Polkit pkla rule is not working on 18.04












5















I have troubles with infamous colord policy prompts on Gnome 3.28.1. With XFCE desktop on the same system I have no such problem.



I work via xrdp and always get this prompt and I cannot disable it.



Whenever I change <action id="org.freedesktop.color-manager.create-device"> policy in /usr/share/polkit-1/actions/org.freedesktop.color.policy to <allow_any>yes</allow_any> I get Gnome fatal error in logs.



UPDATED logs after WinEunuuchs2Unix advice:



gsd-media-keys[1099]: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-user-share-webdav.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit rygel.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-remote-desktop.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit vino-server.service not loaded.

gnome-session-binary[877]: Entering running state

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.Calendar7'

systemd[847]: Started Evolution calendar service.

dbus-daemon[867]: [session uid=1000 pid=867] Activating service name='ca.desrt.dconf' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

dbus-daemon[867]: [session uid=1000 pid=867] Activating via systemd: service name='org.gnome.evolution.dataserver.AddressBook9' unit='evolution-addressbook-factory.service' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

systemd[847]: Starting Evolution address book service...

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'ca.desrt.dconf'

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.AddressBook9'

systemd[847]: Started Evolution address book service.

gnome-shell[922]: Error looking up permission: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.impl.portal.PermissionStore was not provided by any .service files

kerneloops-appl[1152]: Failed to load module "canberra-gtk-module"

gsd-color[1088]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1088]: No data available

gnome-shell[922]: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

gsd-color[1088]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  213.817502] do_trap: 20 callbacks suppressed

kernel: [  213.817504] traps: gsd-color[1088] trap divide error ip:5592b1f5c94a sp:7fffbcc03a90 error:0 in gsd-color[5592b1f53000+12000]

gnome-shell[922]: Could not get current seat: No data available

gnome-shell[922]: GNOME Shell started at Mon May 21 2018 12:06:54 GMT+0300 (EEST)

gnome-session[877]: gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gsd-color[1240]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1240]: No data available

gsd-color[1240]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  220.142162] traps: gsd-color[1240] trap divide error ip:55c79912d94a sp:7ffcbd6a6020 error:0 in gsd-color[55c799124000+12000]

gnome-session[877]: gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: Unrecoverable failure in required component org.gnome.SettingsDaemon.Color.desktop

gnome-session[877]: gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

xrdp-sesman[846]: (846)(140561311482944)[CORE ] window manager (pid 859) did exit, cleaning up session

xrdp-sesman[846]: (846)(140561311482944)[INFO ] calling auth_stop_session and auth_end from pid 846

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets:

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_out_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_in_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10

xrdp-sesman[621]: (621)(140561311482944)[INFO ] ++ terminated session:  username xoob, display :10.0, session_pid 846, ip 192.168.1.100:7137 - socket: 12

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 26 (AF_UNIX)

at-spi-bus-launcher[884]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

at-spi-bus-launcher[884]:       after 23 requests (23 known processed) with 0 events remaining.

kernel: [  221.144168] gnome-shell[922]: segfault at 10 ip 00007fd88cb3712f sp 00007fff690fcac0 error 4 in libmutter-2.so.0.0.0[7fd88ca73000+156000]

gsd-power[1051]: gsd-power: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-xsettings[1069]: gsd-xsettings: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-wacom[1075]: gsd-wacom: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-clipboard[1084]: gsd-clipboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-media-keys[1099]: gsd-media-keys: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-keyboard[1093]: gsd-keyboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

kerneloops-applet.desktop[1152]: kerneloops-applet: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

conky.desktop[1150]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

conky.desktop[1150]:       after 578 requests (578 known processed) with 0 events remaining.

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 12 (AF_INET 192.168.1.201:7777)

xrdp[844]: (844)(140711347752192)[DEBUG] xrdp_mm_module_cleanup

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 25 (AF_UNIX)


The same happens if I simply try to login interactively with password prompt.



I tried to create custom pkla file in /var/lib/polkit-1/localauthority/50-local.d:



<action id="org.freedesktop.color-manager.create-device">

  <description xml:lang="en">Create a color managed device</description>

  <message xml:lang="en">Authentication is required to create a color managed device</message>

  <defaults>

    <allow_any>yes</allow_inactive>

    <allow_inactive>yes</allow_inactive>

    <allow_active>yes</allow_active>

  </defaults>

</action>


It seems to me it's equivalent to directly changing actions is /usr/share/polkit-1/actions.



I also tried to create global allow pkla rule as per this proposal:



[No password prompt]

Identity=unix-group:sudo

Action=*

ResultActive=yes


I also have global rule in /etc/polkit-1/rules.d



polkit.addRule(function(action, subject) {

if (subject.isInGroup("group")) {

      return polkit.Result.YES;

   }

});


As I got it, if I have polkit < 0.106, the rules are not processed, and one should use pkla files. Correct me, if I'm wrong. My pkaction --version shows 0.105.



None of the above worked. Which steps should I try and how to debug this?






gnome security 18.04 xrdp policykit







share|improve this question

























  • At this point there are too many variables we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).

    – muru
    May 6 '18 at 11:05













  • Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seems the same to me. That's why I think my pkla rule is not parsed and is not active.

