the questions asked." doesn't sound good to me. The reason why asking for the admin/root password separately is different than letting the user select a different user to authenticate as is because the root user isn't a person. The fact that it is a user is really only an implementation detail to GNOME. We don't login as this user. We just use the knowledge of the password as a indication of a privilege.
We're having this problem, too. On our systems, we have about 10 users, most of whom are admins. For us the ideal behavior would be to ask for the current user's password if that user is an admin. Otherwise, it should give a list of other administrator users. I can't think of any other behavior that would make sense. We are stuck using XFCE because in GNOME 3 only one lucky user can start the Virtual Machine Manager.
If the dialog would just pick the current user instead of a random user, then it would work at least 80% of the time. Right now it's (100/n)% of the time, where n is the number of administrators.
Ok, so clarify what is being proposed as the desired behaviour for the dialog: - if the current user is an administrator, ask for his own password - otherwise, if root is allowed by the system configuration, ask for the root passord - never ask for the different users' password
(In reply to comment #21) > Ok, so clarify what is being proposed as the desired behaviour for the dialog: > > - if the current user is an administrator, ask for his own password > > - otherwise, if root is allowed by the system configuration, ask for the root > passord > > - never ask for the different users' password That probably works for 80% to 90% of users, which isn't as good as the GNOME 2 dialog, but it's 10 times better than what's there right now.
*** Bug 659310 has been marked as a duplicate of this bug. ***
I found the following patch which works for me: http://anti.teamidiot.de/nei/2011/10/gnome_3_authentication_require/
Created attachment 200644 [details] [review] polkitAuthenticationAgent: Re-do user choosing logic Ask for the user's own password and fall back to the root account if that isn't an option.
(In reply to comment #25) > Created an attachment (id=200644) [details] [review] > polkitAuthenticationAgent: Re-do user choosing logic This bug was intended for Google code-in, please remove the task from https://live.gnome.org/GoogleCodeIn/Tasks.
Whoops, sorry, I completely forgot about that. Task removed.
Review of attachment 200644 [details] [review]: ::: js/ui/polkitAuthenticationAgent.js @@ +95,3 @@ + if (idx < 0) { + userName = 'root'; + } Sorry but I don't think that works. If it does, it's more a coincidence / bug and it will probably stop working. Here's the thing: you may only choose to authenticate as one of the passed identities. It may or may not include root (because there may not even be a root password). Did you test the patch?
Could there be a case where we aren't passed either root or the current user? If so, what the hell should we do?
(In reply to comment #29) > Could there be a case where we aren't passed either root or the current user? > If so, what the hell should we do? In that case, it could give a list of all of the users that are returned. Oh, wait--that's what the GNOME 2 dialog did. :)
(In reply to comment #29) > Could there be a case where we aren't passed either root or the current user? Yes. More generally, see the "Administrator Authentication" section of the pklocalauthority man page. There's a copy of it here too http://hal.freedesktop.org/docs/polkit/pklocalauthority.8.html By default we ship /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf which means user 'root' will never appear in the identities_that_can_auth array in the default install even when there is a root password. This is on purpose because a long-term goal is to not have at minimum two passwords per system (the root password and the user password). In fact, if you look at it this way the whole "then ask for the root password" idea is deeply flawed in the first place. > If so, what the hell should we do? Ideally a way for the person in front of the console to choose? Or since the designers don't want that, just choose the first one for the user. (Think of his concrete example: family pc where only user 'mom' and 'user' dad are marked as admins and user 'johnny' is logged in and doing an action that requires a certain amount of privileges. But, anyway, I'm not going to argue here, I'm just trying to explain to people how the low-level stuff works and why they can't have unicorns etc etc.)
(In reply to comment #31) > > Ideally a way for the person in front of the console to choose? Or since the > designers don't want that, just choose the first one for the user. > > (Think of his concrete example: family pc where only user 'mom' and 'user' dad > are marked as admins and user 'johnny' is logged in and doing an action that > requires a certain amount of privileges. But, anyway, I'm not going to argue > here, I'm just trying to explain to people how the low-level stuff works and > why they can't have unicorns etc etc.) If 'johnny' is logged in, I can't think of _any_ reason that the system should randomly pick between 'mom' and 'dad'. It should allow the user to select between them. I know that GNOME is about form over function, but this seems obvious.
If current user have admin right, we should ask him authentication. If current user doesn't have admin right, then requesting a admin user is required. Either drop down (Not really good/secure in enterprise organisation), or asking for that user to be typed in. There is different use case. Home, Business. If in a business, software need to be installed, I would want my IT tech login to have the permissions (and logs), that his account was used to do it. But I wouldn't want to see a dropdown of all the admin in the organisation. In home situation, it will be mostly kid that have restricted account, so mom or dad login should be able to be used. So 99% of the case, the current user will be the user with admin right. So the form that ask for a username would be shown nearly never anyway, making designer happy. For the 1%, we still need to serve them a good solution, and prompting for login/password is the only solution. (What could be done is default to the last admin used for example, BUT have a button that allow to change the user... But I think just asking for the username is the best approche) Technically there is not much else you can really do. Not sure why discussion about this continue.
