Arch Linux

Mario156090

Member

Registered: 2018-12-04

Posts: 63

Problem using google authenticator and pkexec from polkit.

Hello, I am using google authenticator package getting from Arch repo. My config works perfectly for sudo, su and another binaries but fail when I use pkexec.

I remember this work one year ago but after a update the config never works.

This is my polkit pam config file.

     /var/lib/google-authenticator  cat /etc/pam.d/polkit-1                                                                         ✔  2m 29s    04:14:08 PM   
#%PAM-1.0
auth       required     pam_google_authenticator.so
#auth      required     pam_google_authenticator.so secret=/tmp/${USER}/
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

     /var/lib/google-authenticator      

And when I tried to use this my journal gets this:

jun 12 16:15:22 msi-arch polkit-kde-authentication-agent-1[1575]: Initiating authentication
jun 12 16:15:22 msi-arch polkit-kde-authentication-agent-1[1575]: Action description has been found
jun 12 16:15:22 msi-arch polkit-kde-authentication-agent-1[1575]: qrc:/qml/QuickAuthDialog.qml:57:5: QML Shortcut: Shortcut: Only binding to one of multiple key bindings associated with 70. Use 'sequences: [ <key> ]' to bind to all of them.
jun 12 16:15:22 msi-arch polkit-kde-authentication-agent-1[1575]: User:  "unix-user:mario"
jun 12 16:15:22 msi-arch polkit-kde-authentication-agent-1[1575]: Trying again
jun 12 16:15:22 msi-arch systemd[1]: Starting Authorization Manager Agent Helper (PID 1575/UID 1000)...
jun 12 16:15:22 msi-arch polkit-1(pam_google_auth)[92291]: Failed to read "/home/mario/.google_authenticator" for "mario": Permission denied
jun 12 16:15:22 msi-arch polkit-kde-authentication-agent-1[1575]: REQUEST
jun 12 16:15:22 msi-arch polkit-1(pam_google_auth)[92291]: No secret configured for user mario, asking for code anyway.
jun 12 16:15:22 msi-arch polkit-kde-authentication-agent-1[1575]: Request:  "Verification code: "  echo:  false

For me is very strange the message:

jun 12 16:15:22 msi-arch polkit-1(pam_google_auth)[92291]: Failed to read "/home/mario/.google_authenticator" for "mario": Permission denied

My user is mario and I can read the file without problems:

     ~  ls -lha /home/mario/.google_authenticator                                                                                           127 ✘  04:19:23 PM   
-r-------- 1 mario mario 198 jun 12 15:23 /home/mario/.google_authenticator

     ~  pwd                                                                                                                                     ✔  04:19:28 PM   
/home/mario

     ~  id                                                                                                                                      ✔  04:19:30 PM   
uid=1000(mario) gid=1000(mario) grupos=1000(mario),50(games),150(wireshark),953(openrazer),958(libvirt-qemu),959(libvirt),983(video),989(lp),990(kvm),998(wheel)

anyone know whats happening?

tekstryder

Member

Registered: 2013-02-14

Posts: 545

Re: Problem using google authenticator and pkexec from polkit.

I remember this work one year ago but after a update the config never works.

Could be due to this change...

• https://gitlab.archlinux.org/archlinux/ … rk_items/5

...which broke the default basic polkit agent.

Mario156090

Member

Registered: 2018-12-04

Posts: 63

Re: Problem using google authenticator and pkexec from polkit.

I remember this work one year ago but after a update the config never works.

Could be due to this change...

• https://gitlab.archlinux.org/archlinux/ … rk_items/5

...which broke the default basic polkit agent.

Hello, is very similar but in my case is only broke when I use google authenticator.

tekstryder

Member

Registered: 2013-02-14

Posts: 545

Re: Problem using google authenticator and pkexec from polkit.

Interesting.

You are still able to elevate user privilege when issuing the console pkexec command, with no extra agents installed?

Mario156090

Member

Registered: 2018-12-04

Posts: 63

Re: Problem using google authenticator and pkexec from polkit.

Interesting.

You are still able to elevate user privilege when issuing the console pkexec command, with no extra agents installed?

Yes, I can.

seth

Member

From: Won't reply 2 private help req

Registered: 2012-09-03

Posts: 75,933

Re: Problem using google authenticator and pkexec from polkit.

Hello, is very similar but in my case is only broke when I use google authenticator.

Have you tried to re-establish the suid locally anyway?

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

tekstryder

Member

Registered: 2013-02-14

Posts: 545

Re: Problem using google authenticator and pkexec from polkit.

Interesting.

You are still able to elevate user privilege when issuing the console pkexec command, with no extra agents installed?

Yes, I can.

Wild.