    – Suncatcher
    May 6 '18 at 11:30













  • Maybe there is a way to view more specific polkit logs elsewhere? I created logging rule in /etc/polkit-1/rules.d but it seems to be not working too.

    – Suncatcher
    May 6 '18 at 11:33


















5















I have troubles with infamous colord policy prompts on Gnome 3.28.1. With XFCE desktop on the same system I have no such problem.



I work via xrdp and always get this prompt and I cannot disable it.



Whenever I change <action id="org.freedesktop.color-manager.create-device"> policy in /usr/share/polkit-1/actions/org.freedesktop.color.policy to <allow_any>yes</allow_any> I get Gnome fatal error in logs.



UPDATED logs after WinEunuuchs2Unix advice:



gsd-media-keys[1099]: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-user-share-webdav.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit rygel.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-remote-desktop.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit vino-server.service not loaded.

gnome-session-binary[877]: Entering running state

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.Calendar7'

systemd[847]: Started Evolution calendar service.

dbus-daemon[867]: [session uid=1000 pid=867] Activating service name='ca.desrt.dconf' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

dbus-daemon[867]: [session uid=1000 pid=867] Activating via systemd: service name='org.gnome.evolution.dataserver.AddressBook9' unit='evolution-addressbook-factory.service' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

systemd[847]: Starting Evolution address book service...

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'ca.desrt.dconf'

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.AddressBook9'

systemd[847]: Started Evolution address book service.

gnome-shell[922]: Error looking up permission: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.impl.portal.PermissionStore was not provided by any .service files

kerneloops-appl[1152]: Failed to load module "canberra-gtk-module"

gsd-color[1088]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1088]: No data available

gnome-shell[922]: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

gsd-color[1088]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  213.817502] do_trap: 20 callbacks suppressed

kernel: [  213.817504] traps: gsd-color[1088] trap divide error ip:5592b1f5c94a sp:7fffbcc03a90 error:0 in gsd-color[5592b1f53000+12000]

gnome-shell[922]: Could not get current seat: No data available

gnome-shell[922]: GNOME Shell started at Mon May 21 2018 12:06:54 GMT+0300 (EEST)

gnome-session[877]: gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gsd-color[1240]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1240]: No data available

gsd-color[1240]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  220.142162] traps: gsd-color[1240] trap divide error ip:55c79912d94a sp:7ffcbd6a6020 error:0 in gsd-color[55c799124000+12000]

gnome-session[877]: gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: Unrecoverable failure in required component org.gnome.SettingsDaemon.Color.desktop

gnome-session[877]: gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

xrdp-sesman[846]: (846)(140561311482944)[CORE ] window manager (pid 859) did exit, cleaning up session

xrdp-sesman[846]: (846)(140561311482944)[INFO ] calling auth_stop_session and auth_end from pid 846

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets:

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_out_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_in_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10

xrdp-sesman[621]: (621)(140561311482944)[INFO ] ++ terminated session:  username xoob, display :10.0, session_pid 846, ip 192.168.1.100:7137 - socket: 12

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 26 (AF_UNIX)

at-spi-bus-launcher[884]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

at-spi-bus-launcher[884]:       after 23 requests (23 known processed) with 0 events remaining.

kernel: [  221.144168] gnome-shell[922]: segfault at 10 ip 00007fd88cb3712f sp 00007fff690fcac0 error 4 in libmutter-2.so.0.0.0[7fd88ca73000+156000]

gsd-power[1051]: gsd-power: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-xsettings[1069]: gsd-xsettings: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-wacom[1075]: gsd-wacom: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-clipboard[1084]: gsd-clipboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-media-keys[1099]: gsd-media-keys: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-keyboard[1093]: gsd-keyboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

kerneloops-applet.desktop[1152]: kerneloops-applet: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

conky.desktop[1150]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

conky.desktop[1150]:       after 578 requests (578 known processed) with 0 events remaining.

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 12 (AF_INET 192.168.1.201:7777)

xrdp[844]: (844)(140711347752192)[DEBUG] xrdp_mm_module_cleanup

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 25 (AF_UNIX)


The same happens if I simply try to login interactively with password prompt.



I tried to create custom pkla file in /var/lib/polkit-1/localauthority/50-local.d:



<action id="org.freedesktop.color-manager.create-device">

  <description xml:lang="en">Create a color managed device</description>

  <message xml:lang="en">Authentication is required to create a color managed device</message>

  <defaults>

    <allow_any>yes</allow_inactive>

    <allow_inactive>yes</allow_inactive>

    <allow_active>yes</allow_active>

  </defaults>

</action>


It seems to me it's equivalent to directly changing actions is /usr/share/polkit-1/actions.



I also tried to create global allow pkla rule as per this proposal:



[No password prompt]

Identity=unix-group:sudo

Action=*

ResultActive=yes


I also have global rule in /etc/polkit-1/rules.d



polkit.addRule(function(action, subject) {

if (subject.isInGroup("group")) {

      return polkit.Result.YES;

   }

});


As I got it, if I have polkit < 0.106, the rules are not processed, and one should use pkla files. Correct me, if I'm wrong. My pkaction --version shows 0.105.



None of the above worked. Which steps should I try and how to debug this?






gnome security 18.04 xrdp policykit







share|improve this question

























  • At this point there are too many variables we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).

