Ubuntu
policykit-1 package

PolkitAgentSession incorrectly handles multiline output (as observed with pam_vas)

Bug #1510824 reported by Dariusz Gadomski
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
PolicyKit
Fix Released
Medium
policykit-1 (Ubuntu)
Fix Released
Medium
Dariusz Gadomski
Trusty
Fix Released
Medium
Unassigned
Vivid
Fix Released
Medium
Unassigned
Wily
Fix Released
Medium
Unassigned

Bug Description

[Impact]

 * Some PAM modules produce output of more than 1 line (e.g. PAM_TEXT_INFO may contain newlines in the message content). Polkit authentication agent is prepared to receive only single-line messages so it treats each line as a separate message. It fails to recognize the type of message for all of them except the first - hence failed authorization even if it was successful on the PAM-level.

 * The PAM specification does not require the modules to send only single-line messages. Thus, polkit needs to be fixed.

* The helper component should escape (g_strescape) all messages before sending it up to the authentication agent. This way everything will be read as a single line and then unescaped to restore it's formatting with no changes required in PAM modules.

[Test Case]

 * Use a pam module that returns a multi-line PAM_TEXT_INFO message on successful authentication (may require to artificially modify a pam module).

 * Perform a polkit authorization with e.g. pkexec ls

 * Correct authorization should end with a failure with an unrecognized PAM message

[Regression Potential]

 * Fix makes advantage of the fact that polkit authentication agent already un-escapess (g_strcompress) all input from the helper component.

* Fix is a backport of an upstream change.

[Other Info]

 * Original bug description:

There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication).

Steps to reproduce:
1. Configure pam_vas client authenticating to a remote server.
2. Perform authentication to cache the credentials.
3. Disconnect from the network where the server is reachable (to force using cached information).
4. Perform an action requiring polkit authentication.

Expected result:
Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Actual result:
Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Probable cause:
The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output:
PAM_TEXT_INFO You have logged in using cached account information. Some network services
will be unavailable.

The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: policykit-1 0.105-4ubuntu2.14.04.1
ProcVersionSignature: Ubuntu 3.16.0-52.71~14.04.1-generic 3.16.7-ckt18
Uname: Linux 3.16.0-52-generic x86_64
NonfreeKernelModules: nvidia zfs zunicode zcommon znvpair zavl
ApportVersion: 2.14.1-0ubuntu3.18
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Oct 28 09:01:37 2015
InstallationDate: Installed on 2015-04-13 (197 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
SourcePackage: policykit-1
UpgradeStatus: No upgrade log present (probably fresh install)

See original description
Revision history for this message
Dariusz Gadomski (dgadomski) wrote :
Dariusz Gadomski (dgadomski)
Changed in policykit-1 (Ubuntu):
assignee: nobody → Dariusz Gadomski (dgadomski)
Dariusz Gadomski (dgadomski)
description: updated
Dariusz Gadomski (dgadomski)
summary: - PolkitAgentSession ignores multiline output (with pam_vas)
+ PolkitAgentSession incorrectly handles multiline output (with pam_vas)
description: updated
summary: - PolkitAgentSession incorrectly handles multiline output (with pam_vas)
+ PolkitAgentSession incorrectly handles multiline output (as observed
+ with pam_vas)
Revision history for this message
In , Dariusz Gadomski (dgadomski) wrote :

There is an error observed when Ubuntu is configured to perform authentication via pam_vas (Vintela Authentication Services by Dell) in a disconnected mode (using cached authentication).

Steps to reproduce:
1. Configure pam_vas client authenticating to a remote server.
2. Perform authentication to cache the credentials.
3. Disconnect from the network where the server is reachable (to force using cached information).
4. Perform an action requiring polkit authentication.

Expected result:
Authentication succeeds accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Actual result:
Authentication fails accompanied by the following message "You have logged in using cached account information. Some network services will be unavailable".

Probable cause:
The PolkitAgentSession part of polkit is designed to interpret only 1-line output, while interaction with pam_vas in the above scenario triggers helper to produce the following 2-line output:
PAM_TEXT_INFO You have logged in using cached account information. Some network services
will be unavailable.

The 'will be unavailable.' part is interpreted as an unknown message and causes failed authorization.

Revision history for this message
In , Dariusz Gadomski (dgadomski) wrote :

Created attachment 119534
Tested patch fixing the issue

Revision history for this message
In , Miloslav Trmac (mitr-redhat) wrote :

Thanks for the patch.

Yes, this is the correct thing to do (polkitagentsession.c:io_watch_have_data is always calling g_strcompress()).

Having the same newline handling and escaping code in three places seems too ugly and unnecessary, though. Would you be willing to update the patch so that polkitagenthelper-pam.c uses the send_to_helper function throughout (modified to do the escaping as necessary), or at least to test such an updated patch?

