Group-based authorization does not work for inactive session
Group-based authorization works when the process is run by a logged-in user. User-based authorization works when the process is not run by a logged-in user (e.g. a system service).
Group-based authorization does not seem to work when the process is not run by a logged-in user: in the reproducer below, the `subject.isInGroup("bar")` branch of the rule never matches for the service process even though its Gid is 1001 (bar). Note that the group-based unit is also started with `DynamicUser=yes`, so its UID (61572) has no /etc/passwd entry, unlike user foo; that is a second difference from the user-based unit that may be worth eliminating (e.g. by running it as a static user in group bar) to confirm the failure is really about group lookup.
Minimal reproducer on Fedora 35 with polkit 0.120. Nothing relevant appears in the journal, even with polkitd running with debug logging enabled.
[root@image ~]# adduser foo
[root@image ~]# groupadd bar
[root@image ~]# grep foo /etc/passwd
foo:x:1000:1000::/home/foo:/bin/bash
[root@image ~]# grep bar /etc/group
bar:x:1001:
[root@image ~]# cat <<EOF> /usr/share/polkit-1/actions/org.foo.bar.policy
<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<action id="org.foo.bar.baz">
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
EOF
[root@image ~]# cat <<EOF> /etc/polkit-1/rules.d/99-baz.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.foo.bar.baz" && (subject.user == "foo" || subject.isInGroup("bar"))) {
return polkit.Result.YES;
}
})
EOF
[root@image ~]# systemd-run --property User=foo sleep infinity
Running as unit: run-r4cbe42621939486893e2671850646f87.service
[root@image ~]# systemd-run --property Group=bar --property DynamicUser=yes sleep infinity
Running as unit: run-r969d9d65ea894e24933d7fa26a22e409.service
[root@image ~]# systemctl show -p MainPID run-r4cbe42621939486893e2671850646f87.service run-r969d9d65ea894e24933d7fa26a22e409.service
MainPID=570
MainPID=572
[root@image ~]# pkcheck -a org.foo.bar.baz -p 570
[root@image ~]# echo $?
0
[root@image ~]# pkcheck -a org.foo.bar.baz -p 572
Authorization requires authentication and -u wasn't passed.
[root@image ~]# grep Gid /proc/570/status
Gid: 1000 1000 1000 1000
[root@image ~]# grep Uid /proc/570/status
Uid: 1000 1000 1000 1000
[root@image ~]# grep Uid /proc/572/status
Uid: 61572 61572 61572 61572
[root@image ~]# grep Gid /proc/572/status
Gid: 1001 1001 1001 1001
[root@image ~]# cat /etc/os-release
NAME="Fedora Linux"
VERSION="35 (Thirty Five)"
ID=fedora
VERSION_ID=35
VERSION_CODENAME=""
PLATFORM_ID="platform:f35"
PRETTY_NAME="Fedora Linux 35 (Thirty Five)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:35"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f35/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=35
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=35
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"