GNOME Bugzilla – Bug 766727
Boxes asks my password to run chmod as root
Last modified: 2016-05-25 15:43:58 UTC
Hello,
On my machine, for some reason one of the VM images in the system libvirt session has 600 mode. When I'm starting gnome-boxes, it immediately prompts me with a polkit dialog asking me for my password to run "/bin/chmod" as root.
The code is in the ensure_disks_readable() function:
    argv += "pkexec";
    argv += "chmod";
    argv += "a+r";
Tbh, I think it's a really bad idea. It might make our users think it's normal that some random applications are asking for privilege escalation. If we are doing this too much we'll end up like Windows users clicking OK when a random UAC dialog is popping up.
Also the dialog is not clear about what will happen; in gnome-shell it just says that it needs the password to run /bin/chmod as a privileged user, there is no context, nothing. Changing the mode of a file can have security implications.
Wouldn't it be better to have a proper description of why gnome-boxes needs these privileges and to only ask for them when the user really wants to import an image from the libvirt system session to the user one?
To be clear: the bug is that the authorization prompt needs a better message. Something like "Authentication is required to grant access to this box" would be a better prompt. Users don't know what chmod is anyway.
Well it should state that the privileges are going to be changed on the disk for one of the images. IMHO getting access != changing the mode of a file
Also, it should prompt for the new privileges only when the user is explicitly asking to import the images, not when the application starts
(In reply to Laurent Bigonville from comment #3)
> Also, it should prompt for the new privileges only when the user is
> explicitly asking to import the images, not when the application starts
This should probably be split in a different bug. At startup GtkBuilder instantiates Wizard which creates a WizardSource instance. WizardSource::construct calls update_libvirt_sytem_entry_visibility() which yield new LibvirtSystemImporter (). LibvirtSystemImporter() calls ensure_disks_readable() which in turn will call pkexec.
Ah, it's a fallout of bug#754500, where we decided to only show import option if there are importable VMs and hence the code to ensure readability of images was moved earlier. Gotta think about how to solve this w/o recreating bug#754500.
commit: a6e870ff8af634102f758c8319c8b120cd1a7591
system-importer: Ensure disk reability on import
Ensuring disk readability involves elevation of privileges so if we do that on startup, we end up launching a polkit dialog even if user never uses the option of libvirt system VMs. While we should still check for disk images before showing the option to import their VMs from system libvirt, it's best if we only ensure their reabibility when user explicitly asks for import.
reabibility ? :) Thanks! I'll have to try to backport this to the f24 package locally.
I should open a new bug for the description in the pk dialog?
(In reply to Christophe Fergeau from comment #7)
> reabibility ? :)
I'm still 3, didn't you know that. :)
> Thanks! I'll have to try to backport this to the f24 package locally.
Cool, I pushed it to gnome-3-20 branch already. I should do another micro release soon.
(In reply to Laurent Bigonville from comment #8)
> I should open a new bug for the description in the pk dialog?
Yes please.
(In reply to Zeeshan Ali (Khattak) from comment #9)
> (In reply to Laurent Bigonville from comment #8)
> > I should open a new bug for the description in the pk dialog?
>
> Yes please.
Actually, I'm not sure we can solve that. We just launch the pkexec command line and there is no option to tell it what to say to the user. I'm not even sure it's an issue now since the dialog is shown immediately after the user asked to import VMs.
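Added example, not part of the bug thread and not Boxes' own code (which is Vala): a Python sketch of the pattern the commit message describes, where the startup check stays unprivileged and `pkexec chmod a+r` runs only on an explicit import, and only for the images that need it. The `SystemImporter` class, the function names, the injected `can_read`/`run` hooks, the absolute-path check, the `--` separator and the sample paths are assumptions for illustration.

```python
import os
import subprocess


def unreadable_disks(disk_paths, can_read=lambda p: os.access(p, os.R_OK)):
    """Unprivileged check: which images can the current user not read?"""
    return [p for p in disk_paths if not can_read(p)]


def chmod_command(paths):
    """Build the pkexec argv for exactly the files that need it."""
    for p in paths:
        if not os.path.isabs(p):
            # Refuse anything that could resolve differently once run as root.
            raise ValueError("disk path must be absolute: %r" % p)
    # "--" ends chmod option parsing; redundant with the check above, kept as
    # defence in depth for a command that runs as root.
    return ["pkexec", "chmod", "a+r", "--", *paths]


class SystemImporter:
    """Hypothetical stand-in for the importer discussed in the thread."""

    def __init__(self, disk_paths, can_read=None, run=subprocess.call):
        self.disk_paths = list(disk_paths)
        self.can_read = can_read or (lambda p: os.access(p, os.R_OK))
        self.run = run

    def has_importable_vms(self):
        """Startup path: decides whether to show the import option.
        Never escalates, so no polkit dialog appears at launch."""
        return bool(self.disk_paths)

    def import_vms(self):
        """Explicit user action: only now fix permissions, only where needed."""
        pending = unreadable_disks(self.disk_paths, self.can_read)
        if pending and self.run(chmod_command(pending)) != 0:
            return False  # dialog dismissed, authorization denied, or chmod failed
        return True


if __name__ == "__main__":
    # Constructed sample paths; the runner only prints, nothing is executed.
    demo = SystemImporter(
        ["/var/lib/libvirt/images/a.qcow2", "/var/lib/libvirt/images/b.qcow2"],
        can_read=lambda p: p.endswith("b.qcow2"),
        run=lambda argv: print("would run:", argv) or 0,
    )
    print("show import option:", demo.has_importable_vms())
    print("import ok:", demo.import_vms())
```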