fix(dns): no password prompts on vpn on — ship polkit rule (spec 009)#22

Merged: vcwild merged 1 commit into main from 009-polkit-dns-no-prompt on Jun 22, 2026
@vcwild (Owner) commented Jun 22, 2026

The problem

Since akon became rootless (v2.0.0), akon vpn on prompts the user for their password multiple times — once for each resolvectl call that applies the tunnel DNS. systemd-resolved gates set-dns-servers, set-domains, and set-default-route behind polkit auth_admin, so an unprivileged (rootless) user is challenged 3× per connect (plus more on disconnect). This blocks background mode and lazy mode.

CAP_NET_ADMIN doesn't help — polkit authorization is independent of process capabilities.

The fix

Ship a scoped polkit rule (packaging/polkit/49-akon-resolved-dns.rules) that grants — without authentication — exactly the four resolve1 DNS actions akon needs, and only for local active sessions:

  • org.freedesktop.resolve1.set-dns-servers
  • org.freedesktop.resolve1.set-domains
  • org.freedesktop.resolve1.set-default-route
  • org.freedesktop.resolve1.revert

Installed by the deb/rpm packages and make install (removed on uninstall), alongside the existing setcap grant.

Verified (pkcheck)

set-dns-servers:   AUTHORIZED   (no prompt)
set-domains:       AUTHORIZED
set-default-route: AUTHORIZED
revert:            AUTHORIZED
set-dnssec:        challenge    (correctly NOT granted — scoped)

Safety & robustness

  • Least-privilege: only 4 DNS actions, local active sessions only — not a blanket admin bypass. 3 static-content tests lock the scope.
  • Best-effort DNS: without the rule, polkit denies non-interactively (no hang); the tunnel stays up with a warning.
  • No sudo: the rootless model is preserved.

ADR 0003 records the decision. Spec: specs/009-polkit-dns-no-prompt/.

All 37 CI-equivalent test binaries green; fmt + clippy clean on 1.96.

…mpts (spec 009)

Rootless akon applies the tunnel DNS via resolvectl, which systemd-resolved
gates behind polkit auth_admin — causing 3 password prompts per 'akon vpn on'
(plus more on disconnect). This was a severe UX regression in the rootless model
and blocked background/lazy mode.

Fix: ship a scoped polkit rule (packaging/polkit/49-akon-resolved-dns.rules)
granting ONLY the four resolve1 DNS actions (set-dns-servers, set-domains,
set-default-route, revert) to LOCAL ACTIVE sessions, without authentication.

- Rule installed by deb/rpm packages + make install; removed on uninstall.
- make uninstall target added.
- DNS apply remains best-effort: without the rule, polkit denies
  non-interactively (no hang) and the tunnel stays up with a WARN.
- 3 static-content tests lock the rule's scope (exactly 4 actions, local+active,
  no blanket grant).
- ADR 0003 records the decision.

Verified with pkcheck: the 4 actions are AUTHORIZED without prompt for a local
session; unrelated actions (set-dnssec) are still challenged.

Spec: specs/009-polkit-dns-no-prompt/
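
A polkit rule with the scope described above, as an added example: it is not the contents of akon's packaging/polkit/49-akon-resolved-dns.rules, which this page does not show. The names `pk`, `AKON_DNS_ACTIONS` and `akonDnsRule` are hypothetical, and the `pk` fallback is a constructed stand-in for the `polkit` global so the file also runs under Node.

```javascript
// Added example, not akon's shipped rule file.
// Under polkitd the `polkit` global exists; the fallback below is a constructed
// stand-in so the same file can be exercised offline (e.g. under Node).
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: "not_handled" },
    addRule: function (fn) { this.rules = (this.rules || []).concat(fn); }
};

// The four resolve1 actions named in the PR description; nothing else is granted.
var AKON_DNS_ACTIONS = [
    "org.freedesktop.resolve1.set-dns-servers",
    "org.freedesktop.resolve1.set-domains",
    "org.freedesktop.resolve1.set-default-route",
    "org.freedesktop.resolve1.revert"
];

function akonDnsRule(action, subject) {
    // Exact-match allowlist, no prefix matching: set-dnssec and every other
    // resolve1 action fall through to the default policy (auth_admin challenge).
    if (AKON_DNS_ACTIONS.indexOf(action.id) === -1) {
        return pk.Result.NOT_HANDLED;
    }
    // Grant without authentication only to a local, active session.
    // Remote (e.g. SSH) or inactive sessions keep the default policy.
    if (subject.local === true && subject.active === true) {
        return pk.Result.YES;
    }
    return pk.Result.NOT_HANDLED;
}

pk.addRule(akonDnsRule);
```
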

Copilot AI review requested due to automatic review settings June 22, 2026 09:19

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@vcwild vcwild merged commit 6ee3788 into main Jun 22, 2026
12 of 14 checks passed
@vcwild vcwild deleted the 009-polkit-dns-no-prompt branch June 22, 2026 16:17