~ ❯ pkexec true
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/true' as the super user
Authenticating as: tekstryder
Password: 
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

Jun 12 18:58:53 systemd[1]: Starting Authorization Manager Agent Helper (PID 1102953/UID 0)...
Jun 12 18:58:55 polkit-agent-helper-1[1102961]: polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
Jun 12 18:58:55 polkitd[865]: Operator of unix-process:1052272:27888976 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:1052272:27888976 [/usr/bin/zsh] (owned by unix-user:tekstryder)
Jun 12 18:58:55 pkexec[1102953]: tekstryder: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/1] [CWD=/home/tekstryder] [COMMAND=/usr/bin/true]
Jun 12 18:58:55 systemd[1]: polkit-agent-helper@2-8193-1102953_1059336-0.service: Main process exited, code=exited, status=1/FAILURE
Jun 12 18:58:55 systemd[1]: polkit-agent-helper@2-8193-1102953_1059336-0.service: Failed with result 'exit-code'.
Jun 12 18:58:55 systemd[1]: Failed to start Authorization Manager Agent Helper (PID 1102953/UID 0).

It's been broken for me since commit f2e63152.

Last edited by tekstryder (Yesterday 23:00:49)

Mario156090

Member

Registered: 2018-12-04

Posts: 63

Re: Problem using google authenticator and pkexec from polkit.

Hello, is very similar but in my case is only broke when I use google authenticator.

Have you tried to re-establish the suid locally anyway?

No, never.

Mario156090

Member

Registered: 2018-12-04

Posts: 63

Re: Problem using google authenticator and pkexec from polkit.

Interesting.

You are still able to elevate user privilege when issuing the console pkexec command, with no extra agents installed?

Yes, I can.

Wild.

~ ❯ pkexec true
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/true' as the super user
Authenticating as: tekstryder
Password: 
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

Jun 12 18:58:53 systemd[1]: Starting Authorization Manager Agent Helper (PID 1102953/UID 0)...
Jun 12 18:58:55 polkit-agent-helper-1[1102961]: polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
Jun 12 18:58:55 polkitd[865]: Operator of unix-process:1052272:27888976 FAILED to authenticate to gain authorization for action org.freedesktop.policykit.exec for unix-process:1052272:27888976 [/usr/bin/zsh] (owned by unix-user:tekstryder)
Jun 12 18:58:55 pkexec[1102953]: tekstryder: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/1] [CWD=/home/tekstryder] [COMMAND=/usr/bin/true]
Jun 12 18:58:55 systemd[1]: polkit-agent-helper@2-8193-1102953_1059336-0.service: Main process exited, code=exited, status=1/FAILURE
Jun 12 18:58:55 systemd[1]: polkit-agent-helper@2-8193-1102953_1059336-0.service: Failed with result 'exit-code'.
Jun 12 18:58:55 systemd[1]: Failed to start Authorization Manager Agent Helper (PID 1102953/UID 0).

It's been broken for me since commit f2e63152.

Works perfectly for me that execution.

tekstryder

Member

Registered: 2013-02-14

Posts: 545

Re: Problem using google authenticator and pkexec from polkit.

Sorry to semi-hijack ur thread.

What environment are you in? Hyprland and Sway here.

Also, to be sure, what's the output of:

~ ❯ pacman -Qs 'polk|policykit'
local/polkit 127-3
    Application development toolkit for controlling system-wide privileges

Given that I only use polkit for 2 infrequently-used apps (gparted and gsmartctl), and that simply executing the pkexec with the (redundant) sudo atop, allows the same desired limited-root env, this is purely a curiosity for me.

~ ❯ sudo pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/fake-dummy-placeholder-user gsmartcontrol

...works just fine... doesn't pollute /root with user env... and gives me a chuckle.

Last edited by tekstryder (Yesterday 23:36:52)

Mario156090

Member

Registered: 2018-12-04

Posts: 63

Re: Problem using google authenticator and pkexec from polkit.

Sorry to semi-hijack ur thread.

What environment are you in? Hyprland and Sway here.

Also, to be sure, what's the output of:

~ ❯ pacman -Qs 'polk|policykit'
local/polkit 127-3
    Application development toolkit for controlling system-wide privileges

Given that I only use polkit for 2 infrequently-used apps (gparted and gsmartctl), and that simply executing the pkexec with the (redundant) sudo atop, allows the same desired limited-root env, this is purely a curiosity for me.

~ ❯ sudo pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/fake-dummy-placeholder-user gsmartcontrol

...works just fine... doesn't pollute /root with user env... and gives me a chuckle.

Here the output:

I use kde plasma.

local/polkit 127-3
    Application development toolkit for controlling system-wide privileges
local/polkit-kde-agent 6.6.5-1 (plasma)
    Daemon providing a polkit authentication UI for KDE
local/polkit-qt6 0.201.1-1
    A library that allows developers to access PolicyKit API with a nice Qt-style API

tekstryder

Member

Registered: 2013-02-14

Posts: 545

Re: Problem using google authenticator and pkexec from polkit.

You are still able to elevate user privilege when issuing the console pkexec command, with no extra agents installed?

local/polkit-kde-agent 6.6.5-1 (plasma)
    Daemon providing a polkit authentication UI for KDE

Ah well there ya go. Thanks.

Confirms I'm not entirely crazy.

seth

Member

From: Won't reply 2 private help req

Registered: 2012-09-03

Posts: 75,933

Re: Problem using google authenticator and pkexec from polkit.

@Mario156090
So try to suid it again and whether that helps (not even sure why there's a helper if it doesn't require elevated privileges…)
On a formal note, please avoid bloating the thread w/ unconditional full quotes of previous posts

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc