
Bug#1037295: live-config: starting Calamares installer requires a password (which is 'live')



Control: user pkg-utopia-maintainers@lists.alioth.debian.org
Control: usertags -1 + pkla-without-js

On Sat, 10 Jun 2023 at 15:10:35 +0100, Simon McVittie wrote:
> * Boot debian-live-12.0.0-amd64-gnome.iso (the version used for
>   release-day testing)
>   - KDE has a similar issue with slightly different steps to start the
>     installer, probably all desktops' variants are affected

GNOME, KDE and LXQT are affected.

MATE, Cinnamon and LXDE don't seem to be, because those desktops still
pull in the legacy policykit-1 package.

> If this is not the intended behaviour, the solution would be:
> 
> - drop a file similar to /usr/share/doc/polkitd/examples/50-local-allow.rules
>   into /usr/share/polkit-1/rules.d (if it's owned by a .deb) or into
>   /etc/polkit-1/rules.d (if it's created on an ad-hoc basis by scripts)
> 
> - use that file to configure polkitd to allow whatever action Calamares
>   is using, without authentication (polkit.Result.YES), for either the
>   live user or all members of the sudo group
> 
> - when installing with Calamares, make sure that file is not included in
>   the installed system

I see why this has happened. I did a mass-bug-filing for packages that
*contain* files in /var/lib/polkit-1/localauthority, but my search didn't
find live-config, because it creates the file programmatically.

Desktop environments that still pull in the legacy policykit-1 package
in bookworm are unaffected, because live-config does create a file that
will be read by polkitd-pkla.

In https://sources.debian.org/src/live-config/11.0.3%2Bnmu1/components/1080-policykit/:

> 	if ! pkg_is_installed "policykit-1" || \

This should now be polkitd, not policykit-1. policykit-1 is now a
transitional package.

> cat > /etc/PolicyKit/PolicyKit.conf << EOF

I don't think this file has been used for years.

> 	<define_admin_auth group="adm"/>

If this file *is* still used, the group you'll want here is 'sudo'.

> [Live CD user permissions]
> Identity=unix-user:${LIVE_USERNAME}
> Action=*
> ResultAny=no
> ResultInactive=no
> ResultActive=yes

This should be replaced by something very similar to
/usr/share/doc/polkitd/examples/50-local-allow.rules.
I tried this on the GNOME live image (not tested on KDE or LXQT but
should work equally well):

sudo tee /etc/polkit-1/rules.d/50-live.rules >/dev/null <<EOF
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("sudo")) {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
EOF

Or you could use subject.user === "live" if you'd prefer. This is
JavaScript, so the "===" is intentionally three equals signs, not a typo.

    smcv
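
A narrower variant of the rule in the message above, as an added example that is not part of the original message or of live-config: it returns YES only for one action, and only for the live user in a local, active session, which mirrors the ResultActive=yes / ResultAny=no intent of the old .pkla entry. The action id is a placeholder, the user name "live" is taken from the bug title, and the `polkit` stub and `decide` helper are constructed here only so the rule can be exercised under Node.

```javascript
// Stub of the objects polkitd provides to rules files (constructed so the rule
// can run under Node). Omit this stub in a real /etc/polkit-1/rules.d file.
var polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); }
};

// ---- body of the rules file starts here ----
// Assumptions: the live user is "live"; the action id below is a placeholder
// and must be replaced with the id from the installer's own .policy file.
var LIVE_USER = "live";
var ALLOWED_ACTIONS = ["org.example.installer.run"];

polkit.addRule(function (action, subject) {
    if (ALLOWED_ACTIONS.indexOf(action.id) !== -1 &&
        subject.user === LIVE_USER &&
        subject.local && subject.active) {
        return polkit.Result.YES;        // no prompt for this one action
    }
    return polkit.Result.NOT_HANDLED;    // defer to other rules and defaults
});
// ---- body of the rules file ends here ----

// Test helper (hypothetical, not a polkit API): run the registered rules in
// order; the first result other than NOT_HANDLED decides.
function decide(actionId, subject) {
    for (var i = 0; i < polkit._rules.length; i++) {
        var result = polkit._rules[i]({ id: actionId }, subject);
        if (result !== polkit.Result.NOT_HANDLED) { return result; }
    }
    return polkit.Result.NOT_HANDLED;
}

// Constructed subjects covering the cases the rule distinguishes.
var liveActive = { user: "live", local: true, active: true };
var liveRemote = { user: "live", local: false, active: true };
var liveInactive = { user: "live", local: true, active: false };
var otherUser = { user: "alice", local: true, active: true };
```

Unlike the group-wide rule, this leaves every other action, and every non-local or inactive session, to the default policy, so a copy of the file that ends up on an installed system grants far less.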