Bug Watch Updater (bug-watch-updater)
Changed in policykit-1:
importance: Unknown → Medium
status: Unknown → Incomplete
Revision history for this message
In , Dariusz Gadomski (dgadomski) wrote :

Miroslav, thanks for taking a look.

Sure, I can improve the patch. I'll attach the new version as soon as it's done.

Revision history for this message
In , Dariusz Gadomski (dgadomski) wrote :

Created attachment 119643
Refactoring to use send_to_helper

I have refactored the code to make use of send_to_helper instead of duplicating the code.

I've chosen to apply it on top of the previous change to keep 2 different actions (escaping PAM_TEXT_INFO and refactoring) on the same step.

I have done sanity testing to make sure everything works as expected.

Revision history for this message
In , Dariusz Gadomski (dgadomski) wrote :

Typo, what I've meant in the above comment is that I wanted to avoid doing 2 different actions in the same commit.

Bug Watch Updater (bug-watch-updater)
Changed in policykit-1:
status: Incomplete → Confirmed
Revision history for this message
In , Dariusz Gadomski (dgadomski) wrote :

Created attachment 119702
Refactoring to use send_to_helper

Revision history for this message
In , Miloslav Trmac (mitr-redhat) wrote :

Perfect. Committed, thank you!

Bug Watch Updater (bug-watch-updater)
Changed in policykit-1:
status: Confirmed → Fix Released
Dariusz Gadomski (dgadomski)
description: updated
description: updated
Revision history for this message
Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for Xenial.

Revision history for this message
Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for wily.

Revision history for this message
Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for vivid.

Revision history for this message
Dariusz Gadomski (dgadomski) wrote :

Added SRU proposal for trusty.

Mathew Hodson (mhodson)
Changed in policykit-1 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Vivid):
status: New → Triaged
importance: Undecided → Medium
Changed in policykit-1 (Ubuntu Wily):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Martin Pitt (pitti) wrote :

Daniel uploaded the SRUs already. I'm committing the fix to Debian so that for xenial we can stay in sync.

Thanks Dariusz!

Removing sponsor subscription.

Changed in policykit-1 (Ubuntu Trusty):
status: Triaged → In Progress
Changed in policykit-1 (Ubuntu Vivid):
status: Triaged → In Progress
Changed in policykit-1 (Ubuntu Wily):
status: Triaged → In Progress
Martin Pitt (pitti)
Changed in policykit-1 (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-13ubuntu1

---------------
policykit-1 (0.105-13ubuntu1) xenial; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 14:44:23 +0100

Changed in policykit-1 (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Chris J Arges (arges) wrote : Please test proposed package

Hello Dariusz, or anyone else affected,

Accepted policykit-1 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/policykit-1/0.105-4ubuntu3.14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in policykit-1 (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in policykit-1 (Ubuntu Vivid):
status: In Progress → Fix Committed
Revision history for this message
Chris J Arges (arges) wrote :

Hello Dariusz, or anyone else affected,

Accepted policykit-1 into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/policykit-1/0.105-8ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in policykit-1 (Ubuntu Wily):
status: In Progress → Fix Committed
Revision history for this message
Chris J Arges (arges) wrote :

Hello Dariusz, or anyone else affected,

Accepted policykit-1 into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/policykit-1/0.105-11ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Istvan (bergkatten) wrote :

 Hi,

I can confirm this works on trusty with pam authenticating with QAS4 in offline mode.

Cheers,
/István

Martin Pitt (pitti)
tags: added: verification-done-trusty
Revision history for this message
Dariusz Gadomski (dgadomski) wrote :

I have prepared a 'broken' pam_unix version printing a multiline text info if it detects the PAM_SERVICE name is polkit-1.
This allows to reproduce the issue and verify the fix.

I've made this broken version available for Vivid and Wily in ppa:dgadomski/lp1510824 and performed the verification for those releases.

In both cases the fix solves the problem and I haven't observed any regressions. Updating tags.

tags: added: verification-done
removed: verification-done-trusty verification-needed
Revision history for this message
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for policykit-1 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-8ubuntu5

---------------
policykit-1 (0.105-8ubuntu5) vivid; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 15:30:03 +0100

Changed in policykit-1 (Ubuntu Vivid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-11ubuntu3

---------------
policykit-1 (0.105-11ubuntu3) wily; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 15:24:53 +0100

Changed in policykit-1 (Ubuntu Wily):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-1 - 0.105-4ubuntu3.14.04.1

---------------
policykit-1 (0.105-4ubuntu3.14.04.1) trusty; urgency=medium

  * Fix handling of multi-line helper output. (LP: #1510824)

 -- Dariusz Gadomski <email address hidden> Fri, 20 Nov 2015 15:36:30 +0100

Changed in policykit-1 (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.