"Permission denied" when interacting against D-Bus/Polkit with a regular user (but with privileged access) #15264

Closed
q2dg opened this issue Feb 2, 2021 · 3 comments

q2dg commented Feb 2, 2021

Cockpit version: 236
OS: Fedora 33
Page: My own page

I want to change my timezone from my own module, like this (very obsolete) blog entry (https://cockpit-project.org/blog/using-dbus-from-javascript-in-cockpit.html) and this (not so obsolete, but still a little) code example (https://github.com/cockpit-project/cockpit/blob/master/examples/zoner/tz.html) explain. The code I've written is this; there's nothing the former examples don't do: I've only written a "promised" syntax for the SetTimezone() method and nothing else apart from a few cosmetic changes.

    <html><head>
        <title>Time Zone</title>
        <meta charset="utf-8">
        <link href="../base1/cockpit.css" type="text/css" rel="stylesheet">
        <script src="../base1/cockpit.js"></script>
    </head> <body>
        <div class="pf-c-page">
            <table class="form-table-ct">
                <tr>
                    <td><label class="control-label">Current Time Zone:</label></td>
                    <td><span id="current"></span></td>
                </tr>
                <tr>
                    <td><label class="control-label" for="newZone">New Time Zone:</label></td>
                    <td><input class="form-control" id="newZone"></td>
                </tr>
                <tr>
                    <td><button class="pf-c-button pf-m-primary" id="change">Change</button></td>
                    <td><span id="failure"></span></td>
                </tr>
            </table>
        </div>
        <script>
            var nova = document.getElementById("newZone");
            var actual = document.getElementById("current");
            var fallada = document.getElementById("failure");
            var boto = document.getElementById("change");
            var servei = cockpit.dbus('org.freedesktop.timedate1');
            var interf = servei.proxy('org.freedesktop.timedate1','/org/freedesktop/timedate1');
            function change_zone() {
                fallada.innerHTML="";
                interf.SetTimezone(nova.value, true)
                    .catch(change_fail);
            }
            function display_zone() { actual.innerHTML=interf.Timezone; }
            function change_fail(err) { fallada.innerHTML=err.message; }
            boto.addEventListener("click", change_zone);
            interf.addEventListener("changed", display_zone);
        </script>
    </body> </html>

The problem is that, after logging into Cockpit with a regular user but with administrative powers (in fact, this user can change the timezone via "sudo" executing the command timedatectl set-timezone blabla in the Cockpit server's terminal without problems), when I click on the button to change the timezone written in the textbox, I get a "Permission denied" error.

I've put SELinux in permissive mode, I've added the '{"superuser":"required"}' as a second parameter of cockpit.dbus()... and nothing: the error remains. But when I log into Cockpit as the "root" user, there's no problem: I can change the timezone.

So maybe I'm doing something wrong, but it seems Cockpit doesn't escalate the user's privileges well in order to be able to interact with the system's D-Bus channel, I infer. So it seems there's some problem in the authentication against Polkit. Am I wrong?

Thanks a lot in advance.

PS: Looking at Journald, indeed, I see these error messages: polkitd[xxx]: Operator of unix-session:7 FAILED to authenticate to gain authorization for action org.freedesktop.timedate1.set-timezone for system-bus-name::1.302 [cockpit-bridge] (owned by unix-user:usuari)

@q2dg q2dg changed the title "Permission denied" when interacting against D-Bus with a regular user (but with privileged access) "Permission denied" when interacting against D-Bus/Polkit with a regular user (but with privileged access) Feb 2, 2021

marusak (Member) commented Feb 10, 2021

Is that user in the wheel group? Are you in Administrative access (on top of the page)?

q2dg (Author) commented Feb 10, 2021

YES!

martinpitt (Member) commented

> So it seems there's some problem in the authentication against Polkit. Am I wrong?

No, you are right. Polkit authentication does not happen magically. See issue #11033 for fixing this in general.

However, for the time being you really should do

    var servei = cockpit.dbus('org.freedesktop.timedate1', { superuser: "try" });

as this is a system service.
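
The `superuser: "try"` fix from the comment above, applied to the issue's page script with explicit handling of a denied call; this is an added example, not code from the Cockpit project or from the commenters. The helper names, the zone-name check, and the assumption that a denial arrives as cockpit's `access-denied` problem code or the D-Bus `AccessDenied` error name are illustrative.

```javascript
// Added example: helper names are hypothetical; only cockpit.dbus(), proxy()
// and the timedate1 identifiers come from the issue.
const TIMEDATE = "org.freedesktop.timedate1";
const TIMEDATE_PATH = "/org/freedesktop/timedate1";

// Open timedate1 through the privileged bridge when the session has
// administrative access; "try" falls back to an unprivileged channel otherwise.
function openTimedate(cockpitApi) {
    const client = cockpitApi.dbus(TIMEDATE, { superuser: "try" });
    return client.proxy(TIMEDATE, TIMEDATE_PATH);
}

// Reject malformed names ("Europe/Madrid" and "UTC" pass) before calling the bus.
function isPlausibleZone(zone) {
    return typeof zone === "string" &&
        /^[A-Za-z0-9_+-]+(\/[A-Za-z0-9_+-]+)*$/.test(zone);
}

// Map a rejected call to display text. Assumption: a denial carries either
// cockpit's "access-denied" problem code or the D-Bus AccessDenied error name.
function describeFailure(err) {
    const denied = err && (err.problem === "access-denied" ||
        err.name === "org.freedesktop.DBus.Error.AccessDenied");
    return denied
        ? "Permission denied: enable administrative access for this session."
        : (err && err.message) || "Unknown error";
}

// Resolves to "" on success or to an error text; never rejects.
function setTimezone(proxy, zone) {
    if (!isPlausibleZone(zone))
        return Promise.resolve("Invalid time zone name");
    // Second argument as in the issue's code: allow interactive authorization.
    return proxy.SetTimezone(zone, true).then(() => "", describeFailure);
}

// Browser wiring for the issue's element ids; skipped outside a Cockpit page.
if (typeof document !== "undefined" && typeof cockpit !== "undefined") {
    const proxy = openTimedate(cockpit);
    const failure = document.getElementById("failure");
    document.getElementById("change").addEventListener("click", () => {
        setTimezone(proxy, document.getElementById("newZone").value)
            .then(text => { failure.textContent = text; });
    });
    proxy.addEventListener("changed", () => {
        document.getElementById("current").textContent = proxy.Timezone;
    });
}
```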
