User continuously prompted for sudo password during testing

Bug #1328622 reported by Jeff Lane 
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
PlainBox (Toolkit)
Won't Fix
Wishlist
Unassigned

Bug Description

ubuntu@am3:~$ dpkg -l |grep checkbox
ii checkbox-ng 0.4~dev+bzr3053+pkg7~ubuntu14.04.1 all PlainBox based test runner
ii plainbox-provider-checkbox 0.4-1 arm64 CheckBox provider for PlainBox
ii python3-checkbox-ng 0.4~dev+bzr3053+pkg7~ubuntu14.04.1 all PlainBox based test runner (Python 3 library)
ii python3-checkbox-support 0.3~dev+bzr3053+pkg3~ubuntu14.04.1 all collection of Python modules used by PlainBox providers
ubuntu@am3:~$ dpkg -l |grep plainbox
ii plainbox-provider-certification-server 0.1~dev+bzr3053+pkg15~ubuntu14.04.1 all Server Certification
ii plainbox-provider-checkbox 0.4-1 arm64 CheckBox provider for PlainBox
ii plainbox-provider-resource-generic 0.4~dev+bzr3053+pkg5~ubuntu14.04.1 arm64 CheckBox generic resource jobs provider
ii plainbox-secure-policy 0.6~dev+bzr3053+pkg4~ubuntu14.04.1 all policykit policy required to use plainbox (secure version)
ii python3-plainbox 0.6~dev+bzr3053+pkg4~ubuntu14.04.1 all toolkit for software and hardware testing (python3 module)

This is being run on a new ARM64 board for dev/test purposes. I discovered that while running the various server tests, anything that requires root access is prompting me for a sudo password when the test runs.

So, rather than being asked for sudo at the beginning and never again, I'm being prompted on each root-access test case to input the sudo password.

Related branches

Revision history for this message
Daniel Manrique (roadmr) wrote :

plainbox's design is like this: it invokes the sudo runner every time it's needed, this is unlike checkbox which had a privileged "daemon" that took care of this.

Without a significant design change, we can't really solve this on the plainbox side. We *are* considering such a change but it's still in the early planning stages.

As a workaround, I can suggest configuring sudoers so that your user can run commands without needing a password.

As an interesting note, if you were using pkexec (i.e. not remotely, over ssh), you could just install the plainbox-insecure-policy package to achieve a similar effect.

Since this is "by design", I'll set this bug as triaged/wishlist and move to the plainbox engine where this stuff resides.

Changed in checkbox:
status: New → Triaged
importance: Undecided → Wishlist
affects: checkbox → plainbox
Revision history for this message
Zygmunt Krynicki (zyga) wrote : Re: [Bug 1328622] Re: User continuously prompted for sudo password during testing

This may be fixed with an all-new run-stuff-as-root policy. We'll see how
that pans out though as I'm pretty busy with QML bits

On Tue, Jun 10, 2014 at 8:53 PM, Daniel Manrique <
<email address hidden>> wrote:

> plainbox's design is like this: it invokes the sudo runner every time
> it's needed, this is unlike checkbox which had a privileged "daemon"
> that took care of this.
>
> Without a significant design change, we can't really solve this on the
> plainbox side. We *are* considering such a change but it's still in the
> early planning stages.
>
> As a workaround, I can suggest configuring sudoers so that your user can
> run commands without needing a password.
>
> As an interesting note, if you were using pkexec (i.e. not remotely,
> over ssh), you could just install the plainbox-insecure-policy package
> to achieve a similar effect.
>
> Since this is "by design", I'll set this bug as triaged/wishlist and
> move to the plainbox engine where this stuff resides.
>
> ** Changed in: checkbox
> Status: New => Triaged
>
> ** Changed in: checkbox
> Importance: Undecided => Wishlist
>
> ** Project changed: checkbox => plainbox
>
> --
> You received this bug notification because you are a member of Checkbox
> Bug Wranglers, which is subscribed to Checkbox.
> https://bugs.launchpad.net/bugs/1328622
>
> Title:
> User continuously prompted for sudo password during testing
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/plainbox/+bug/1328622/+subscriptions
>

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

Jeff: IIRC we switched from policykit to sudo, only for remote connections, assuming that sudo would be paswordless. In normal circumstances you should still see policykit being used and see at most few prompts.

Revision history for this message
Jeff Lane  (bladernr) wrote :

That is via an SSH connection. I was running that on a machine in the 1SS datacenter via SSH.

Also, this was FIXED before after you switched to using sudo the last time we had problems. If you'll recall, we were using plainbox-insecure-policy to get around the pkexec problems over ssh.

Then you fixed plainbox-secure-policy to allow sudo and we went back to using that, and I have not heard anyone complaining about this issue.

AFAIK, this only recently (within the last week or two) started happening. This remote testing on the arm64 card I'm working on is the first place I've seen in.

It's not so much being prompted for sudo, I get that, and expect it to happen early on. THe problem is that I'm being prompted for sudo every time a test runs. This makes certification testing extremely time consuming and difficult, as I now have to actively monitor what should be a completely automated test run to enter a password yet again.

Given what Daniel has said, the only real option I see is using the insecure policy by DEFAULT.

Revision history for this message
Jeff Lane  (bladernr) wrote :

Fixed it with a hammer.

Changed in plainbox:
status: Triaged → In Progress
Zygmunt Krynicki (zyga)
Changed in plainbox:
status: In Progress → Confirmed
milestone: none → future
Changed in plainbox:
status: Confirmed → Fix Released
Revision history for this message
Jeff Lane  (bladernr) wrote :

I changed this back to confirmed. I still see this, even when using plainbox-insecure-policy.

Just tested in a digital ocean VM running 14.04.3. I installed canonical-certification-server from the dev PPA which installed the following plainbox/checkbox packages:

I then ran the server full whitelist for 14.04 which made it to this point and then prompted me for a sudo password:
-------------[ Running job 51 / 60. Estimated time left: unknown ]--------------
----------------------------[ power-management/rtc ]----------------------------
ID: 2013.com.canonical.certification::power-management/rtc
Category: 2013.com.canonical.plainbox::power-management
... 8< -------------------------------------------------------------------------
[sudo] password for ubuntu:

Note, as with the original post, this is via an SSH connection. WE have been working around this in Server by changing the Ubuntu user to NOPASSWD for sudo, so that we are NEVER prompted. But that's a hack to work around the issue where even with the insecure policy in place, running via ssh results in prompts for sudo in the middle of testing.

Changed in plainbox:
status: Fix Released → Confirmed
Revision history for this message
Jeff Lane  (bladernr) wrote :

At this point, I only re-opened this because of the above. We have a workaround that is acceptable, so if you don't want to spend time fixing this, then close it again and I'll leave it. I just wanted to point out that while it seemed to be resolved, it's not.

Revision history for this message
Sylvain Pineau (sylvain-pineau) wrote :

insecure policy won't be taken into account if running over ssh as polkit considers it an an inactive session. That's why we fallback to sudo controller. Until we can use Maciej's sudo broker, tweaking sudoers is the only alternative for ssh sessions.

Changed in plainbox:
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.