Bug #16982

Can't start Synaptic from Additional Software that was itself started from tails-persistence-setup

Added by sajolida about 1 month ago. Updated 23 days ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: Persistence
Target version: -
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool: Additional Software Packages

Description

As reported on tails-testers ("Opinion about Tails 4.0beta1").

  • Open Additional Software in 4.0~beta1.
  • Click on "Synaptic Package Manager".
  • Nothing happens.

Related issues

Related to Tails - Feature #14544: Spend software developer time on smallish UX improvements In Progress 08/31/2018
Related to Tails - Bug #16273: pkexec error when trying to remove ASP through persistence-setup In Progress 01/04/2019
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by intrigeri about 1 month ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to Elevated

#2 Updated by intrigeri about 1 month ago

#3 Updated by intrigeri about 1 month ago

Might be related to #12092#note-24.

#4 Updated by segfault 26 days ago

  • Assignee set to segfault

#5 Updated by segfault 26 days ago

Can't reproduce. On a Tails image based on yesterday's devel branch (9f57027ef3bb7a24f255058788adb3d649af159c), I open Additional Software, then I click on "Synaptic Package Manager", then I get asked for the administration password, then Synaptic opens.

#6 Updated by segfault 26 days ago

segfault wrote:

Can't reproduce. On a Tails image based on yesterday's devel branch (9f57027ef3bb7a24f255058788adb3d649af159c), I open Additional Software, then I click on "Synaptic Package Manager", then I get asked for the administration password, then Synaptic opens.

Same with an image based on devel from Aug 11 (0a1ea458111f16833e10cb02c4cd445990c32019).

#7 Updated by segfault 26 days ago

  • Priority changed from Elevated to Normal
  • Target version changed from Tails_4.0 to Tails_3.16

After reading the email in which the bug was reported, I was able to reproduce this by starting Additional Software from the tails-persistence-setup dialog.
I was also able to reproduce this on Tails 3.15, so this is not a regression and I think we can lower the priority and change the target version to target 3.X releases instead of 4.0.

The journal contains this error message:

pkexec: tails-persistence-setup: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/] [COMMAND=/usr/sbin/synaptic --update-at-startup]

#8 Updated by segfault 26 days ago

  • Assignee deleted (segfault)

So the issue is that tails-persistence-setup is run as its own user, which has the default shell set to /bin/false. When it starts tails-additional-software-config, that is also run as the tails-persistence-setup user, and then pkexec doesn't seem to work because there is no working default shell configured.

I'm not sure what the best way to fix this is. We should run apps started by tails-persistence-setup as amnesia, but we can't simply change the user to amnesia, that would require more special permissions for the tails-persistence-setup user.

IMO the best design would be to run the tails-persistence-setup app as amnesia and have a privileged backend which the app uses for the actions which require privileges. IIRC, it's not possible to run graphical apps as another user under Wayland, so we have to change this anyway at some point, right?

#9 Updated by intrigeri 23 days ago

Hi!

I was also able to reproduce this on Tails 3.15, so this is not a regression

In a way, it's good news: one less Buster-related regression that we have to treat as particularly urgent! I'll drop the target version: we have plenty of other FT work that's more important and/or urgent than this one.

OTOH it's somewhat concerning that we've shipped the Additional Software feature without ever noticing this bug. Anyway, trying to start Synaptic from there is almost a corner case, so I'm not utterly surprised this was neither noticed by us, nor reported by users.

So the issue is that tails-persistence-setup is run as its own user, which has the default shell set to /bin/false. When it starts tails-additional-software-config, that is also run as the tails-persistence-setup user, and then pkexec doesn't seem to work because there is no working default shell configured.

Giving tails-persistence-setup a real shell should be fine: I don't think the security design (that's somewhat documented IIRC) relies on it having none.

IMO the best design would be to run the tails-persistence-setup app as amnesia and have a privileged backend which the app uses for the actions which require privileges.

Fully agreed: this is tracked as #15142. It's not exactly trivial. In the meantime, the bug this ticket is about can probably be fixed cheaply, as described above.

IIRC, it's not possible to run graphical apps as another user under Wayland, so we have to change this anyway at some point, right?

Yes, although there's a dirty workaround available (see the description of #12213), but the current plan is that for Tails 5.0 (Bullseye) we switch to Wayland without using that workaround. We'll see how close to this objective we manage to go :)
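
Added example, not part of the ticket and not Tails code: a check that lists accounts whose login shell is absent from /etc/shells, the condition behind the pkexec journal error in note #7. It assumes the SHELL value pkexec sees comes from the account's passwd entry; the passwd and shells text is constructed sample data.

```python
# Added example: list accounts whose login shell is missing from /etc/shells.
# Sample data below is constructed (UIDs, home path), not from a Tails image.
import sys

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
amnesia:x:1000:1000:Debian Live User,,,:/home/amnesia:/bin/bash
tails-persistence-setup:x:115:122::/var/lib/tails-persistence-setup:/bin/false
malformed-line-without-enough-fields
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""

def parse_shells(text):
    """Return the set of shells in shells(5) text, skipping comments and blanks."""
    shells = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            shells.add(entry)
    return shells

def parse_passwd(text):
    """Yield (user, shell) pairs from passwd(5) text, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            # passwd(5): an empty shell field defaults to /bin/sh.
            yield fields[0], fields[6] or "/bin/sh"

def unlisted_accounts(passwd_text, shells_text):
    """Return [(user, shell)] for accounts whose shell is not in shells_text."""
    shells = parse_shells(shells_text)
    return [(u, s) for u, s in parse_passwd(passwd_text) if s not in shells]

if __name__ == "__main__":
    # No arguments: use the constructed samples. Or pass: /etc/passwd /etc/shells
    if len(sys.argv) == 3:
        passwd_text = open(sys.argv[1]).read()
        shells_text = open(sys.argv[2]).read()
    else:
        passwd_text, shells_text = SAMPLE_PASSWD, SAMPLE_SHELLS
    for user, shell in unlisted_accounts(passwd_text, shells_text):
        print(f"{user}: shell {shell} is not listed in /etc/shells")
```
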

#10 Updated by intrigeri 23 days ago

  • Subject changed from Can't start Synaptic from Additional Software to Can't start Synaptic from Additional Software that was itself started from tails-persistence-setup
  • Target version deleted (Tails_3.16)

#11 Updated by sajolida 23 days ago

  • Related to Feature #14544: Spend software developer time on smallish UX improvements added

#12 Updated by intrigeri 23 days ago

  • Related to Bug #16273: pkexec error when trying to remove ASP through persistence-setup added
