
Bug 239231

Summary: sys-auth/policykit-0.9 must check that /var/lib/PolicyKit has correct permissions
Product: Gentoo Linux
Reporter: Alexandre Rostovtsev (RETIRED) <tetromino>
Component: [OLD] GNOME
Assignee: Gentoo Linux Gnome Desktop Team <gnome>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2008-10-01 08:00:45 UTC
/var/lib/PolicyKit must have mode 770 and be owned by root:policykit (this is because normal users must only read and write to it via a specific setgid binary, /usr/libexec/polkit-grant-helper). And indeed, this is how the /var/lib/PolicyKit directory is created on a first install of policykit-0.9.

Unfortunately, earlier versions of policykit installed /var/lib/PolicyKit directory as owned by polkituser:polkituser, mode 755. When upgrading from an earlier version of policykit to 0.9, the ebuild check that the group and mode for the directory are valid, which leads to authorization failure because polkit-grant-helper can no longer save authorization info for users.

At the minimum, the ebuild should check the group and permissions of /var/lib/PolicyKit and print an ewarn if they are incorrect.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2008-10-01 08:03:42 UTC
> /var/lib/PolicyKit must have mode 770 and be owned by root:policykit

Typo, I meant must have mode 770 and be owned by root:polkituser
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2008-10-01 08:21:51 UTC
Additionally, the ebuild should check that /var/run/PolicyKit is mode 770, owned by root:polkituser (again, older versions of policykit had /var/run/PolicyKit as mode 755, which leads to authorization failures after upgrading to policykit-0.9).
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-10-02 22:04:19 UTC
OK, I've pushed something to the overlay, without a bump. It should do the right thing if the user had a <0.9 release installed. Please tell me if everything looks OK to you and reopen if it's not.
Comment 4 Andrew D. Keyser (aka Legoguy) 2008-10-29 06:23:25 UTC
Ebuild fails with this new check; it uses braces inside quotes, expecting the shell to expand the braces (when it doesn't.)

chmod 0770 "${ROOT}var/{lib,run}/PolicyKit" || die "chmod failed"
                       ^       ^

chgrp -R polkituser "${ROOT}var/{lib,run}/PolicyKit" || die "chgrp failed"
                                ^       ^

Removing the quotes works fine, though I'm not sure if it's exactly proper...
Comment 5 Nirbheek Chauhan (RETIRED) gentoo-dev 2008-10-29 10:42:28 UTC
(In reply to comment #4)
> Ebuild fails with this new check; it uses braces inside quotes, expecting the
> shell to expand the braces (when it doesn't.)

Fixed in the overlay without a bump (not sure if there _should've_ been a bump :p)
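
The check requested in the description and comment 2, written as an added example rather than the ebuild's own code: it loops over the two directory names instead of relying on brace expansion, which the shell does not perform inside double quotes (comment 4). The function name `check_polkit_dirs` and its arguments are hypothetical; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not the ebuild's code): verify the PolicyKit state
# directories after an upgrade. Assumes GNU coreutils stat.
#
# Pitfall from comment 4: inside double quotes there is no brace expansion,
# so "${ROOT}var/{lib,run}/PolicyKit" is ONE literal path containing
# "{lib,run}". Looping keeps ROOT quoted and yields two real paths.
#
# Usage: check_polkit_dirs ROOT OWNER:GROUP
#   ROOT ends with a slash, as ${ROOT} does in the quoted ebuild lines.
#   OWNER:GROUP may be names (root:polkituser) or numeric ids (0:123).
# Prints one line per problem; returns 0 only if both directories exist,
# are mode 770 and have the expected owner and group.
# Variables are global: POSIX sh has no "local".
check_polkit_dirs() {
    root=$1
    want=$2
    rc=0
    for sub in lib run; do
        dir="${root}var/${sub}/PolicyKit"
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$dir")       # octal permission bits
        names=$(stat -c '%U:%G' "$dir")   # owner and group by name
        ids=$(stat -c '%u:%g' "$dir")     # owner and group by id
        if [ "$mode" != 770 ]; then
            echo "bad mode $mode (want 770): $dir"
            rc=1
        fi
        if [ "$names" != "$want" ] && [ "$ids" != "$want" ]; then
            echo "bad owner $names (want $want): $dir"
            rc=1
        fi
    done
    return "$rc"
}

# In an ebuild phase this could drive the warning asked for above:
#   check_polkit_dirs "${ROOT}" root:polkituser || ewarn "fix PolicyKit dirs"
```
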