Created attachment 200719 [details] [review] polkit: Find the best user to authenticate as We prefer to ask the user for his own password. If PolicyKit is not configured to accept that, try the root password. If PolicyKit does not accept that either, ask for password of the first user that PolicyKit _will_ accept. The last case is a bit broken, but should rarely occur in real-life configurations.
Review of attachment 200719 [details] [review]: A bit of screwy indentation there.
Jon, since the patch above makes the behavior ideal for most cases, what do you think of adding a combo box so that, in cases where there are several admins and the current user is unprivileged, one of the admins can be chosen? This wouldn't affect most desktops and laptops, where the user is an admin, but would really improve the case when you have to select one of the admins, which is quite common e.g. in corporations. That's really a win-win change. Comment 32 and comment 33 explain it perfectly.
Created attachment 200807 [details] [review] polkit: Find the best user to authenticate as We prefer to ask the user for his own password. If PolicyKit is not configured to accept that, try the root password. If PolicyKit does not accept that either, ask for password of the first user that PolicyKit _will_ accept. The last case is a bit broken, but should rarely occur in real-life configurations.
*** Bug 664076 has been marked as a duplicate of this bug. ***
(In reply to comment #37) > Created an attachment (id=200807) [details] [review] > polkit: Find the best user to authenticate as > > We prefer to ask the user for his own password. If PolicyKit > is not configured to accept that, try the root password. If > PolicyKit does not accept that either, ask for password of > the first user that PolicyKit _will_ accept. The last case > is a bit broken, but should rarely occur in real-life > configurations. I tried this patch on top of gnome-shell 3.2.1 I use the following configuration: * 50-localauthority.conf [Configuration] AdminIdentities=unix-user:0 * 51-debian-sudo.conf [Configuration] AdminIdentities=unix-group:sudo The root account is enabled and has a valid pasword. I created a user foo and bar, and added them to group sudo. When logged in as foo, I'll be prompted for foo's password and vice versa. So far so good. If I remove both users from group sudo, I'll be prompted for the root password. If I'm logged in as foo though, and only remove foo from group sudo, I'm prompted for bar's password, but I would expect to be prompted for the root password (and this is what the commit message tells me).
Have you verified which users policykit actually lists in those cases ?
Hi Matthias, (In reply to comment #40) > Have you verified which users policykit actually lists in those cases ? what exactly do you want me to test?
The contents of userNames in the cases that don't work as expected. Might be easiest to add some log() output to the function.
If tested this now. What happens in your case is that polkit only gives us 'bar' as the user. The reason for that is that later localauthority.conf files override earlier ones, so in your configuration, only AdminIdentities=unix-group:sudo takes effect. When I change it to AdminIdentities=unix-group:sudo;unix-user:0 the behaviour is as you expected. Ie polkit reports both bar and root as possible users, and the shell chooses to display root.
(In reply to comment #43) > If tested this now. What happens in your case is that polkit only gives us > 'bar' as the user. The reason for that is that later localauthority.conf files > override earlier ones, so in your configuration, only > AdminIdentities=unix-group:sudo takes effect. When I change it to > > AdminIdentities=unix-group:sudo;unix-user:0 Reading pklocalauthority(8) again, it seems you are right. I thought that polkit would merge the entries from /etc/polkit-1/localauthority.conf.d/ and not override them. What's curious though, if only AdminIdentities=unix-group:sudo is supposed to take effect in my case, why am I prompted for the root password (i.e. AdminIdentities=unix-user:0) if the sudo group is empty? This is either a bug or at least inconsistent with what's documented. I also think, that overriding instead of merging the entries from localauthority.conf.d/ has the negative effect that you can't use something like 52-userA.conf [Configuration] AdminIdentities=unix-user:1001 53-userB.conf [Configuration] AdminIdentities=unix-user:1002 54-userC.conf [Configuration] AdminIdentities=unix-user:1003 But I guess I need to discuss that with davidz directly.
Created attachment 201638 [details] [review] polkit: Find the best user to authenticate as We prefer to ask the user for his own password. If PolicyKit is not configured to accept that, try the root password. If PolicyKit does not accept that either, ask for password of the first user that PolicyKit _will_ accept. The last case is a bit broken, but should rarely occur in real-life configurations.
Just fixed up formatting
Review of attachment 201638 [details] [review]: LGTM.
Could you consider pushing this to gnome-3-2 too? This bug can be highly problematic for some setups, and the fix is quite simple.
The following fix has been pushed: 55d6c5e polkit: Find the best user to authenticate as
Created attachment 201686 [details] [review] polkit: Find the best user to authenticate as We prefer to ask the user for his own password. If PolicyKit is not configured to accept that, try the root password. If PolicyKit does not accept that either, ask for password of the first user that PolicyKit _will_ accept. The last case is a bit broken, but should rarely occur in real-life configurations.