polkit-agent-helper: set CollectMode=inactive-or-failed #557

Closed
bluca wants to merge 1 commit into polkit-org:main from bluca:socket_collect_mode
@bluca bluca commented Apr 2, 2025

Ensure that failed helper runs (eg: auth failure) do not leave units behind to accumulate

Follow-up for c007940

bluca referenced this pull request Apr 2, 2025
…t SETUID

SETUID binaries are considered harmful, as the execution context is
under the control of unprivileged attackers.

Enhance the polkit pam agent helper with a new mode: when running
under systemd, add a socket-activated service that the helper will
run under, as root. The agent talks to this service via AF_UNIX
instead of spawning it, and STDIN/STDOUT are connected as before.
The helper can make use of PID FDs and SO_PEERCRED to reliably
identify the caller. In order to do this, a third version of the
auth D-Bus method is added, that also takes a subject, built using
the PID FD.
If the AF_UNIX socket is not present, the agent will fork the
helper as before, with no changes.

Fixes #169
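The setting this PR proposed, shown on a socket-activated helper of the kind the referenced commit describes. This is an added illustration, not polkit's own unit files: the unit names, the socket path, the helper path and the split into one socket unit plus one template service are assumptions made here for the example.

```ini
# Added example, not polkit's own units. Unit names, paths and the
# socket/template split are assumptions for illustration.

# --- polkit-agent-helper.socket (hypothetical name) ---
[Unit]
Description=polkit PAM agent helper socket

[Socket]
# Path the agent connects to instead of fork+exec of a setuid helper
# (assumed; the real path is whatever the project chose).
ListenStream=/run/polkit-1/agent-helper.sock
# One service instance per accepted connection, so every authentication
# attempt runs as its own unit instance; systemd names AF_UNIX instances
# from the accept counter and the peer's pid and uid.
Accept=yes
# Unprivileged agents in user sessions must be able to connect. The
# service identifies the caller via SO_PEERCRED / a pidfd on the accepted
# socket rather than trusting anything carried in the request.
SocketMode=0666

[Install]
WantedBy=sockets.target

# --- polkit-agent-helper@.service (hypothetical name) ---
[Unit]
Description=polkit PAM agent helper for connection %i
# The line this PR adds. A wrong password makes the helper exit non-zero,
# which puts the instance into the "failed" state. With the default
# CollectMode=inactive such instances stay loaded, and the manager reports
# "degraded" via `systemctl is-system-running`, until someone runs
# `systemctl reset-failed`. inactive-or-failed lets the manager garbage
# collect them like any other finished instance.
CollectMode=inactive-or-failed

[Service]
# Helper path is an assumption. The helper speaks to the agent on
# stdin/stdout as before; here those are the accepted connection instead
# of a pipe from the agent, and the service runs as root.
ExecStart=/usr/lib/polkit-1/polkit-agent-helper-1
StandardInput=socket
StandardOutput=socket
StandardError=journal
User=root
```

On a running system, `systemctl list-units --state=failed` shows the lingering instances this setting is meant to remove, and `systemctl is-system-running` reports `degraded` while any exist. The trade-off raised in this thread is that garbage collection also hides instances that failed for a real reason (for example a PAM stack that could not be initialised), which is why the thread moved towards adjusting the helper's return codes instead (#558).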
@jrybar-rh (Member) commented

There seem to be two issues with this approach:

  1. it still leaves the system in a degraded state for who knows how long (after local discussion with the systemd guys, GC is now event-based instead of time-based). A failed password is not fundamentally an error of the program. The helper finishes correctly in reaction to wrong user interaction. This should not cause unit failure and definitely not send the system to a degraded state. Imagine the red flags this raises in some setups. "Degraded? What's happening? Wrong password? Just this?"
  2. GC'ing a failed service may clear the system of wrong passwords, but it also masks potential real problems with the service. There are many more events with return code 1 in the helper program. Say we cannot init a PAM stack. This gets GC'ed a few seconds later. It is still in the journal, but what's the motivation to look at the journal when the system looks ok?

@lnykryn suggested a directive I was looking for, so modifying return codes seemed necessary yet logical: #558

@bluca (Member, Author) commented Apr 3, 2025

Ok, that sounds fine too to me

@bluca bluca closed this Apr 3, 2025
@bluca bluca deleted the socket_collect_mode branch April 3, 2025 11:05