    – muru
    May 6 '18 at 11:05













  • Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seems the same to me. That's why I think my pkla rule is not parsed and is not active.

    – Suncatcher
    May 6 '18 at 11:30













  • Maybe there is a way to view more specific polkit logs elsewhere? I created logging rule in /etc/polkit-1/rules.d but it seems to be not working too.

    – Suncatcher
    May 6 '18 at 11:33
















5












5








5


2






I have troubles with infamous colord policy prompts on Gnome 3.28.1. With XFCE desktop on the same system I have no such problem.



I work via xrdp and always get this prompt and I cannot disable it.



Whenever I change <action id="org.freedesktop.color-manager.create-device"> policy in /usr/share/polkit-1/actions/org.freedesktop.color.policy to <allow_any>yes</allow_any> I get Gnome fatal error in logs.



UPDATED logs after WinEunuuchs2Unix advice:



gsd-media-keys[1099]: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-user-share-webdav.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit rygel.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-remote-desktop.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit vino-server.service not loaded.

gnome-session-binary[877]: Entering running state

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.Calendar7'

systemd[847]: Started Evolution calendar service.

dbus-daemon[867]: [session uid=1000 pid=867] Activating service name='ca.desrt.dconf' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

dbus-daemon[867]: [session uid=1000 pid=867] Activating via systemd: service name='org.gnome.evolution.dataserver.AddressBook9' unit='evolution-addressbook-factory.service' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

systemd[847]: Starting Evolution address book service...

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'ca.desrt.dconf'

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.AddressBook9'

systemd[847]: Started Evolution address book service.

gnome-shell[922]: Error looking up permission: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.impl.portal.PermissionStore was not provided by any .service files

kerneloops-appl[1152]: Failed to load module "canberra-gtk-module"

gsd-color[1088]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1088]: No data available

gnome-shell[922]: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

gsd-color[1088]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  213.817502] do_trap: 20 callbacks suppressed

kernel: [  213.817504] traps: gsd-color[1088] trap divide error ip:5592b1f5c94a sp:7fffbcc03a90 error:0 in gsd-color[5592b1f53000+12000]

gnome-shell[922]: Could not get current seat: No data available

gnome-shell[922]: GNOME Shell started at Mon May 21 2018 12:06:54 GMT+0300 (EEST)

gnome-session[877]: gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gsd-color[1240]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1240]: No data available

gsd-color[1240]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  220.142162] traps: gsd-color[1240] trap divide error ip:55c79912d94a sp:7ffcbd6a6020 error:0 in gsd-color[55c799124000+12000]

gnome-session[877]: gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: Unrecoverable failure in required component org.gnome.SettingsDaemon.Color.desktop

gnome-session[877]: gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

xrdp-sesman[846]: (846)(140561311482944)[CORE ] window manager (pid 859) did exit, cleaning up session

xrdp-sesman[846]: (846)(140561311482944)[INFO ] calling auth_stop_session and auth_end from pid 846

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets:

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_out_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_in_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10

xrdp-sesman[621]: (621)(140561311482944)[INFO ] ++ terminated session:  username xoob, display :10.0, session_pid 846, ip 192.168.1.100:7137 - socket: 12

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 26 (AF_UNIX)

at-spi-bus-launcher[884]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

at-spi-bus-launcher[884]:       after 23 requests (23 known processed) with 0 events remaining.

kernel: [  221.144168] gnome-shell[922]: segfault at 10 ip 00007fd88cb3712f sp 00007fff690fcac0 error 4 in libmutter-2.so.0.0.0[7fd88ca73000+156000]

gsd-power[1051]: gsd-power: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-xsettings[1069]: gsd-xsettings: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-wacom[1075]: gsd-wacom: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-clipboard[1084]: gsd-clipboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-media-keys[1099]: gsd-media-keys: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-keyboard[1093]: gsd-keyboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

kerneloops-applet.desktop[1152]: kerneloops-applet: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

conky.desktop[1150]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

conky.desktop[1150]:       after 578 requests (578 known processed) with 0 events remaining.

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 12 (AF_INET 192.168.1.201:7777)

xrdp[844]: (844)(140711347752192)[DEBUG] xrdp_mm_module_cleanup

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 25 (AF_UNIX)


The same happens if I simply try to login interactively with password prompt.



I tried to create custom pkla file in /var/lib/polkit-1/localauthority/50-local.d:



<action id="org.freedesktop.color-manager.create-device">

  <description xml:lang="en">Create a color managed device</description>

  <message xml:lang="en">Authentication is required to create a color managed device</message>

  <defaults>

    <allow_any>yes</allow_inactive>

    <allow_inactive>yes</allow_inactive>

    <allow_active>yes</allow_active>

  </defaults>

</action>


It seems to me it's equivalent to directly changing actions is /usr/share/polkit-1/actions.



I also tried to create global allow pkla rule as per this proposal:



[No password prompt]

Identity=unix-group:sudo

Action=*

ResultActive=yes


I also have global rule in /etc/polkit-1/rules.d



polkit.addRule(function(action, subject) {

if (subject.isInGroup("group")) {

      return polkit.Result.YES;

   }

});


As I got it, if I have polkit < 0.106, the rules are not processed, and one should use pkla files. Correct me, if I'm wrong. My pkaction --version shows 0.105.



