Package: libpolkit-backend-1-0
Version: 0.105-8
Severity: important

Dear Maintainer,

I am trying to fine-tune the polkit policies on one system I am running. In particular, I'd like to not give that system's only user sudo privileges, but still want the automatic software upgrades performed through packagekit to Just Work (TM). However, no matter what I tried, I seem unable to convince polkit to allow system upgrades for all locally logged-in users.

Here's what I did:

# cat /etc/polkit-1/rules.d/99-local-upgrade.rules
polkit.addRule(function(action, subject) {
    polkit.log("DEBUG addRule: action=" + action);
    if ((action.id == "org.freedesktop.packagekit.upgrade-system" ||
         action.id == "org.freedesktop.packagekit.system-update" ||
         action.id == "org.freedesktop.packagekit.trigger-offline-update") &&
        subject.active == true && subject.local == true) {
        return polkit.Result.YES;
    }
});

I added the polkit.log only to check if the file has any effect at all. The ID I figured out by grepping /usr/share/polkit-1/actions for the strings displayed in the UI when I was asked to authenticate this action manually. But even if the IDs are wrong, I should at least see the debug output.

Now I want to test the rule:

$ pkcheck --action-id org.freedesktop.packagekit.system-update --process $(pidof konsole) -u USER
polkit\56retains_authorization_after_challenge=true
Not authorized.

The "-u" option is not documented in the manpage, but when I omit it, pkcheck insists I add it again.

The only message in the log is

Jan 30 15:02:30 HOST polkitd(authority=local)[1129]: Operator of unix-session:1 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.system-update for unix-process:740:3994 [/usr/bin/konsole] (owned by unix-user:USER)

Well, at least I got the ID right. But no message from my own rule.

I then tried adding a syntax error to the file, nothing happened. I rebooted the system to make sure the new file is loaded, nothing happened. I moved the file to /usr/share/polkit-1/rules.d, nothing happened.
It almost seems as if polkit just entirely ignores all the rules.d files.

I tried to figure out whether Debian is special here compared to other distros (according to many docs I found, what I did above *should* work on Fedora and Arch), without any success. I also looked for local documentation in /usr/share/doc/libpolkit-backend-1-0, nothing. I am pretty much lost now. For now, I guess this system will not get security updates.

The only explanation I still have for this behavior is that there's a bug in polkit which makes it ignore rules.d, hence this report. Any help would be appreciated.

Kind regards,
Ralf

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpolkit-backend-1-0 depends on:
iu  libc6                  2.19-18+deb8u2
ii  libexpat1              2.1.0-6+deb8u1
ii  libglib2.0-0           2.42.1-1
ii  libpolkit-gobject-1-0  0.105-8
ii  libsystemd0            215-17+deb8u2
ii  multiarch-support      2.19-18+deb8u1

libpolkit-backend-1-0 recommends no packages.

libpolkit-backend-1-0 suggests no packages.

-- no debconf information