Polkit pkla rule is not working on 18.04
I have troubles with infamous colord policy prompts on Gnome 3.28.1. With XFCE desktop on the same system I have no such problem.
I work via xrdp and always get this prompt and I cannot disable it.
Whenever I change <action id="org.freedesktop.color-manager.create-device"> policy in /usr/share/polkit-1/actions/org.freedesktop.color.policy to <allow_any>yes</allow_any> I get Gnome fatal error in logs.
UPDATED logs after WinEunuuchs2Unix advice:
gsd-media-keys[1099]: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied
gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-user-share-webdav.service not loaded.
gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit rygel.service not loaded.
gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit gnome-remote-desktop.service not loaded.
gsd-sharing[1059]: Failed to StopUnit service: GDBus.Error:org.freedesktop.systemd1.NoSuchUnit: Unit vino-server.service not loaded.
gnome-session-binary[877]: Entering running state
dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.Calendar7'
systemd[847]: Started Evolution calendar service.
dbus-daemon[867]: [session uid=1000 pid=867] Activating service name='ca.desrt.dconf' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")
dbus-daemon[867]: [session uid=1000 pid=867] Activating via systemd: service name='org.gnome.evolution.dataserver.AddressBook9' unit='evolution-addressbook-factory.service' requested by ':1.56' (uid=1000 pid=1176 comm="/usr/lib/evolution/evolution-calendar-factory-subp" label="unconfined")
systemd[847]: Starting Evolution address book service...
dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'ca.desrt.dconf'
dbus-daemon[867]: [session uid=1000 pid=867] Successfully activated service 'org.gnome.evolution.dataserver.AddressBook9'
systemd[847]: Started Evolution address book service.
gnome-shell[922]: Error looking up permission: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.impl.portal.PermissionStore was not provided by any .service files
kerneloops-appl[1152]: Failed to load module "canberra-gtk-module"
gsd-color[1088]: failed to get edid: unable to get EDID for output
colord[1140]: failed to get seat for session c1 [pid 1088]: No data available
gnome-shell[922]: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
gsd-color[1088]: unable to get EDID for xrandr-rdp0: unable to get EDID for output
kernel: [ 213.817502] do_trap: 20 callbacks suppressed
kernel: [ 213.817504] traps: gsd-color[1088] trap divide error ip:5592b1f5c94a sp:7fffbcc03a90 error:0 in gsd-color[5592b1f53000+12000]
gnome-shell[922]: Could not get current seat: No data available
gnome-shell[922]: GNOME Shell started at Mon May 21 2018 12:06:54 GMT+0300 (EEST)
gnome-session[877]: gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8
gnome-session-binary[877]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8
gsd-color[1240]: failed to get edid: unable to get EDID for output
colord[1140]: failed to get seat for session c1 [pid 1240]: No data available
gsd-color[1240]: unable to get EDID for xrandr-rdp0: unable to get EDID for output
kernel: [ 220.142162] traps: gsd-color[1240] trap divide error ip:55c79912d94a sp:7ffcbd6a6020 error:0 in gsd-color[55c799124000+12000]
gnome-session[877]: gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly
gnome-session-binary[877]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly
gnome-session-binary[877]: Unrecoverable failure in required component org.gnome.SettingsDaemon.Color.desktop
gnome-session[877]: gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....
gnome-session-binary[877]: CRITICAL: We failed, but the fail whale is dead. Sorry....
xrdp-sesman[846]: (846)(140561311482944)[CORE ] window manager (pid 859) did exit, cleaning up session
xrdp-sesman[846]: (846)(140561311482944)[INFO ] calling auth_stop_session and auth_end from pid 846
xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets:
xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_out_socket_10
xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_in_socket_10
xrdp-sesman[846]: (846)(140561311482944)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10
xrdp-sesman[621]: (621)(140561311482944)[INFO ] ++ terminated session: username xoob, display :10.0, session_pid 846, ip 192.168.1.100:7137 - socket: 12
xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 26 (AF_UNIX)
at-spi-bus-launcher[884]: XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"
at-spi-bus-launcher[884]: after 23 requests (23 known processed) with 0 events remaining.
kernel: [ 221.144168] gnome-shell[922]: segfault at 10 ip 00007fd88cb3712f sp 00007fff690fcac0 error 4 in libmutter-2.so.0.0.0[7fd88ca73000+156000]
gsd-power[1051]: gsd-power: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
gsd-xsettings[1069]: gsd-xsettings: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
gsd-wacom[1075]: gsd-wacom: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
gsd-clipboard[1084]: gsd-clipboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
gsd-media-keys[1099]: gsd-media-keys: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
gsd-keyboard[1093]: gsd-keyboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
kerneloops-applet.desktop[1152]: kerneloops-applet: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
conky.desktop[1150]: XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":10.0"
conky.desktop[1150]: after 578 requests (578 known processed) with 0 events remaining.
xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 12 (AF_INET 192.168.1.201:7777)
xrdp[844]: (844)(140711347752192)[DEBUG] xrdp_mm_module_cleanup
xrdp[844]: (844)(140711347752192)[DEBUG] Closed socket 25 (AF_UNIX)
The same happens if I simply try to login interactively with password prompt.
I tried to create custom pkla file in /var/lib/polkit-1/localauthority/50-local.d:
<action id="org.freedesktop.color-manager.create-device">
  <description xml:lang="en">Create a color managed device</description>
  <message xml:lang="en">Authentication is required to create a color managed device</message>
  <defaults>
    <allow_any>yes</allow_inactive>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>
It seems to me it's equivalent to directly changing actions in /usr/share/polkit-1/actions.
I also tried to create global allow pkla rule as per this proposal:
[No password prompt]
Identity=unix-group:sudo
Action=*
ResultActive=yes
I also have global rule in /etc/polkit-1/rules.d
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("group")) {
        return polkit.Result.YES;
    }
});
As I got it, if I have polkit < 0.106, the rules are not processed, and one should use pkla files. Correct me, if I'm wrong. My pkaction --version shows 0.105.
None of the above worked. Which steps should I try and how to debug this?
gnome security 18.04 xrdp policykit
At this point there are too many variables we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).
– muru
May 6 '18 at 11:05
Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seems the same to me. That's why I think my pkla rule is not parsed and is not active.
– Suncatcher
May 6 '18 at 11:30
Maybe there is a way to view more specific polkit logs elsewhere? I created logging rule in /etc/polkit-1/rules.d but it seems to be not working too.
– Suncatcher
May 6 '18 at 11:33
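Added example, not part of the original question or its comments: a small linter that checks a local-authority file against the key-file format documented in pklocalauthority(8) before it is dropped into 50-local.d, run here over constructed copies of the two attempts quoted in the question. The function names, finding codes and sample strings are hypothetical; only the key names, result values and identity prefixes come from the man page.

```python
import configparser

# Key names and result values accepted in .pkla entries, per pklocalauthority(8).
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
VALID_RESULTS = {"yes", "no", "auth_self", "auth_self_keep",
                 "auth_admin", "auth_admin_keep"}
IDENTITY_PREFIXES = ("unix-user:", "unix-group:", "unix-netgroup:")

# Constructed samples mirroring the two attempts quoted in the question.
XML_ATTEMPT = """\
<action id="org.freedesktop.color-manager.create-device">
  <defaults>
    <allow_any>yes</allow_inactive>
  </defaults>
</action>
"""
GLOBAL_ALLOW = """\
[No password prompt]
Identity=unix-group:sudo
Action=*
ResultActive=yes
"""
# Constructed: a narrow entry (one action, one identity, all three results set).
SCOPED = """\
[Allow colord device creation]
Identity=unix-group:sudo
Action=org.freedesktop.color-manager.create-device
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""


def _split(value):
    """Split a semicolon-separated list, dropping empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def lint_pkla(filename, text):
    """Return (severity, code, message) findings for one local-authority file."""
    findings = []
    if not filename.endswith(".pkla"):
        findings.append(("error", "bad-extension",
                         "only files ending in .pkla are read"))
    if text.lstrip().startswith("<"):
        findings.append(("error", "xml-content",
                         ".pkla files are key files, not <action> XML"))
        return findings
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",),
                                       comment_prefixes=("#",))
    parser.optionxform = str  # keep key names case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        findings.append(("error", "parse-error", type(exc).__name__))
        return findings
    if not parser.sections():
        findings.append(("error", "no-entries", "no [section] entries found"))
    for name in parser.sections():
        entry = parser[name]
        identities = _split(entry.get("Identity", ""))
        actions = _split(entry.get("Action", ""))
        results = {k: entry[k].strip() for k in RESULT_KEYS if k in entry}
        if not identities:
            findings.append(("error", "no-identity", f"[{name}] has no Identity"))
        for ident in identities:
            if not ident.startswith(IDENTITY_PREFIXES):
                findings.append(("warning", "identity-prefix",
                                 f"[{name}] unexpected identity {ident!r}"))
        if not actions:
            findings.append(("error", "no-action", f"[{name}] has no Action"))
        for key, value in results.items():
            if value not in VALID_RESULTS:
                findings.append(("error", "bad-result",
                                 f"[{name}] {key}={value!r} is not a valid result"))
        if not results:
            findings.append(("error", "no-result",
                             f"[{name}] sets no Result* key, so it decides nothing"))
        elif len(results) < len(RESULT_KEYS):
            missing = [k for k in RESULT_KEYS if k not in results]
            findings.append(("warning", "partial-result",
                             f"[{name}] leaves {', '.join(missing)} unset; clients "
                             "in those categories get no answer from this entry"))
        if "*" in actions and "yes" in results.values():
            findings.append(("warning", "broad-grant",
                             f"[{name}] grants every action without authentication"))
    return findings


def codes(findings):
    """Sorted finding codes, convenient for comparing results."""
    return sorted(code for _, code, _ in findings)


if __name__ == "__main__":
    for fname, body in (("colord.pkla", XML_ATTEMPT),
                        ("nopasswd.pkla", GLOBAL_ALLOW),
                        ("colord.pkla", SCOPED)):
        print(fname, codes(lint_pkla(fname, body)) or "ok")
```
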
edited May 21 '18 at 9:25
asked May 6 '18 at 9:36 by Suncatcher
At this point there are too many variables; we don't know if it's XML problems, Polkit configuration location precedence or what. So I'd suggest undoing every change you made, and start again with just a file in /etc/polkit-1/localauthority/50-local.d for your specific action and user. Also, please include the Polkit messages corresponding to the colord prompts (both with and without any configuration changes).
– muru
May 6 '18 at 11:05
Polkit messages are absolutely the same (given above in question), here are full relevant syslogs before and after which also seem the same to me. That's why I think my pkla rule is not parsed and is not active.
– Suncatcher
May 6 '18 at 11:30
Maybe there is a way to view more specific polkit logs elsewhere? I created a logging rule in /etc/polkit-1/rules.d but it seems to be not working too.
– Suncatcher
May 6 '18 at 11:33
4 Answers
In Stack Exchange I found this bug fix which might be helpful.
More specifically, you have to place a .rules file in /etc/polkit-1/rules.d/ (select a filename and just give it the .rules extension) and give the rules:
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.color-manager.create-device" ||
         action.id == "org.freedesktop.color-manager.create-profile" ||
         action.id == "org.freedesktop.color-manager.delete-device" ||
         action.id == "org.freedesktop.color-manager.delete-profile" ||
         action.id == "org.freedesktop.color-manager.modify-device" ||
         action.id == "org.freedesktop.color-manager.modify-profile") &&
        subject.isInGroup("ATTENTION")) {
        return polkit.Result.YES;
    }
});
Then you have to replace the word "ATTENTION" with your user's group.
Refer back to the link for more information and additional links to follow.
Original post below
Your system logs are showing gnome-keyring errors. Solving those errors is likely key to your policy kit problems based on this Q&A: Gnome-keyring login problem that references policy kits.
Googling your specific error message:
couldn't access control socket: /run/user/1000/keyring/control: No such file or directory
Returns a lot of results:
- Why do I get this warning from Gnome keyring in Xubuntu?
- From ArchLinux: Gnome Keyring not working
- From Debian: Fails to provide secrets
Between these three links you should find enough information to fix the gnome-keyring error. This in turn should be the precursor to fixing the policy kit problems.
edited May 21 '18 at 13:04
answered May 20 '18 at 19:58
WinEunuuchs2Unix
I applied the Archlinux solution, and those keyring errors seem to have gone, however Gnome still crashes with <allow_any>yes</allow_any> policy. Also, I have single desktop files in /etc/xdg/autostart/, so that Debian bug is not relevant to me.
– Suncatcher
May 21 '18 at 9:18
Here is the new log with new errors, there are many of them, but most seem to be DBus-related. As I see records like SSH_AUTH_SOCK=/run/user/1000/keyring/ssh, I suppose keyring error is solved, yes?
– Suncatcher
May 21 '18 at 9:19
@Suncatcher The gnome key ring errors appear to be gone now. I've updated the answer with a bug report I found on Stack Exchange.
– WinEunuuchs2Unix
May 21 '18 at 13:12
Doesn't help. I tried this solution many times before. What about polkit version? They say polkit < 0.106 doesn't recognize .rules files, only pkla.
– Suncatcher
May 21 '18 at 15:05
@Suncatcher Sorry forgot you were on version 0.105. See this answer: askubuntu.com/questions/536591/…
– WinEunuuchs2Unix
May 21 '18 at 15:13
The issue was related to incorrectly passing a single-entry gamma ramp instead of a 256-entry gamma ramp. The bug was fixed in xorgxrdp version 0.2.6.
edited Jun 30 '18 at 18:37
answered Jun 1 '18 at 10:43
Suncatcher
I had a problem not being able to connect to a VPN from an ssh session on Ubuntu 18.04.
The problem was related to polkit, since nmcli general permissions shows the lack of permissions.
I've succeeded with the following way of adding a custom polkit rule on Ubuntu 18.04 (still polkit version 0.105, no support for JavaScript rules). As root I executed the command:
# cat > /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla
and entered the following contents (note, this allows EVERYTHING for users of the sudo group, may be risky):
[Allow all without authentication for members of sudo group even for ssh sessions]
Identity=unix-group:sudo
Action=*
ResultAny=yes
After this, without restarting any services or rebooting, I got permissions to use any nmcli commands from ssh.
answered Jan 24 at 9:59
Vasily Galkin
Check the syntax of your pkla file. There might be hidden characters preventing polkit from parsing the file. See here.
answered Jan 25 at 4:23
Azelic
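A lint for the checks the answers above point at (hidden characters, pkla syntax, and how wide a rule is), as an added example that is not part of any answer and is not polkit's own parser. It is deliberately stricter than polkit: it reports every invisible character for inspection. The function name lint_pkla, the finding codes and the sample files are assumptions constructed for illustration; the key names and result values follow the pklocalauthority(8) format used by polkit 0.105.

```python
import re
import unicodedata

RESULTS = {"yes", "no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
KNOWN_KEYS = {"Identity", "Action", "ReturnValue", *RESULT_KEYS}
ID_PREFIXES = ("unix-user:", "unix-group:", "unix-netgroup:")


def is_hidden(ch):
    """Control/format characters and non-ASCII spaces that editors do not show."""
    cat = unicodedata.category(ch)
    return (cat in ("Cc", "Cf") and ch != "\t") or (cat == "Zs" and ch != " ")


def lint_pkla(filename, data):
    """Return findings as 'CODE line N: message' strings (line 0 = whole file)."""
    findings = []

    def add(code, lineno, msg):
        findings.append(f"{code} line {lineno}: {msg}")

    if not filename.endswith(".pkla"):
        add("EXT", 0, "file name does not end in .pkla")
    try:
        text = data.decode("utf-8")  # a BOM survives as U+FEFF and is reported below
    except UnicodeDecodeError as exc:
        add("ENCODING", 0, f"not valid UTF-8 ({exc.reason})")
        return findings

    groups, xml_reported = [], False  # groups: (header line, title, {key: value})
    for lineno, raw in enumerate(text.split("\n"), 1):
        for ch in filter(is_hidden, raw):
            add("HIDDEN", lineno, f"invisible character U+{ord(ch):04X}")
        line = "".join(ch for ch in raw if not is_hidden(ch)).strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            if not xml_reported:  # report once, not for every XML line
                add("XML", lineno, "XML markup; <action> blocks belong in a .policy file")
                xml_reported = True
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            groups.append((lineno, header.group(1), {}))
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            add("SYNTAX", lineno, "expected [Group] or Key=Value")
        elif not groups:
            add("SYNTAX", lineno, f"{key} appears before any [Group] header")
        elif key not in KNOWN_KEYS:
            add("KEY", lineno, f"unknown key {key!r}")
        else:
            groups[-1][2][key] = value

    if not groups:
        add("MISSING", 0, "no [Group] entry found")
    for lineno, title, keys in groups:
        for required in ("Identity", "Action"):
            if not keys.get(required):
                add("MISSING", lineno, f"[{title}] has no {required}")
        results = {k: keys[k] for k in RESULT_KEYS if k in keys}
        if not results:
            add("MISSING", lineno, f"[{title}] sets no Result* key")
        for key, value in results.items():
            if value not in RESULTS:
                add("VALUE", lineno, f"{key}={value!r} is not a polkit result")
        for ident in filter(None, keys.get("Identity", "").split(";")):
            if not ident.startswith(ID_PREFIXES):
                add("VALUE", lineno, f"identity {ident!r} has no unix-user:/unix-group: prefix")
        if set(results) == {"ResultActive"}:
            add("SCOPE", lineno, "ResultActive alone covers active local sessions only")
        if "*" in keys.get("Action", "").split(";") and "yes" in results.values():
            add("BROAD", lineno, f"[{title}] answers yes for every action")
    return findings

# Constructed samples modelled on the snippets quoted on this page.
SAMPLES = {
    "colord.pkla": b'<action id="org.freedesktop.color-manager.create-device">\n'
                   b"<defaults>\n<allow_any>yes</allow_any>\n</defaults>\n</action>\n",
    "allow-all.pkla": b"[Allow all]\nIdentity=unix-group:sudo\nAction=*\nResultAny=yes\n",
    "no-prompt.pkla": "[No password prompt]\nIdentity=unix-group:sudo\n"
                      "Action=*\u200b\nResultActive=yes\n".encode(),
    "colord-sudo.pkla": b"[colord for sudo]\nIdentity=unix-group:sudo\n"
                        b"Action=org.freedesktop.color-manager.*\n"
                        b"ResultAny=yes\nResultInactive=yes\nResultActive=yes\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, lint_pkla(name, blob) or "clean")
```

A BROAD or SCOPE finding is not a parse failure; it marks a rule that grants more, or applies to fewer sessions, than intended.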