/bin:/usr/bin in PATH causes failure in certain GUI apps

[polkit-github-migration-bot]

In gitlab.freedesktop.org by jrw32982 on Mar 23, 2023, 19:58

Link to the original issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/193

Current behaviour, description of the problem

Apparently, the order of /bin and /usr/bin in PATH matters! I was getting failures for multiple apps started from LinuxMint's Menu: mintsources, lightdm-settings, etc. Eventually I tracked it down to the fact that I had /bin:/usr/bin in my PATH (created by my shell profile) rather than /usr/bin:/bin. Once I modified my shell profile, and switched the order of those components in my PATH, and rebooted, the GUI apps started working.

Desired behaviour

Both command lines (see below) should work identically and successfully. Currently, the order of /usr/bin:/bin in PATH is required for apps to work and the order of /bin:/usr/bin causes them to fail. The order shouldn't matter.

For other OSes (where mintsources is not available), you can reproduce with any GUI app requiring use of pkexec and configured in a location like /usr/share/polkit-1/actions/, with an annotation like:

<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/mintsources</annotate>

(Note: /usr/bin/mintsources, rather than /bin/mintsources)

It looks like this is a bug with pkexec and/or the polkit mechanism: pkexec doesn't fully resolve (canonicalize) the path to the executable, a la readlink -f /bin/mintsources, before matching it against the path in the policy. The pkexec documentation says full path of the program where I think it should say canonical full path of the program.

Reproducer

$ ls -ld /bin
lrwxrwxrwx 1 root root 7 Jun 28 2022 /bin -> usr/bin

$ pkexec /usr/bin/mintsources
...GUI prompt for password, then GUI app appears and works...

$ pkexec /bin/mintsources
...GUI prompt for password, then...
(mintSources.py:3926): Gtk-CRITICAL **: 08:24:53.938: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
(mintSources.py:3926): Gtk-CRITICAL **: 08:24:53.938: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
(mintSources.py:3926): Gtk-CRITICAL **: 08:24:53.938: _gtk_style_provider_private_get_settings: assertion 'GTK_IS_STYLE_PROVIDER_PRIVATE (provider)' failed
...ABORTS (no GUI app appears)...

Detailed description

polkit 0-105.33, pkexec 0-105-33, LinuxMint 21

See more discussion and bug confirmation at Github LinuxMint Cinnamon and LinuxMint forum

[wdoekes]

It gets worse for things that aren't in the PATH and that are moved between distros. See this:

systemd/systemd#34712 - polkit "actions" integration fails for paths moved from /lib to /usr/lib

There calling /lib/systemd/systemd-reply-password (according to spec) does not get us the expected action, while calling /usr/lib/systemd/systemd-reply-password would.

This looks like a flaw in in polkitd.

I think we need either:

• Allowing multiple <annotate>, or multiple <action> with the same id.
• A realpath(3) call before find_action_for_path:

  polkit/src/programs/pkexec.c

  Lines 796 to 799 in 94e2b54

  	action_id = find_action_for_path (authority,
  	path,
  	exec_argv[1],
  	&allow_gui);

Cheers,
Walter Doekes
OSSO B.V.

[wdoekes]

@jrybar-rh or anyone else. Could you check the PR?

[jrybar-rh]

I'm already on it, but currently there are other burning priorities. WIP.