None of the above worked. Which steps should I try and how to debug this?






gnome security 18.04 xrdp policykit







share|improve this question
















I have troubles with infamous colord policy prompts on Gnome 3.28.1. With XFCE desktop on the same system I have no such problem.



I work via xrdp and always get this prompt and I cannot disable it.



Whenever I change <action id="org.freedesktop.color-manager.create-device"> policy in /usr/share/polkit-1/actions/org.freedesktop.color.policy to <allow_any>yes</allow_any> I get Gnome fatal error in logs.



UPDATED logs after WinEunuuchs2Unix advice:



gsd-media-keys[1099]: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-user-share-webdav.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit rygel.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-remote-desktop.service not loaded.

gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit vino-server.service not loaded.

gnome-session-binary[877]: Entering running state

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.Calendar7'

systemd[847]: Started Evolution calendar service.

dbus-daemon[867]: [session uid=1000 pid=867] Activating service name='ca.desrt.dconf' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

dbus-daemon[867]: [session uid=1000 pid=867] Activating via systemd: service name='org.gnome.evolution.dataserver.AddressBook9' unit='evolution-addressbook-factory.service' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")

systemd[847]: Starting Evolution address book service...

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'ca.desrt.dconf'

dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.AddressBook9'

systemd[847]: Started Evolution address book service.

gnome-shell[922]: Error looking up permission: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.impl.portal.PermissionStore was not provided by any .service files

kerneloops-appl[1152]: Failed to load module "canberra-gtk-module"

gsd-color[1088]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1088]: No data available

gnome-shell[922]: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

gsd-color[1088]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  213.817502] do_trap: 20 callbacks suppressed

kernel: [  213.817504] traps: gsd-color[1088] trap divide error ip:5592b1f5c94a sp:7fffbcc03a90 error:0 in gsd-color[5592b1f53000+12000]

gnome-shell[922]: Could not get current seat: No data available

gnome-shell[922]: GNOME Shell started at Mon May 21 2018 12:06:54 GMT+0300 (EEST)

gnome-session[877]: gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8

gsd-color[1240]: failed to get edid: unable to get EDID for output

colord[1140]: failed to get seat for session c1 [pid 1240]: No data available

gsd-color[1240]: unable to get EDID for xrandr-rdp0: unable to get EDID for output

kernel: [  220.142162] traps: gsd-color[1240] trap divide error ip:55c79912d94a sp:7ffcbd6a6020 error:0 in gsd-color[55c799124000+12000]

gnome-session[877]: gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly

gnome-session-binary[877]: Unrecoverable failure in required component org.gnome.SettingsDaemon.Color.desktop

gnome-session[877]: gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....

xrdp-sesman[846]: (846)(140561311482944)[CORE ] window manager (pid 859) did exit, cleaning up session

xrdp-sesman[846]: (846)(140561311482944)[INFO ] calling auth_stop_session and auth_end from pid 846

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets:

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_out_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_in_socket_10

xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10

xrdp-sesman[621]: (621)(140561311482944)[INFO ] ++ terminated session:  username xoob, display :10.0, session_pid 846, ip 192.168.1.100:7137 - socket: 12

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 26 (AF_UNIX)

at-spi-bus-launcher[884]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

at-spi-bus-launcher[884]:       after 23 requests (23 known processed) with 0 events remaining.

kernel: [  221.144168] gnome-shell[922]: segfault at 10 ip 00007fd88cb3712f sp 00007fff690fcac0 error 4 in libmutter-2.so.0.0.0[7fd88ca73000+156000]

gsd-power[1051]: gsd-power: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-xsettings[1069]: gsd-xsettings: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-wacom[1075]: gsd-wacom: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-clipboard[1084]: gsd-clipboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-media-keys[1099]: gsd-media-keys: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

gsd-keyboard[1093]: gsd-keyboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

kerneloops-applet.desktop[1152]: kerneloops-applet: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.

conky.desktop[1150]: XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"

conky.desktop[1150]:       after 578 requests (578 known processed) with 0 events remaining.

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 12 (AF_INET 192.168.1.201:7777)

xrdp[844]: (844)(140711347752192)[DEBUG] xrdp_mm_module_cleanup

xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 25 (AF_UNIX)


The same happens if I simply try to login interactively with password prompt.



I tried to create custom pkla file in /var/lib/polkit-1/localauthority/50-local.d:



<action id="org.freedesktop.color-manager.create-device">

  <description xml:lang="en">Create a color managed device</description>

  <message xml:lang="en">Authentication is required to create a color managed device</message>

  <defaults>

    <allow_any>yes</allow_inactive>

    <allow_inactive>yes</allow_inactive>

    <allow_active>yes</allow_active>

  </defaults>

</action>


It seems to me it's equivalent to directly changing actions is /usr/share/polkit-1/actions.



I also tried to create global allow pkla rule as per this proposal:



[No password prompt]

Identity=unix-group:sudo

Action=*

ResultActive=yes


I also have global rule in /etc/polkit-1/rules.d



polkit.addRule(function(action, subject) {

if (subject.isInGroup("group")) {

      return polkit.Result.YES;

   }

});


As I got it, if I have polkit < 0.106, the rules are not processed, and one should use pkla files. Correct me, if I'm wrong. My pkaction --version shows 0.105.



