GNOME Bugzilla – Bug 786013
duplicate authentication prompts
Last modified: 2017-10-03 01:46:21 UTC
gvfs 1.33.90 from GNOME3 Staging PPA nautilus 3.24.2.1 Ubuntu 17.10 Alpha Test Case --------- $ pkill nautilus $ nautilus Browse to / Double-click on /root (which by default only root has read access to that directory) What Happens ------------ I get two authentication prompts. I expected to only get one. Once authenticated, things work as I expect. Test Case 2 ----------- Do Test Case 1, then… Create a text file in that folder that is restricted to only be readable by root. When I double-click on that text file to open with gedit, I also get two authentication prompts.
Thanks for testing of this feature. This is not intended of course, but I am not able to reproduce it on Fedora. Just to be sure, did you restart your laptop (or "pkill gvfs") after update? Can you please provide gvfsd debug log for the mentioned test cases?
Thank you for checking. I rebooted again but I still experience this issue. Here's the output of `journalctl -f` with the first Test Case --------------------------- dbus[909]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' systemd[1]: Starting Hostname Service... dbus[909]: [system] Successfully activated service 'org.freedesktop.hostname1' systemd[1]: Started Hostname Service. gnome-shell[1900]: clutter_actor_is_visible: assertion 'CLUTTER_IS_ACTOR (self)' failed polkit-agent-helper-1[4280]: pam_ecryptfs: pam_sm_authenticate: /home/jeremy is already mounted polkitd(authority=local)[1027]: Operator of unix-session:2 successfully authenticated as unix-user:jeremy to gain TEMPORARY authorization for action org.gtk.vfs.file-operations-helper for unix-process:4275:113723 [/bin/sh -c pkexec /usr/lib/gvfs/gvfsd-admin "$@" --address $DBUS_SESSION_BUS_ADDRESS gvfsd-admin --spawner :1.7 /org/gtk/gvfs/exec_spaw/4] (owned by unix-user:jeremy) pkexec[4276]: pam_unix(polkit-1:session): session opened for user root by (uid=1000) pkexec[4276]: jeremy: Executing command [USER=root] [TTY=unknown] [CWD=/home/jeremy] [COMMAND=/usr/lib/gvfs/gvfsd-admin --spawner :1.7 /org/gtk/gvfs/exec_spaw/4 --address unix:path=/run/user/1000/bus] gnome-shell[1900]: clutter_actor_is_visible: assertion 'CLUTTER_IS_ACTOR (self)' failed polkit-agent-helper-1[4289]: pam_ecryptfs: pam_sm_authenticate: /home/jeremy is already mounted polkitd(authority=local)[1027]: Operator of unix-session:2 successfully authenticated as unix-user:jeremy to gain TEMPORARY authorization for action org.gtk.vfs.file-operations for unix-process:4258:113058 [nautilus] (owned by unix-user:jeremy)
Please do the following: 1/ pkill nautilus; pkill gvfs; GVFS_DEBUG=1 $(find /usr/lib* -name gvfsd 2>/dev/null) >gvfsd.log 2>&1 2/ reproduce the issue 3/ pkill gvfs 4/ provide gvfsd.log
trash: Added new job source 0x55971f203890 (GVfsBackendTrash) trash: Queued new job 0x55971f204020 (GVfsJobMount) trash: send_reply(0x55971f204020), failed=0 () trash: backend_dbus_handler org.gtk.vfs.Mount:CreateFileMonitor (pid=11900) trash: Queued new job 0x55971f204380 (GVfsJobCreateMonitor) trash: send_reply(0x55971f204380), failed=0 () trash: backend_dbus_handler org.gtk.vfs.Mount:CreateFileMonitor (pid=11900) trash: Queued new job 0x55971f204380 (GVfsJobCreateMonitor) trash: send_reply(0x55971f204380), failed=0 () trash: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=11900) trash: Queued new job 0x55971f1f3b70 (GVfsJobQueryInfo) trash: send_reply(0x55971f1f3b70), failed=0 () trash: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=11900) trash: Queued new job 0x55971f1f3c10 (GVfsJobQueryInfo) trash: send_reply(0x55971f1f3c10), failed=0 () admin: Added new job