Polkit is prompted but result in EACCES: permission denied

[arbaes]

When trying to save a file where I don't have write access, I can retry as sudo,
the polkit agent raise a prompt sucessfully, and then

Failed to save 'lightdm-webkit2-greeter.conf': Command failed: cd "/home/arbaes"; "/usr/bin/pkexec" --disable-internal-agent /bin/bash -c "echo SUDOPROMPT; \"/usr/bin/code\" --file-write \"/tmp/code-elevated-xtjgyd\" \"/etc/lightdm/lightdm-webkit2-greeter.conf\"" Error using --file-write: EACCES: permission denied, open '/tmp/code-elevated-xtjgyd'

• VSCode Version:
  • 1.38.0
  • 3db7e09
  • x64
• OS Version: Linux version 5.2.11-arch1-1-ARCH
• Polkit tried:
  • xfce-polkit 0.3-1
  • polkit-kde-agent 5.16.5-1

Steps to Reproduce:

1. open any file supposed to be read-only for the current user
2. try to save
3. retry to save as sudo
4. Enter password in prompted polkit
5. Error message is raised

It worth to mention that a different message is raised when a wrong password is entered:

Failed to save 'lightdm-webkit2-greeter.conf': User did not grant permission.

Does this issue occur when all extensions are disabled?: Yes

[bpasero]

@jorangreef have you seen this before? I am trying to figure out if this s a sudo-prompt issue or with VSCode.

[jorangreef]

@bpasero is this for Electron 5.x? If so, this could be related to jorangreef/sudo-prompt#100 (comment) where Electron 5.x runs processes in a setuid sandbox (the Electron team are working on a fix).

@arbaes to isolate, please would you try running:

node node_modules/sudo-prompt/test.js

[bpasero]

@jorangreef this is still with Electron 4.x actually.

Are you saying that with Electron 6 sudo-prompt will not work at the moment? I just tried to reproduce on Ubuntu and indeed it seems to fail. The issue you link (electron/electron#18521) seems to have been closed though, any clues?

[bpasero]

OH, this fix seems to have landed only in 6.0.8 but we are using 6.0.7 so far.

//cc @deepak1556 fyi this was a fix we needed for E6, but we need to verify it is good once we go with 6.0.8

[jorangreef]

Are you saying that with Electron 6 sudo-prompt will not work at the moment?

@bpasero, yes, any Electron version which wanted to sandbox setuid, since there's no way we can do elevation without setuid.

On an unrelated note, while we are talking, just a reminder about microsoft/terminal#2419, the bug behind jorangreef/sudo-prompt#97, which also affects VSCode. I see @bitcrazed assigned this 10 hours ago.

[arbaes]

@jorangreef did try with sudo-prompt 6.11.3, here's the output:

❯ node node_modules/sudo-prompt/test.js
sudo.exec("echo \"$SUDO_PROMPT_TEST_ENV\"", {"env":{"SUDO_PROMPT_TEST_ENV":"hello world"},"name":"Electron"})
error: null
stdout: "hello world\n"
stderr: ""
OK

So I guess it's fine ?

EDIT:
Didn't saw the last comment of @bpasero , nice to know it will be fixed soon.

[jorangreef]

@arbaes, thanks, yes I think that points again to Electron's setuid sandbox as the culprit.

[bpasero]

@arbaes can you post a screenshot of the about dialog of VSCode?

[arbaes]

here you are:

EDIT:
It seems I indeed use an old version of electron, any way to manually force 6.0.8 ?

[bpasero]

I am still not convinced this issue is related to E6 because you see it with E4.

[arbaes]

If I can provide any more insights let me know

[dimyself]

I am getting this same error, but I have electron 6.1.1. I'm getting a similar error:

Failed to save 'curseradio.py': Command failed: cd "/home/user"; "/usr/bin/pkexec" --disable-internal-agent /bin/bash -c "echo SUDOPROMPT; \"/usr/bin/code\" --file-write \"/tmp/code-elevated-rukwep\" \"/usr/lib/python3.7/site-packages/curseradio/curseradio.py\"" Error using --file-write: EACCES: permission denied, open '/tmp/code-elevated-rukwep'

Is this the right place to report this?

Thanks!