None of the above worked. Which steps should I try and how to debug this?






gnome security 18.04 xrdp policykit




gnome security 18.04 xrdp policykit






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 21 '18 at 9:25







Suncatcher

















asked May 6 '18 at 9:36









SuncatcherSuncatcher

12317




12317













  • At this point there are too many variables we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).

    – muru
    May 6 '18 at 11:05













  • Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seems the same to me. That's why I think my pkla rule is not parsed and is not active.

    – Suncatcher
    May 6 '18 at 11:30













  • Maybe there is a way to view more specific polkit logs elsewhere? I created logging rule in /etc/polkit-1/rules.d but it seems to be not working too.

    – Suncatcher
    May 6 '18 at 11:33





















  • At this point there are too many variables we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).

    – muru
    May 6 '18 at 11:05













  • Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seems the same to me. That's why I think my pkla rule is not parsed and is not active.

    – Suncatcher
    May 6 '18 at 11:30













  • Maybe there is a way to view more specific polkit logs elsewhere? I created logging rule in /etc/polkit-1/rules.d but it seems to be not working too.

    – Suncatcher
    May 6 '18 at 11:33



















At this point there are too many variables we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).

– muru
May 6 '18 at 11:05







At this point there are too many variables we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).

– muru
May 6 '18 at 11:05















Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seems the same to me. That's why I think my pkla rule is not parsed and is not active.

– Suncatcher
May 6 '18 at 11:30







Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seems the same to me. That's why I think my pkla rule is not parsed and is not active.

– Suncatcher
May 6 '18 at 11:30















Maybe there is a way to view more specific polkit logs elsewhere? I created logging rule in /etc/polkit-1/rules.d but it seems to be not working too.

– Suncatcher
May 6 '18 at 11:33







Maybe there is a way to view more specific polkit logs elsewhere? I created logging rule in /etc/polkit-1/rules.d but it seems to be not working too.

– Suncatcher
May 6 '18 at 11:33












4 Answers
4






active

oldest

votes


















0














In Stack Exchange I found this bug fix which might be helpful.



More specific you have to place a .rules file in



/etc/polkit-1/rules.d/


(Select a filename and just give the .rules extension)



and give the rules:



polkit.addRule(function(action, subject) {

   if ((action.id == "org.freedesktop.color-manager.create-device" ||

        action.id == "org.freedesktop.color-manager.create-profile" ||

        action.id == "org.freedesktop.color-manager.delete-device" ||

        action.id == "org.freedesktop.color-manager.delete-profile" ||

        action.id == "org.freedesktop.color-manager.modify-device" ||

        action.id == "org.freedesktop.color-manager.modify-profile") &&

       subject.isInGroup("ATTENTION")) {

      return polkit.Result.YES;

   }

});


Then you have to Replace the word "ATTENTION" with your user's group.



Refer back to the link for more information and additional links to follow.




Original post below



Your system logs are showing gnome-keyring errors. Solving those errors is likely key to your policy kit problems based on this Q&A: Gnome-keyring login problem that references policy kits.



Googling your specific error message:



couldn't access control socket: /run/user/1000/keyring/control: No such file or directory


Returns a lot of results:




  • Why do I get this warning from Gnome keyring in Xubuntu?

  • From ArchLinux: Gnome Keyring not working

  • From Debian: Fails to provide secrets


Between these three links you should find enough information to fix the gnome-keyring error. This in turn should be the precursor to fixing the policy kit problems.






share|improve this answer


























  • I applied the Archlinux solution, and those keyring error seems to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so those Debian bug is not relevant to me.

    – Suncatcher
    May 21 '18 at 9:18











  • Here is the new log with new errors, there many of them, but most seems to be DBus-related. As I see records alike SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?

    – Suncatcher
    May 21 '18 at 9:19













  • @Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.

    – WinEunuuchs2Unix
    May 21 '18 at 13:12











  • Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.

    – Suncatcher
    May 21 '18 at 15:05











  • @Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…

    – WinEunuuchs2Unix
    May 21 '18 at 15:13



















0














The issue was related to incorrect pass of single entry gamma ramp instead of a 256 entry gamma ramp. The bug was fixed in xorgxrdp version 0.2.6.






share|improve this answer

































    0














    I had a problem not being able to connect to vpn from ssh session on ubuntu 18.04.
    The problem was related to polkit, since



    nmcli general permissions


    Shows the lack of permissiosns.



    I've succeed with following way of adding custom polkit rule with ubuntu 18.04 (still polkit version 0.105, no support of javascript rules). As root I executed the command:



     # cat > /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla


    and entered following contents (note, this allows EVERYTHING for users of sudo group, may be risky):



    [Allow all without authentication for members of sudo group even for ssh sessions]
    
Identity=unix-group:sudo
    
Action=*
    
ResultAny=yes


    After this without restarting of any services or rebooting I got permissions to use any nmcli commands from ssh.






    share|improve this answer































      0














      Check the syntax of your pkla file. There might be hidden characters preventing polkit from parsing the file. See here.






      share|improve this answer























        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "89"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: true,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: 10,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














        draft saved

        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1032687%2fpolkit-pkla-rule-is-not-working-on-18-04%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        4 Answers
        4






        active

        oldest

        votes








        4 Answers
        4






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        0














        In Stack Exchange I found this bug fix which might be helpful.



