refuses all actions if user is member of a large number of groups
Submitted by Michael Biebl (@mbiebl). Assigned to David Zeuthen (@david).
Description
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696989
PolicyKit refuses all actions for my own user account, but works fine for other accounts:
=== Begin SSH session as sascha.silbe ===
sascha.silbe@twin:~$ cat /etc/polkit-1/localauthority/50-local.d/90-sudo-allow-everything.pkla
[AllowEverythingToSudoGroup]
Identity=unix-group:sudo
Action=*
# from within active ConsoleKit sessions
ResultActive=yes
# from within inactive ConsoleKit sessions
ResultInactive=yes
# from within non-local ConsoleKit sessions
ResultAny=yes
sascha.silbe@twin:~$ id -u
8193
sascha.silbe@twin:~$ getent group sudo
sudo:x:27:sascha.silbe,bine
sascha.silbe@twin:~$ pkcheck --action-id org.freedesktop.udisks.filesystem-mount --process $$
Not authorized.
=== End SSH session as sascha.silbe ===
=== Begin SSH session as bine ===
bine@twin:~$ pkcheck --action-id org.freedesktop.udisks.filesystem-mount --process $$ ; echo $?
0
=== End SSH session as bine ===
Apparently polkitd chokes on the large number of groups my account is a member of:
=== Begin ===
root@twin:~# /usr/lib/policykit-1/polkitd -r
Entering main event loop
Connected to the system bus
Registering null backend at priority -10
Using authority class PolkitBackendLocalAuthority
Acquired the name org.freedesktop.PolicyKit1

** (polkitd:20969): WARNING **: skipping unknown tag <_description> at line 15

** (polkitd:20969): WARNING **: skipping unknown tag <_message> at line 16

** (polkitd:20969): WARNING **: Error looking up groups for uid 8193: Numerical result out of range
=== End ===
Checking the source (src/polkitbackend/polkitbackendlocalauthority.c:get_groups_for_user()), there's even a TODO entry for this bug:
gid_t groups[512];
int num_groups = 512;
[...]
/* TODO: should resize etc etc etc */
if (getgrouplist (passwd->pw_name, passwd->pw_gid, groups, &num_groups) < 0)
  {
    g_warning ("Error looking up groups for uid %d: %s", uid, g_strerror (errno));
    goto out;
  }
Once the account is a member of more than the hard-coded limit of 512 groups, PolicyKit will not recognise the user at all, therefore refuse all actions for them.
This bug is still present in the latest development version (d6acecdd), now in src/polkitbackend/polkitbackendjsauthority.c:subject_to_jsval().
The reason my user account is part of so many groups is that I'm using the rainbow package extensively to run web browsers and the like with less privileges than my user account and in isolation from each other. For each isolated session, a group is created to enable exchange of files between my user account and the session account (but not between the sessions).
I've set the Severity to Important because PolicyKit refuses to work at all (for this user) once the hard-coded limit is exceeded, rather than just some part of PolicyKit not working as expected or only the first few groups being evaluated to determine whether to grant access.
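The following is an added example of the resize-and-retry pattern the TODO in the quoted snippet points at; it is neither polkit's code nor the reporter's. It assumes glibc semantics for getgrouplist(3): when the caller's array is too small the call returns -1, stores the required count in *ngroups and sets errno to ERANGE (the "Numerical result out of range" in the polkitd log above). The `fake_small`/`fake_large` lookups, the user names and the gid values are constructed so the example runs without an account that really is in hundreds of groups; `groups_fixed` reproduces the 512-slot array from the report and `groups_resizing` is the hypothetical fix.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as glibc's getgrouplist(3), so either the real function
 * or a constructed stand-in can be passed in. */
typedef int (*grouplist_fn)(const char *user, gid_t group,
                            gid_t *groups, int *ngroups);

/* The pattern from the report: a fixed 512-slot array. Returns the number
 * of groups, or -1 once the user is in more than 512 of them (the bug). */
static int groups_fixed(grouplist_fn lookup, const char *user, gid_t gid)
{
    gid_t groups[512];
    int num_groups = 512;

    if (lookup(user, gid, groups, &num_groups) < 0)
        return -1;              /* polkit logs a warning and bails out here */
    return num_groups;
}

/* The fix the TODO asks for: retry with the size getgrouplist reports back.
 * Loops because membership can grow between two calls. On success returns
 * the count and stores a malloc'd array in *out; returns -1 on error. */
static int groups_resizing(grouplist_fn lookup, const char *user, gid_t gid,
                           gid_t **out)
{
    int cap = 64;               /* small on purpose, to exercise the retry */
    gid_t *buf = NULL;

    for (;;) {
        gid_t *nb = realloc(buf, (size_t)cap * sizeof *nb);
        if (nb == NULL) {
            free(buf);
            return -1;
        }
        buf = nb;

        int n = cap;
        if (lookup(user, gid, buf, &n) >= 0) {
            *out = buf;
            return n;
        }
        if (n <= cap) {         /* -1 without a larger size: a real failure */
            free(buf);
            return -1;
        }
        cap = n;                /* glibc stored the required size in n */
    }
}

/* Convenience wrapper returning only the count (frees the array). */
static int groups_resizing_count(grouplist_fn lookup, const char *user, gid_t gid)
{
    gid_t *g = NULL;
    int n = groups_resizing(lookup, user, gid, &g);
    free(g);
    return n;
}

/* Constructed stand-ins for getgrouplist(3): the user is in `total` groups,
 * primary gid first, then supplementary gids 1001, 1002, ... Mirrors glibc:
 * fills what fits, reports the required size, returns -1 / ERANGE on overflow. */
static int fake_lookup(int total, gid_t group, gid_t *groups, int *ngroups)
{
    int have = *ngroups;
    for (int i = 0; i < total && i < have; i++)
        groups[i] = (i == 0) ? group : (gid_t)(1000 + i);
    *ngroups = total;
    if (total > have) {
        errno = ERANGE;
        return -1;
    }
    return total;
}

static int fake_small(const char *user, gid_t group, gid_t *groups, int *ngroups)
{
    (void)user;
    return fake_lookup(3, group, groups, ngroups);      /* ordinary account */
}

static int fake_large(const char *user, gid_t group, gid_t *groups, int *ngroups)
{
    (void)user;
    return fake_lookup(701, group, groups, ngroups);    /* 700 extra groups */
}

int main(void)
{
    printf("fixed[512], 3 groups:   %d\n", groups_fixed(fake_small, "bine", 27));
    printf("fixed[512], 701 groups: %d\n", groups_fixed(fake_large, "sascha.silbe", 27));
    printf("resizing,   701 groups: %d\n", groups_resizing_count(fake_large, "sascha.silbe", 27));

    /* Same code against the real NSS database for the current user. */
    struct passwd *pw = getpwuid(getuid());
    if (pw != NULL)
        printf("resizing, real %s: %d\n", pw->pw_name,
               groups_resizing_count(getgrouplist, pw->pw_name, pw->pw_gid));
    return 0;
}
```

Two things worth keeping from the original even after resizing: a lookup that still fails must be treated as "deny", as polkit's `goto out` does, never as "no groups", and the returned count, not the buffer size, is what the caller should iterate over, since the array is only filled up to `n`.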