Package: policykit-1
Version: 0.105-17
Severity: normal

Dear Maintainer,

Hardening my Debian Stretch system with lynis, I enabled hardening /proc to limit non-superuser access to /proc directories.

proc /proc proc defaults,hidepid=2 0 0

After reboot, all programs that required root authentication via a popup are blocked from opening the window. Programs tested include: /usr/bin/synaptic-pkexec and /usr/bin/gufw-pkexec.

/var/log/auth.log

Apr 9 12:07:30 hostname polkitd(authority=local): Registered Authentication Agent for unix-process:21299:214113 (system bus name :1.88 [pkexec /usr/sbin/synaptic], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 9 12:07:33 hostname polkitd(authority=local): Operator of unix-process:21299:214113 FAILED to authenticate to gain authorization for action com.ubuntu.pkexec.synaptic for unix-process:21299:214113 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:username)
Apr 9 12:07:33 hostname pkexec[21300]: username: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/username] [COMMAND=/usr/sbin/synaptic]
Apr 9 12:07:33 hostname polkitd(authority=local): Unregistered Authentication Agent for unix-process:21299:214113 (system bus name :1.88, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

In fstab, hidepid=1 or hidepid=2 causes the same behavior. Commenting out the /proc line in fstab and rebooting solves the issue but reduces my hardening.

The behavior of blocking the user from running a program as root seems to be correct. However, there is no warning to the user that they are being blocked from running the program since the popup window to enter authentication never opens.

I suggest that if the authentication window cannot open then a warning window is displayed to the user that permission is denied.

Debian Stretch 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
lightdm 1.18.3
Openbox 3.6.1
LXQt Version: 0.11.1

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages policykit-1 depends on:
ii  dbus                   1.10.16-1
ii  libc6                  2.24-9
ii  libglib2.0-0           2.50.3-2
ii  libpam-systemd         232-22
ii  libpam0g               1.1.8-3.5
ii  libpolkit-agent-1-0    0.105-17
ii  libpolkit-backend-1-0  0.105-17
ii  libpolkit-gobject-1-0  0.105-17

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information
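
Because the denial described in the report above is only visible in auth.log, a triage script can correlate the two symptoms. This is an added example, not part of the original report or of polkit. The function names are hypothetical, the sample inputs are copied from the report (second log line shortened), and treating the coincidence as a hidepid conflict is a heuristic.

```python
import re

# Sample inputs copied from the report above (fstab entry and two auth.log lines,
# the second shortened after the action name).
FSTAB = "proc /proc proc defaults,hidepid=2 0 0\n"
AUTH_LOG = (
    "Apr 9 12:07:30 hostname polkitd(authority=local): Registered Authentication "
    "Agent for unix-process:21299:214113 (system bus name :1.88 "
    "[pkexec /usr/sbin/synaptic], object path "
    "/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)\n"
    "Apr 9 12:07:33 hostname polkitd(authority=local): Operator of "
    "unix-process:21299:214113 FAILED to authenticate to gain authorization for "
    "action com.ubuntu.pkexec.synaptic for unix-process:21299:214113\n"
)

REGISTERED = re.compile(r"Registered Authentication Agent for (unix-process:\d+:\d+)")
FAILED = re.compile(r"Operator of (unix-process:\d+:\d+) FAILED to authenticate "
                    r"to gain authorization for action (\S+)")

def proc_hidepid(mount_table):
    """Return the hidepid= value of the /proc entry in fstab or /proc/mounts text."""
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # blank, malformed or commented-out entry
        if fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]
    return "0"  # option absent: kernel default, /proc not restricted

def failed_agent_requests(log_text):
    """Pair each FAILED authentication with an agent registered for the same subject."""
    registered, hits = set(), []
    for line in log_text.splitlines():
        if m := REGISTERED.search(line):
            registered.add(m.group(1))
        elif (m := FAILED.search(line)) and m.group(1) in registered:
            hits.append((m.group(1), m.group(2)))
    return hits

def diagnose(mount_table, log_text):
    """Flag failed pkexec requests that coincide with a restricted /proc mount."""
    level = proc_hidepid(mount_table)
    if level in ("0", "off"):  # "off" is the named form newer kernels accept
        return []
    return [f"{action}: denied for {subject} while /proc has hidepid={level}"
            for subject, action in failed_agent_requests(log_text)]

if __name__ == "__main__":
    print("\n".join(diagnose(FSTAB, AUTH_LOG)))
```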