        More specific you have to place a .rules file in



        /etc/polkit-1/rules.d/


        (Select a filename and just give the .rules extension)



        and give the rules:



        polkit.addRule(function(action, subject) {
        
   if ((action.id == "org.freedesktop.color-manager.create-device" ||
        
        action.id == "org.freedesktop.color-manager.create-profile" ||
        
        action.id == "org.freedesktop.color-manager.delete-device" ||
        
        action.id == "org.freedesktop.color-manager.delete-profile" ||
        
        action.id == "org.freedesktop.color-manager.modify-device" ||
        
        action.id == "org.freedesktop.color-manager.modify-profile") &&
        
       subject.isInGroup("ATTENTION")) {
        
      return polkit.Result.YES;
        
   }
        
});


        Then you have to Replace the word "ATTENTION" with your user's group.



        Refer back to the link for more information and additional links to follow.




        Original post below



        Your system logs are showing gnome-keyring errors. Solving those errors is likely key to your policy kit problems based on this Q&A: Gnome-keyring login problem that references policy kits.



        Googling your specific error message:



        couldn't access control socket: /run/user/1000/keyring/control: No such file or directory


        Returns a lot of results:




        • Why do I get this warning from Gnome keyring in Xubuntu?

        • From ArchLinux: Gnome Keyring not working

        • From Debian: Fails to provide secrets


        Between these three links you should find enough information to fix the gnome-keyring error. This in turn should be the precursor to fixing the policy kit problems.






        share|improve this answer


























        • I applied the Archlinux solution, and those keyring error seems to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so those Debian bug is not relevant to me.

          – Suncatcher
          May 21 '18 at 9:18











        • Here is the new log with new errors, there many of them, but most seems to be DBus-related. As I see records alike SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?

          – Suncatcher
          May 21 '18 at 9:19













        • @Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.

          – WinEunuuchs2Unix
          May 21 '18 at 13:12











        • Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.

          – Suncatcher
          May 21 '18 at 15:05











        • @Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…

          – WinEunuuchs2Unix
          May 21 '18 at 15:13
















        0














        In Stack Exchange I found this bug fix which might be helpful.



        More specific you have to place a .rules file in



        /etc/polkit-1/rules.d/


        (Select a filename and just give the .rules extension)



        and give the rules:



        polkit.addRule(function(action, subject) {
        
   if ((action.id == "org.freedesktop.color-manager.create-device" ||
        
        action.id == "org.freedesktop.color-manager.create-profile" ||
        
        action.id == "org.freedesktop.color-manager.delete-device" ||
        
        action.id == "org.freedesktop.color-manager.delete-profile" ||
        
        action.id == "org.freedesktop.color-manager.modify-device" ||
        
        action.id == "org.freedesktop.color-manager.modify-profile") &&
        
       subject.isInGroup("ATTENTION")) {
        
      return polkit.Result.YES;
        
   }
        
});


        Then you have to Replace the word "ATTENTION" with your user's group.



        Refer back to the link for more information and additional links to follow.




        Original post below



        Your system logs are showing gnome-keyring errors. Solving those errors is likely key to your policy kit problems based on this Q&A: Gnome-keyring login problem that references policy kits.



        Googling your specific error message:



        couldn't access control socket: /run/user/1000/keyring/control: No such file or directory


        Returns a lot of results:




        • Why do I get this warning from Gnome keyring in Xubuntu?

        • From ArchLinux: Gnome Keyring not working

        • From Debian: Fails to provide secrets


        Between these three links you should find enough information to fix the gnome-keyring error. This in turn should be the precursor to fixing the policy kit problems.






        share|improve this answer


























        • I applied the Archlinux solution, and those keyring error seems to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so those Debian bug is not relevant to me.

          – Suncatcher
          May 21 '18 at 9:18











        • Here is the new log with new errors, there many of them, but most seems to be DBus-related. As I see records alike SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?

          – Suncatcher
          May 21 '18 at 9:19













        • @Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.

          – WinEunuuchs2Unix
          May 21 '18 at 13:12











        • Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.

          – Suncatcher
          May 21 '18 at 15:05











        • @Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…

          – WinEunuuchs2Unix
          May 21 '18 at 15:13














        0












        0








        0







        In Stack Exchange I found this bug fix which might be helpful.



        More specific you have to place a .rules file in



        /etc/polkit-1/rules.d/


        (Select a filename and just give the .rules extension)



        and give the rules:



        polkit.addRule(function(action, subject) {
        
   if ((action.id == "org.freedesktop.color-manager.create-device" ||
        
        action.id == "org.freedesktop.color-manager.create-profile" ||
        
        action.id == "org.freedesktop.color-manager.delete-device" ||
        
        action.id == "org.freedesktop.color-manager.delete-profile" ||
        
        action.id == "org.freedesktop.color-manager.modify-device" ||
        
        action.id == "org.freedesktop.color-manager.modify-profile") &&
        
       subject.isInGroup("ATTENTION")) {
        
      return polkit.Result.YES;
        
   }
        
});


        Then you have to Replace the word "ATTENTION" with your user's group.



        Refer back to the link for more information and additional links to follow.




        Original post below



        Your system logs are showing gnome-keyring errors. Solving those errors is likely key to your policy kit problems based on this Q&A: Gnome-keyring login problem that references policy kits.



