This repository has been archived by the owner on Sep 23, 2021. It is now read-only.

No polkit authentication agent found since 9.0.0 #105

Open
feileacan opened this issue Sep 2, 2019 · 10 comments

@feileacan

feileacan commented Sep 2, 2019

sudo-prompt exec fails with "no polkit authentication agent found" on 9.0.0 but succeeds on 8.2.0.

Steps to Reproduce:

npm install sudo-prompt@9.0.0 # or @8.2.0
node ~/node_modules/sudo-prompt/test.js

Output of each command:
9.0.0
8.2.0

This is occurring on a Chromebook but you may be able to repro on any Debian container with the same packages. Installed packages. Passwordless sudo is enabled for all users.

See https://bugs.chromium.org/p/chromium/issues/detail?id=995175 for some more context, exact Chrome OS version and platform, and other details.

@jorangreef
Owner

Thanks @feileacan for the detailed report.

Please would you try rebooting your system and then running the test script for 9.0.0 before doing anything else?

@jorangreef
Owner

This might have something to do with these issues:

https://gitlab.gnome.org/GNOME/gnome-shell/issues/417#note_541769
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/976638/comments/17

In addition to rebooting and running the test script (Option 1 above), please would you also try the following:

Option 2:

"/usr/bin/pkexec" /bin/bash -c "echo SUDOPROMPT; echo hello"

Option 3:

"/usr/bin/pkexec" --disable-internal-agent /bin/bash -c "echo SUDOPROMPT; echo hello"

Option 4:

export SUDO_PROMPT_TEST_ENV="hello"
"/usr/bin/pkexec" --disable-internal-agent /bin/bash -c "echo SUDOPROMPT; echo \"$SUDO_PROMPT_TEST_ENV\""

@feileacan
Author

Option 1: Same issue
Option 2: Prompts for password. Pressing enter then results in auth failure:

aryanonametyrell@penguin:~$ "/usr/bin/pkexec" /bin/bash -c "echo SUDOPROMPT; echo hello"
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: aryanonametyrell
Password: 

polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

The account has no password:

aryanonametyrell@penguin:~$ sudo grep $USER /etc/shadow
aryanonametyrell:!:18150:0:99999:7:::

The account is locked by default, but I see the same error for unlocked: :: or :*:

If I set a password I get a different error:

aryanonametyrell@penguin:~$ "/usr/bin/pkexec" /bin/bash -c "echo SUDOPROMPT; echo hello"
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/bash' as the super user
Authenticating as: aryanonametyrell
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

Option 3:

aryanonametyrell@penguin:~$ "/usr/bin/pkexec" --disable-internal-agent /bin/bash -c "echo SUDOPROMPT; echo hello"
Error executing command as another user: No authentication agent found.

Option 4:

aryanonametyrell@penguin:~$ export SUDO_PROMPT_TEST_ENV="hello"
aryanonametyrell@penguin:~$ "/usr/bin/pkexec" --disable-internal-agent /bin/bash -c "echo SUDOPROMPT; echo \"$SUDO_PROMPT_TEST_ENV\""
Error executing command as another user: No authentication agent found.

There's no graphical agent installed so pkexec failing when using --disable-internal-agent is expected, but not sure what changed between 8.2.0 and 9.0.0 that it's no longer able to auth.

@jorangreef
Owner

jorangreef commented Sep 11, 2019

Thanks @feileacan, option 2 is almost exactly what 8.2.0 does, except that 8.2.0 first tries to execute the command with sudo -n:

/usr/bin/sudo -n -E -- echo hello

Also, given that "passwordless sudo is enabled for all users" as you say, pkexec shouldn't be failing for you like it did in option 2 with Error executing command as another user: Not authorized.

I think then that this commit is what caused the issue in pkexec with passwordless sudo environments to be exposed: 8c1a302

It's not a bug in sudo-prompt, but an interaction between passwordless sudo being allowed and pkexec. I will see how we can work around this.

The change in 8c1a302 was necessary to fix a serious idempotency issue.

@jorangreef
Owner

You might want to take this up in the Chromium issue. This should never fail for a valid password:

/usr/bin/pkexec /bin/bash -c "echo hello"

@feileacan
Author

feileacan commented Sep 12, 2019

Ah, not running via sudo would do it.

As far as I can tell policykit uses its own rules so pkexec doesn't care whether the user has sudo access or not, it still requires auth: https://gitlab.freedesktop.org/polkit/polkit/blob/master/actions/org.freedesktop.policykit.policy.in#L13

Adding a rule for policykit.exec means users are no longer prompted which gets things working again.

As regards the pkexec "No session for cookie" issue, looks like the same problem discussed in NixOS/nixpkgs#18012, using a separate pkttyagent works.

Thanks for the info and investigation.

@jorangreef
Owner

jorangreef commented Sep 12, 2019

Thanks @feileacan for reporting the issue.

Just to double-check, would you mind giving me the output of running:

/usr/bin/sudo -k
/usr/bin/sudo -n -E echo hello

@feileacan
Author

aryanonametyrell@penguin:~$ /usr/bin/sudo -k
aryanonametyrell@penguin:~$ /usr/bin/sudo -n -E echo hello
hello

@jorangreef
Owner

Thanks, that confirms that the issue is in pkexec and that sudo -n is a workaround for environments such as yours.

@jorangreef
Owner

Sorry for the delay with this, I will get to it in a few weeks. I know how to solve it and we have a few other changes that have built up which can all go hand-in-hand.
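
The pkexec failure modes quoted in this thread and the `sudo -n` probe the owner asked for, as an added Node.js example (not part of the thread and not sudo-prompt's own code). The function names, ids and hint texts are hypothetical; the matched error strings are the ones quoted above.

```javascript
// Added example, not sudo-prompt's code. Names and hint texts are hypothetical.
// Lazy require so the probe can be replaced by a stub when testing offline.
const defaultRun = (cmd, args) =>
  require('child_process').spawnSync(cmd, args, { encoding: 'utf8' });

// Error strings exactly as quoted in the thread. Order matters: the generic
// "Not authorized" line also follows the PAM and cookie errors, so it is last.
const PKEXEC_FAILURES = [
  { id: 'no-agent', re: /No authentication agent found/,
    hint: 'no polkit authentication agent is available to pkexec' },
  { id: 'no-session-for-cookie', re: /No session for cookie/,
    hint: 'thread reports that a separate pkttyagent works' },
  { id: 'pam-auth-failed', re: /pam_authenticate failed/,
    hint: 'polkit still requires a password, whatever sudoers allows' },
  { id: 'not-authorized', re: /Not authorized/,
    hint: 'polkit denied org.freedesktop.policykit.exec' },
];

function classifyPkexecFailure(stderr) {
  const hit = PKEXEC_FAILURES.find((f) => f.re.test(stderr));
  return hit ? { id: hit.id, hint: hit.hint } : { id: 'unknown', hint: '' };
}

// Same probe the owner asked for: drop cached credentials with -k, then see
// whether sudo runs a command with -n (never prompt).
function sudoIsNonInteractive(run = defaultRun) {
  run('/usr/bin/sudo', ['-k']);
  return run('/usr/bin/sudo', ['-n', 'true']).status === 0;
}

// Try sudo -n first and only then pkexec, the order attributed to 8.2.0.
function planElevation(run = defaultRun) {
  return sudoIsNonInteractive(run) ? 'sudo -n' : 'pkexec';
}

// stderr samples copied from the terminal output in the thread.
const SAMPLES = {
  option2NoPassword: 'polkit-agent-helper-1: pam_authenticate failed: Authentication failure\n' +
    'Error executing command as another user: Not authorized',
  option2WithPassword: 'polkit-agent-helper-1: error response to PolicyKit daemon: ' +
    'GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie\n' +
    'Error executing command as another user: Not authorized',
  option3: 'Error executing command as another user: No authentication agent found.',
};
```

Passing a stub as `run` lets the decision logic be exercised on a machine without sudo or polkit installed.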
