Ubuntu
unity-greeter package

unity-greeter .pkla file does not work consistenly on all the systems

Bug #1048522 reported by Antti Kaijanmäki
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
unity-greeter (Ubuntu)
Fix Released
High
Antti Kaijanmäki

Bug Description

The current .pkla file does not work properly on all system.

It seems that policykit handles localauthority files with action wildcards somewhat nondeterministically. AFAICT the file is specified according to policykit documentation, but still the file does not work as expected on all of the systems. In fact on systems where the file does not work switching the rules around has desired effect, but this breaks the systems where the original file already works.

To get the file to work reliably on all the systems the wild card needs to be removed and all permissions for each action has to be specified explicitly.

See original description
Antti Kaijanmäki (kaijanmaki)
Changed in network-manager-applet (Ubuntu):
status: New → Confirmed
assignee: nobody → Antti Kaijanmäki (kaijanmaki)
tags: added: quantal
Mathieu Trudel-Lapierre (cyphermox)
Changed in network-manager-applet (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Antti Kaijanmäki (kaijanmaki)
affects: network-manager-applet (Ubuntu) → unity-greeter (Ubuntu)
tags: added: network-manager
Antti Kaijanmäki (kaijanmaki)
description: updated
summary: - the user is not able to activate system wide mobile broadband connection
- inside the greeter
+ unity-greeter .pkla file does not work consistenly on all the systems
Changed in unity-greeter:
status: New → Confirmed
Revision history for this message
Michael Terry (mterry) wrote :

It seems like the proposed solution is a workaround for a policykit bug.

With the proposed solution, if NetworkManager adds new permission controls, unity-greeter will use the default access rights until we notice, right? Seems bad.

Could we look into fixing it at the policykit level?

Revision history for this message
Michael Terry (mterry) wrote :

On IRC:

<mterry> Wellark, so with this patch, if a new NM capability comes out, we'll end up using the default permissions for it, instead of denying?
 seems bad
<Wellark> mterry: the actions do have default permissions
<Wellark> so if a new action is introduced it's probably prevented by default permission if it's dangerous
<Wellark> but yes, if the default policy does not prevent the new action then it's available in the greeter also
 and preventing that needs a modification to the .pkla
<Wellark> but there has not been new actions to NM in very long time
 and they are something that are added only with great care. Unless NM gets something totally new kind of functionality there will be no new actions
 policykit upstream is planning to move to a whole new configuration system in the future
 so, we need to update the permissions files on all the packages we use it anyway at some point in the future
 I would not be too concerned about the (unlikely) situation that NM gets a new action added before that

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-greeter - 12.10.3-0ubuntu1

---------------
unity-greeter (12.10.3-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Rearrange some UI bits (LP: #1049231, LP: #1049235, LP: #1049236,
      LP: #1049239)
    - After a remote login error, do not use cache when trying same user
      again
    - When no users and no manual entry, force manual entry to appear
      (LP: #1044251)
    - When switching between monitors, re-adjust user names (LP: #1043604)
    - Center remote login help dialog
    - Use the xsettings plugin to apply icons-in-menus gsetting
      (LP: #927236)
  * debian/unity-greeter.pkla:
    - Fix policykit file to not be order-dependent and spell out the
      NetworkManager permissions instead of using a wildcard.
      LP: #1048522
  * debian/control:
    - Add some Build-Depends for new test suite
  * debian/patches/01_add_remote_login_help_icon.patch:
    - Drop, remote login help icon is included upstream
  * debian/patches/02_use_remote_login_hint.patch:
    - Update to apply again
 -- Michael Terry <email address hidden> Mon, 17 Sep 2012 13:31:13 -0400

Changed in unity-greeter (Ubuntu):
status: Triaged → Fix Released
Michael Terry (mterry)
no longer affects: unity-greeter
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.