        Googling your specific error message:



        couldn't access control socket: /run/user/1000/keyring/control: No such file or directory


        Returns a lot of results:




        • Why do I get this warning from Gnome keyring in Xubuntu?

        • From ArchLinux: Gnome Keyring not working

        • From Debian: Fails to provide secrets


        Between these three links you should find enough information to fix the gnome-keyring error. This in turn should be the precursor to fixing the policy kit problems.






        share|improve this answer















        In Stack Exchange I found this bug fix which might be helpful.



        More specific you have to place a .rules file in



        /etc/polkit-1/rules.d/


        (Select a filename and just give the .rules extension)



        and give the rules:



        polkit.addRule(function(action, subject) {
        
   if ((action.id == "org.freedesktop.color-manager.create-device" ||
        
        action.id == "org.freedesktop.color-manager.create-profile" ||
        
        action.id == "org.freedesktop.color-manager.delete-device" ||
        
        action.id == "org.freedesktop.color-manager.delete-profile" ||
        
        action.id == "org.freedesktop.color-manager.modify-device" ||
        
        action.id == "org.freedesktop.color-manager.modify-profile") &&
        
       subject.isInGroup("ATTENTION")) {
        
      return polkit.Result.YES;
        
   }
        
});


        Then you have to Replace the word "ATTENTION" with your user's group.



        Refer back to the link for more information and additional links to follow.




        Original post below



        Your system logs are showing gnome-keyring errors. Solving those errors is likely key to your policy kit problems based on this Q&A: Gnome-keyring login problem that references policy kits.



        Googling your specific error message:



        couldn't access control socket: /run/user/1000/keyring/control: No such file or directory


        Returns a lot of results:




        • Why do I get this warning from Gnome keyring in Xubuntu?

        • From ArchLinux: Gnome Keyring not working

        • From Debian: Fails to provide secrets


        Between these three links you should find enough information to fix the gnome-keyring error. This in turn should be the precursor to fixing the policy kit problems.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited May 21 '18 at 13:04

























        answered May 20 '18 at 19:58









        WinEunuuchs2UnixWinEunuuchs2Unix

        45.3k1085176




        45.3k1085176













        • I applied the Archlinux solution, and those keyring error seems to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so those Debian bug is not relevant to me.

          – Suncatcher
          May 21 '18 at 9:18











        • Here is the new log with new errors, there many of them, but most seems to be DBus-related. As I see records alike SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?

          – Suncatcher
          May 21 '18 at 9:19













        • @Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.

          – WinEunuuchs2Unix
          May 21 '18 at 13:12











        • Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.

          – Suncatcher
          May 21 '18 at 15:05











        • @Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…

          – WinEunuuchs2Unix
          May 21 '18 at 15:13



















        • I applied the Archlinux solution, and those keyring error seems to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so those Debian bug is not relevant to me.

          – Suncatcher
          May 21 '18 at 9:18











        • Here is the new log with new errors, there many of them, but most seems to be DBus-related. As I see records alike SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?

          – Suncatcher
          May 21 '18 at 9:19













        • @Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.

          – WinEunuuchs2Unix
          May 21 '18 at 13:12











        • Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.

          – Suncatcher
          May 21 '18 at 15:05











        • @Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…

          – WinEunuuchs2Unix
          May 21 '18 at 15:13

















        I applied the Archlinux solution, and those keyring error seems to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so those Debian bug is not relevant to me.

        – Suncatcher
        May 21 '18 at 9:18





        I applied the Archlinux solution, and those keyring error seems to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so those Debian bug is not relevant to me.

        – Suncatcher
        May 21 '18 at 9:18













        Here is the new log with new errors, there many of them, but most seems to be DBus-related. As I see records alike SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?

        – Suncatcher
        May 21 '18 at 9:19







        Here is the new log with new errors, there many of them, but most seems to be DBus-related. As I see records alike SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?

        – Suncatcher
        May 21 '18 at 9:19















        @Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.

        – WinEunuuchs2Unix
        May 21 '18 at 13:12





        @Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.

        – WinEunuuchs2Unix
        May 21 '18 at 13:12













        Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.

        – Suncatcher
        May 21 '18 at 15:05





        Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.

        – Suncatcher
        May 21 '18 at 15:05













        @Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…

        – WinEunuuchs2Unix
        May 21 '18 at 15:13





        @Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…

        – WinEunuuchs2Unix
        May 21 '18 at 15:13













        0














        The issue was related to incorrect pass of single entry gamma ramp instead of a 256 entry gamma ramp. The bug was fixed in xorgxrdp version 0.2.6.






        share|improve this answer






























          0














          The issue was related to incorrect pass of single entry gamma ramp instead of a 256 entry gamma ramp. The bug was fixed in xorgxrdp version 0.2.6.






          share|improve this answer




























            0












            0








            0







            The issue was related to incorrect pass of single entry gamma ramp instead of a 256 entry gamma ramp. The bug was fixed in xorgxrdp version 0.2.6.






            share|improve this answer















            The issue was related to incorrect pass of single entry gamma ramp instead of a 256 entry gamma ramp. The bug was fixed in xorgxrdp version 0.2.6.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Jun 30 '18 at 18:37

























            answered Jun 1 '18 at 10:43









            SuncatcherSuncatcher

            12317




            12317























                0














                I had a problem not being able to connect to vpn from ssh session on ubuntu 18.04.
                The problem was related to polkit, since



                nmcli general permissions


                Shows the lack of permissiosns.