source 0x561aa75789f0 (GVfsBackendAdmin) admin: Queued new job 0x561aa7589820 (GVfsJobMount) admin: client=:1.125 admin: send_reply(0x561aa7589820), failed=0 () admin: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=11900) admin: Queued new job 0x561aa7578ad0 (GVfsJobQueryInfo) admin: send_reply(0x561aa7578ad0), failed=0 () admin: backend_dbus_handler org.gtk.vfs.Mount:CreateDirectoryMonitor (pid=11900) admin: Queued new job 0x561aa7589ca0 (GVfsJobCreateMonitor) admin: send_reply(0x561aa7589ca0), failed=0 () admin: backend_dbus_handler org.gtk.vfs.Mount:QueryFilesystemInfo (pid=11900) admin: Queued new job 0x561aa7589820 (GVfsJobQueryFsInfo) admin: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=11900) admin: Queued new job 0x561aa7578c10 (GVfsJobQueryInfo) admin: send_reply(0x561aa7589820), failed=0 () admin: send_reply(0x561aa7578c10), failed=0 () admin: backend_dbus_handler org.gtk.vfs.Mount:CreateDirectoryMonitor (pid=11900) admin: Queued new job 0x7febb0002c60 (GVfsJobCreateMonitor) admin: send_reply(0x7febb0002c60), failed=0 () admin: backend_dbus_handler org.gtk.vfs.Mount:Enumerate (pid=11900) admin: Queued new job 0x561aa75870f0 (GVfsJobEnumerate) admin: send_reply(0x561aa75870f0), failed=0 ()
Thanks! I see only the latter polkitd request for nautilus, interesting, but I start getting a clue what might be wrong... pkexec cause the first auth prompt in order to spawn gvfsd-admin as root, second is needed for nautilus (or every other client) in order to access the data over the backend), consequent requests use already running gvfsd-admin, so it works correctly then... The org.freedesktop.policykit.exec.path annotation causes for me that authorization is not requested for gvfsd-admin: https://git.gnome.org/browse/gvfs/tree/daemon/org.gtk.vfs.file-operations.policy.in.in#n11 Do you see the correct gvfsd-admin path in /usr/share/polkit-1/actions/org.gtk.vfs.file-operations.policy ? From brief look in docs, maybe <allow_active>yes</allow_active> should be used for org.gtk.vfs.file-operations-helper action instead of <allow_active>auth_admin_keep</allow_active>... does it work to you if you change it (or you can try to change <allow_inactive> also)? But I am not polkit expert, need more time for going thru the docs. However, I suppose you should see same behavior also before 1.33.90... Cosimo, don't you know?
Setting allow_active to yes in that file worked. I now see just one authentication prompt for the first test case and one authentication prompt for the second test case.
On Debian and Ubuntu, /usr/share/polkit-1/rules.d/org.gtk.vfs.file-operations.rules is only installed to an examples folder. That change was made with this note: "for now we don't want the user to be able to modify files owned by root without entering any password even if they are part of the "sudo" group." (There is another patch to use "sudo" instead of "wheel" since that's the name for the default admin group on Debian-based systems.) I am cc-ing Laurent Bigonville who added that patch to our packaging.
Ah, yes, there is the .rules file, which does basically the same as setting allow_active to yes, but just for wheel/sudo users only... ...but it is not true that this allows users modify files without entering any password as noted by the Debian maintainer! It just allows to spawn the backend without the password, but then each client app needs to authorize anyway. I see that it might be potentially a security issue, but I don't see a better way how to handle this.
Thank you for your help on this issue. We have reverted the org.gtk.vfs.file-operations.rules change in Debian Testing (& Ubuntu 17.10) so I am closing this bug.