Systemd: 255
Polkit: 123
Wiped root
Pacman installed: systemd polkit nano grep less
$ sudo systemd-nspawn --directory="<pathToFreshRoot>" --boot --capability=all --network-namespace-path=/run/netns/crud
As userW in "wheel" group.
Fail: Untouched
Dec 31 14:07:10 containerName dbus-daemon[56]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by ':1.13' (uid=0 pid=100 comm="pkexec /usr/bin/pk-example-frobnicate")
Dec 31 14:07:10 containerName systemd[1]: Starting Authorization Manager...
Dec 31 14:07:10 containerName polkitd[104]: Started polkitd version 123
Dec 31 14:07:10 containerName polkitd[104]: Loading rules from directory /etc/polkit-1/rules.d
Dec 31 14:07:10 containerName polkitd[104]: Loading rules from directory /usr/share/polkit-1/rules.d
Dec 31 14:07:10 containerName polkitd[104]: Finished loading, compiling and executing 2 rules
Dec 31 14:07:10 containerName dbus-daemon[56]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Dec 31 14:07:10 containerName systemd[1]: Started Authorization Manager.
Dec 31 14:07:10 containerName polkitd[104]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Dec 31 14:07:10 containerName pkexec[100]: userNameW: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Fail: Set debugging and logging (redoing from here since I messed something up)
Dec 31 14:34:26 containerName systemd[1]: Starting Authorization Manager...
Dec 31 14:34:26 containerName polkitd[339]: Started polkitd version 123
Dec 31 14:34:26 containerName polkitd[339]: Loading rules from directory /etc/polkit-1/rules.d
Dec 31 14:34:26 containerName polkitd[339]: 14:34:26.547: Loading rules from directory /etc/polkit-1/rules.d
Dec 31 14:34:26 containerName polkitd[339]: 14:34:26.549: Loading rules from directory /usr/share/polkit-1/rules.d
Dec 31 14:34:26 containerName polkitd[339]: Loading rules from directory /usr/share/polkit-1/rules.d
Dec 31 14:34:26 containerName polkitd[339]: Finished loading, compiling and executing 3 rules
Dec 31 14:34:26 containerName polkitd[339]: 14:34:26.549: Finished loading, compiling and executing 3 rules
Dec 31 14:34:26 containerName polkitd[339]: Entering main event loop
Dec 31 14:34:26 containerName polkitd[339]: Connected to the system bus
Dec 31 14:34:26 containerName systemd[1]: Started Authorization Manager.
Dec 31 14:34:26 containerName polkitd[339]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Dec 31 14:34:26 containerName polkitd[339]: 14:34:26.550: Acquired the name org.freedesktop.PolicyKit1 on the system bus
implicit any: no
implicit inactive: no
implicit active: auth_admin_keep
-->
Success:
implicit any: yes
implicit inactive: yes
implicit active: yes
Dec 31 14:37:39 containerName polkitd[362]: testAction=[Action id='org.freedesktop.policykit.example.pkexec.run-frobnicate' cmdline_short='/usr/bin/pk-example-frobnicate' program='/usr/bin/pk-example-frobnicate' user.display='root' command_line='/usr/bin/pk-example-frobnicate' user='root' polkit.gettext_domain='polkit-1' user.gecos='']
Dec 31 14:37:39 containerName polkitd[362]: testSubject=[Subject pid=93 user='userW' groups=userW,root,wheel seat=null session='689' local=false active=true]
Dec 31 14:37:40 containerName pkexec[371]: pam_unix(polkit-1:session): session opened for user root(uid=0) by userW(uid=1000)
Dec 31 14:37:40 containerName pkexec[371]: userW: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Fail:
implicit any: auth_self
implicit inactive: yes
implicit active: yes
Dec 31 14:39:46 containerName polkitd[382]: testAction=[Action id='org.freedesktop.policykit.example.pkexec.run-frobnicate' cmdline_short='/usr/bin/pk-example-frobnicate' program='/usr/bin/pk-example-frobnicate' user.display='root' command_line='/usr/bin/pk-example-frobnicate' user='root' polkit.gettext_domain='polkit-1' user.gecos='']
Dec 31 14:39:46 containerName polkitd[382]: testSubject=[Subject pid=93 user='userW' groups=userW,root,wheel seat=null session='689' local=false active=true]
Dec 31 14:39:46 containerName polkitd[382]: Registered Authentication Agent for unix-process:93:137870414 (system bus name :1.40 [pkexec /usr/bin/pk-example-frobnicate], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:39:46 containerName polkitd[382]: 14:39:46.499: Registered Authentication Agent for unix-process:93:137870414 (system bus name :1.40 [pkexec /usr/bin/pk-example-frobnicate], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:39:46 containerName polkitd[382]: testAction=[Action id='org.freedesktop.policykit.example.pkexec.run-frobnicate' cmdline_short='/usr/bin/pk-example-frobnicate' program='/usr/bin/pk-example-frobnicate' user.display='root' command_line='/usr/bin/pk-example-frobnicate' user='root' polkit.gettext_domain='polkit-1' user.gecos='']
Dec 31 14:39:46 containerName polkitd[382]: testSubject=[Subject pid=93 user='userW' groups=userW,root,wheel seat=null session='689' local=false active=true]
Dec 31 14:39:46 containerName polkitd[382]: Invalid locale 'en_US.UTF-8'
Dec 31 14:39:46 containerName dbus-daemon[56]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.41' (uid=0 pid=398 comm="/usr/lib/polkit-1/polkit-agent-helper-1 userW")
Dec 31 14:39:46 containerName dbus-daemon[56]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Dec 31 14:39:53 containerName polkitd[382]: Operator of unix-process:93:137870414 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:93:137870414 [-bash] (owned by unix-user:userW)
Dec 31 14:39:53 containerName polkitd[382]: 14:39:53.396: Operator of unix-process:93:137870414 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:93:137870414 [-bash] (owned by unix-user:userW)
Dec 31 14:39:53 containerName pkexec[391]: userW: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 31 14:39:53 containerName polkitd[382]: Unregistered Authentication Agent for unix-process:93:137870414 (system bus name :1.40, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:39:53 containerName polkitd[382]: 14:39:53.399: Unregistered Authentication Agent for unix-process:93:137870414 (system bus name :1.40, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
implicit any: auth_admin
implicit inactive: yes
implicit active: yes
==== AUTHENTICATING FOR org.freedesktop.policykit.example.pkexec.run-frobnicate ====
Authentication is required to run the polkit example program Frobnicate (user=root, user.gecos=, user.display=root, program=/usr/bin/pk-example-frobnicate, command_line=/usr/bin/pk-example-frobnicate)
Authenticating as: userW
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized
vvvvvvvvvvv
Dec 31 14:30:48 containerName polkitd[261]: Operator of unix-process:93:137870414 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:93:137870414 [-bash] (owned by unix-user:userW)
Dec 31 14:30:48 containerName pkexec[271]: userW: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 31 14:30:48 containerName polkitd[261]: Unregistered Authentication Agent for unix-process:93:137870414 (system bus name :1.32, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Groups:
root:x:0:root,userW
...
wheel:x:998:userW
...
userW:x:1000:
userB:x:1001:
As userB not in any group.
Dec 31 14:43:13 containerName polkitd[382]: testAction=[Action id='org.freedesktop.policykit.example.pkexec.run-frobnicate' cmdline_short='/usr/bin/pk-example-frobnicate' program='/usr/bin/pk-example-frobnicate' user.display='root' command_line='/usr/bin/pk-example-frobnicate' user='root' polkit.gettext_domain='polkit-1' user.gecos='']
Dec 31 14:43:13 containerName polkitd[382]: testSubject=[Subject pid=421 user='userB' groups=userB seat=null session='691' local=false active=true]
Dec 31 14:43:13 containerName polkitd[382]: Registered Authentication Agent for unix-process:421:138086551 (system bus name :1.49 [pkexec /usr/bin/pk-example-frobnicate], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:43:13 containerName polkitd[382]: 14:43:13.537: Registered Authentication Agent for unix-process:421:138086551 (system bus name :1.49 [pkexec /usr/bin/pk-example-frobnicate], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:43:13 containerName polkitd[382]: testAction=[Action id='org.freedesktop.policykit.example.pkexec.run-frobnicate' cmdline_short='/usr/bin/pk-example-frobnicate' program='/usr/bin/pk-example-frobnicate' user.display='root' command_line='/usr/bin/pk-example-frobnicate' user='root' polkit.gettext_domain='polkit-1' user.gecos='']
Dec 31 14:43:13 containerName polkitd[382]: testSubject=[Subject pid=421 user='userB' groups=userB seat=null session='691' local=false active=true]
Dec 31 14:43:13 containerName polkitd[382]: Invalid locale 'en_US.UTF-8'
Dec 31 14:43:13 containerName dbus-daemon[56]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.50' (uid=0 pid=432 comm="/usr/lib/polkit-1/polkit-agent-helper-1 userB")
Dec 31 14:43:13 containerName dbus-daemon[56]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Dec 31 14:43:19 containerName polkitd[382]: Operator of unix-process:421:138086551 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:421:138086551 [-bash] (owned by unix-user:userB)
Dec 31 14:43:19 containerName polkitd[382]: 14:43:19.939: Operator of unix-process:421:138086551 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:421:138086551 [-bash] (owned by unix-user:userB)
Dec 31 14:43:19 containerName pkexec[425]: userB: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 31 14:43:19 containerName polkitd[382]: Unregistered Authentication Agent for unix-process:421:138086551 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:43:19 containerName polkitd[382]: 14:43:19.941: Unregistered Authentication Agent for unix-process:421:138086551 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
implicit any: auth_admin
implicit inactive: yes
implicit active: yes
Dec 31 14:45:05 containerName polkitd[442]: testAction=[Action id='org.freedesktop.policykit.example.pkexec.run-frobnicate' cmdline_short='/usr/bin/pk-example-frobnicate' program='/usr/bin/pk-example-frobnicate' user.display='root' command_line='/usr/bin/pk-example-frobnicate' user='root' polkit.gettext_domain='polkit-1' user.gecos='']
Dec 31 14:45:05 containerName polkitd[442]: testSubject=[Subject pid=421 user='userB' groups=userB seat=null session='691' local=false active=true]
Dec 31 14:45:05 containerName polkitd[442]: Registered Authentication Agent for unix-process:421:138086551 (system bus name :1.53 [pkexec /usr/bin/pk-example-frobnicate], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:45:05 containerName polkitd[442]: 14:45:05.648: Registered Authentication Agent for unix-process:421:138086551 (system bus name :1.53 [pkexec /usr/bin/pk-example-frobnicate], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:45:05 containerName polkitd[442]: testAction=[Action id='org.freedesktop.policykit.example.pkexec.run-frobnicate' cmdline_short='/usr/bin/pk-example-frobnicate' program='/usr/bin/pk-example-frobnicate' user.display='root' command_line='/usr/bin/pk-example-frobnicate' user='root' polkit.gettext_domain='polkit-1' user.gecos='']
Dec 31 14:45:05 containerName polkitd[442]: testSubject=[Subject pid=421 user='userB' groups=userB seat=null session='691' local=false active=true]
Dec 31 14:45:05 containerName polkitd[442]: Invalid locale 'en_US.UTF-8'
Dec 31 14:45:05 containerName dbus-daemon[56]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.54' (uid=0 pid=459 comm="/usr/lib/polkit-1/polkit-agent-helper-1 userW")
Dec 31 14:45:05 containerName dbus-daemon[56]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Dec 31 14:45:15 containerName polkitd[442]: Operator of unix-process:421:138086551 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:421:138086551 [-bash] (owned by unix-user:userB)
Dec 31 14:45:15 containerName polkitd[442]: 14:45:15.334: Operator of unix-process:421:138086551 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:421:138086551 [-bash] (owned by unix-user:userB)
Dec 31 14:45:15 containerName pkexec[451]: userB: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 31 14:45:15 containerName polkitd[442]: Unregistered Authentication Agent for unix-process:421:138086551 (system bus name :1.53, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:45:15 containerName polkitd[442]: 14:45:15.337: Unregistered Authentication Agent for unix-process:421:138086551 (system bus name :1.53, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
2 findings I've noticed:
1) "local=false", though loginctl shows:
...
Remote=no
...
Active=yes
State=active
...
2) "Invalid locale 'en_US.UTF-8'". Red herring?
EDIT0: Follow Seth's link to show the use of the pkttyagent.
Last edited by vindicator (2023-12-31 21:33:09)
Offline
localectl
locale -a
locale
But that's most likely not the problem.
You want a https://wiki.archlinux.org/title/Polkit … ion_agents
Using the pkexec internal "agent" is possible but convoluted/buggy/dumb: https://bbs.archlinux.org/viewtopic.php … 5#p2028455
Offline
AGH! Yeah, I had seen that already a couple of days ago (except for that forum link of yours) and had tried it.
In any case, that "worked", but I'll experiment more with the bus aspect of it and whatnot because that isn't all that nice to have a console dedicated for the listener.
I already see the .service file for the kde GUI variant. With that PID, I'll be curious to see if that's something that can work from container->host (host running the agent). Thanks.
Offline
You'll end up developing your own polkit agent (I assume).
If you've no GUI, you could use tmux, horizontally split the terminal and use 3 rows for pkttyagent.
Offline
I'll be sure to keep tmux in mind.
I took another look at the pkexec man and saw:
if no authentication agent is available, then pkexec will register its own textual authentication agent
That leads me to think that it ought to have worked without using pkttyagent. Bug to report, you think?
Offline
Yes - that thing has been broken since ever: https://gitlab.freedesktop.org/polkit/p … /issues/19
Offline
Oh dear gawd! 10 year old open issue??? Looks to be unrelated though and I may want to go ahead and file this as a bug as well.
...run a command that takes some time to execute...
pk-example-frobnicate isn't a long-running program.
That is disappointing though since it was sounding to be the better/future "sudo".
Offline
Pretty sure it's the same issue.
The internal agent does start, you get asked for a password (at least I do), but the communication between pkexec and pkttyagent is broken.
Otoh, starting pkttyagent beforehand allows pkexec to connect to it.
Unfortunately, this requires two ttys; running pkttyagent in the background will stop it and you're just getting an error from pkexec because it cannot register its own agent.
https://imgs.xkcd.com/comics/standards.png
There's also doas...
Offline
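A triage helper for the journal output in this thread, added here as an example and not code from any poster or from polkit: it separates the three pkexec outcomes seen in the first post's logs (authorized, denied with no authentication attempt, and authentication failed after pkexec registered its own agent, the case the last reply describes). The function name `classify`, the verdict strings and the choice of sample lines are assumptions; the sample lines themselves are copied from the logs quoted above.

```python
import re

# polkitd logs some events twice (once with an "HH:MM:SS.mmm:" prefix);
# these patterns only match the unprefixed copy so events are counted once.
AGENT = re.compile(r"polkitd\[\d+\]: Registered Authentication Agent for "
                   r"(unix-process:\d+:\d+) \(system bus name \S+ \[(\S+)")
FAILED = re.compile(r"polkitd\[\d+\]: Operator of (unix-process:\d+:\d+) FAILED "
                    r"to authenticate .* \(owned by unix-user:(\w+)\)")
PKEXEC = re.compile(r"pkexec\[\d+\]: (\w+): (Executing command|Error executing "
                    r"command as another user: Not authorized) .*\[COMMAND=([^\]]+)\]")

# Constructed sample: a selection of journal lines quoted in the first post.
SAMPLE = """\
Dec 31 14:07:10 containerName pkexec[100]: userNameW: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 31 14:37:40 containerName pkexec[371]: userW: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
Dec 31 14:39:46 containerName polkitd[382]: Registered Authentication Agent for unix-process:93:137870414 (system bus name :1.40 [pkexec /usr/bin/pk-example-frobnicate], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 31 14:39:53 containerName polkitd[382]: Operator of unix-process:93:137870414 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:93:137870414 [-bash] (owned by unix-user:userW)
Dec 31 14:39:53 containerName polkitd[382]: 14:39:53.396: Operator of unix-process:93:137870414 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.example.pkexec.run-frobnicate for unix-process:93:137870414 [-bash] (owned by unix-user:userW)
Dec 31 14:39:53 containerName pkexec[391]: userW: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/usr/bin/pk-example-frobnicate]
"""

def classify(journal):
    """Return (user, command, verdict) for every pkexec outcome in the journal text."""
    agents = {}   # subject id -> program that registered the authentication agent
    failed = {}   # user -> agent program whose authentication attempt failed
    results = []
    for line in journal.splitlines():
        if m := AGENT.search(line):
            agents[m.group(1)] = m.group(2)
        elif m := FAILED.search(line):
            failed[m.group(2)] = agents.get(m.group(1), "unknown")
        elif m := PKEXEC.search(line):
            user, outcome, command = m.groups()
            if outcome == "Executing command":
                verdict = "authorized"
            elif user in failed:
                # polkitd logs the failed attempt just before pkexec gives up
                verdict = f"auth-failed via {failed.pop(user)} agent"
            else:
                verdict = "denied without an authentication attempt"
            results.append((user, command, verdict))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row, sep=" | ")
```

A verdict of "auth-failed via pkexec agent" means the agent was registered by pkexec itself; an agent started separately would be reported under its own program name taken from the same bracketed field.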