                I've succeed with following way of adding custom polkit rule with ubuntu 18.04 (still polkit version 0.105, no support of javascript rules). As root I executed the command:



                 # cat > /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla


                and entered following contents (note, this allows EVERYTHING for users of sudo group, may be risky):



                [Allow all without authentication for members of sudo group even for ssh sessions]
                
Identity=unix-group:sudo
                
Action=*
                
ResultAny=yes


                After this without restarting of any services or rebooting I got permissions to use any nmcli commands from ssh.






                share|improve this answer




























                  0














                  I had a problem not being able to connect to vpn from ssh session on ubuntu 18.04.
                  The problem was related to polkit, since



                  nmcli general permissions


                  Shows the lack of permissiosns.



                  I've succeed with following way of adding custom polkit rule with ubuntu 18.04 (still polkit version 0.105, no support of javascript rules). As root I executed the command:



                   # cat > /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla


                  and entered following contents (note, this allows EVERYTHING for users of sudo group, may be risky):



                  [Allow all without authentication for members of sudo group even for ssh sessions]
                  
Identity=unix-group:sudo
                  
Action=*
                  
ResultAny=yes


                  After this without restarting of any services or rebooting I got permissions to use any nmcli commands from ssh.






                  share|improve this answer


























                    0












                    0








                    0







                    I had a problem not being able to connect to vpn from ssh session on ubuntu 18.04.
                    The problem was related to polkit, since



                    nmcli general permissions


                    Shows the lack of permissiosns.



                    I've succeed with following way of adding custom polkit rule with ubuntu 18.04 (still polkit version 0.105, no support of javascript rules). As root I executed the command:



                     # cat > /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla


                    and entered following contents (note, this allows EVERYTHING for users of sudo group, may be risky):



                    [Allow all without authentication for members of sudo group even for ssh sessions]
                    
Identity=unix-group:sudo
                    
Action=*
                    
ResultAny=yes


                    After this without restarting of any services or rebooting I got permissions to use any nmcli commands from ssh.






                    share|improve this answer













                    I had a problem not being able to connect to vpn from ssh session on ubuntu 18.04.
                    The problem was related to polkit, since



                    nmcli general permissions


                    Shows the lack of permissiosns.



                    I've succeed with following way of adding custom polkit rule with ubuntu 18.04 (still polkit version 0.105, no support of javascript rules). As root I executed the command:



                     # cat > /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla


                    and entered following contents (note, this allows EVERYTHING for users of sudo group, may be risky):



                    [Allow all without authentication for members of sudo group even for ssh sessions]
                    
Identity=unix-group:sudo
                    
Action=*
                    
ResultAny=yes


                    After this without restarting of any services or rebooting I got permissions to use any nmcli commands from ssh.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Jan 24 at 9:59









                    Vasily GalkinVasily Galkin

                    1




                    1























                        0














                        Check the syntax of your pkla file. There might be hidden characters preventing polkit from parsing the file. See here.






                        share|improve this answer




























                          0














                          Check the syntax of your pkla file. There might be hidden characters preventing polkit from parsing the file. See here.






                          share|improve this answer


























                            0












                            0








                            0







                            Check the syntax of your pkla file. There might be hidden characters preventing polkit from parsing the file. See here.






                            share|improve this answer













                            Check the syntax of your pkla file. There might be hidden characters preventing polkit from parsing the file. See here.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Jan 25 at 4:23









                            AzelicAzelic

                            63




                            63






























                                draft saved

                                draft discarded




















































                                Thanks for contributing an answer to Ask Ubuntu!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1032687%2fpolkit-pkla-rule-is-not-working-on-18-04%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                -

                                Popular posts from this blog

                                How to reconfigure Docker Trusted Registry 2.x.x to use CEPH FS mount instead of NFS and other traditional...

                                Image
                                0 I am having trouble trying to reconfigure my DTR container to try and use a CEPH FS mount we created to act as a storage backend for our image repository. The Docs are very vague on this and nothing exactly explains on how to do it. Has anyone yet connected the dots? linux filesystems mount storage docker share | improve this question asked Feb 1 at 6:40 jRapp3r jRapp3r 1 1 add a comment  | 
                                Read more

                                is 'sed' thread safe

                                Image
                                2 If I have a shell/python script that uses sed to modify a file in place based on user inputs, and then two users run the same script at the same time or approx. same time, is 'sed' thread safe ? Or perhaps it is not an issue because the file_descripor that was opened by the first thread will be used to lock the file anyway ? thx linux sed python share | improve this question edited 7 hours ago Jeff Schaller 42.9k 11 59 137 asked 7 hours ago terreys terreys
                                Read more

                                How to make a Squid Proxy server?

                                Image
                                1 I want to set up squid proxy server for monitoring user activity in a network and Internet Web URL filtering for user. I also want to configure the user login, user log, user access group, and block unwanted web sites in my network. Please help me and guide me the full process to do this. server proxy squid share | improve this question edited Jul 31 '12 at 14:45 Jorge Castro 37.1k 107 422 617 asked Jul 31 '12 at 5:16 Goivind Tiwari Goivind Tiwari
                                Read more