You are not logged in.
I upgraded a Refracta-jessie install to ascii. If I start gparted or synaptic from the menu (gparted-pkexec or synaptic-pkexec) the program starts without asking for a password. Google tells me in at least 10 different places how to get the system to do that - by changing /usr/share/policykit-1/actions/com.ubuntu.pkexec.gparted.policy and changing "auth_admin" to "yes" in the following lines:
allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin</allow_active>
So in my case, I should expect to change "yes" to "auth_admin". Except that it already says "auth_admin" on those lines.
I also tried changing
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
from "true" to "false" and also to a null value (""). That results in not being able to run gparted-pkexec from the menu or from a terminal. When it's set to false, it does start a process, but nothing comes up. If I try to start it from terminal after the attempt to start it from the menu, I get a message saying that gparted is already running. And only root can shut it down at that point.
Also, when I tried this yesterday, if I ran gparted-pkexec from terminal, it did ask for root password. Today it doesn't ask, it just starts gparted.
I'm lost. Anyone have any ideas?
Offline
Try gksu.
Online
Yes, gksu works. Meanwhile, pkexec allows unprivileged users to alter packages and partitions. Something is broken somewhere.
Offline
Interesting - I got ceres loaded from the Jessie install CD [dist-upgrade, syslog-ng, dist-upgrade],
and only selected the Devuan DE (not the XFCE option) and system-utilities.
'
as sudo did an apt-get for synaptic, from the menu panel tried to run Synaptic :-
only got a blink on the display. 'which' doesn't show 'synpatic'
went into /usr/bin (iirc) and found the synaptic-pkexec script and sudo ran it from terminal
IT asked for the root password and then ran.
'
So - straight ceres doesn't prompt for a password OR start as a normal user.
have to sudo the bin/sh from a terminal
Offline
I've seen that blink, too. I have another ascii install that won't let me start gparted from the menu, but running gparted-pkexec in terminal does ask for the password. You don't need to use sudo to run gparted-pkexec, because pkexec should take care of asking for the password. Well, you shouldn't need sudo. If you do need it, then this is more broken than I thought.
I guess I need to compare package lists between my two installs. The second one started out as a minimal jessie that was upgraded and then just a few things added.
Offline
What desktops are you using?
I have found from debian past that depending on the DE the access to synaptic varies. In some you can browse and even update but you can't install.
In LXDE from the menu it opens up a sudo login box.
Sudo synaptic will also ask for normal sudo pass.
I am not sure about this, but the polkit for each DE is different and PAM has something to do with who can run what.
Offline
I tried it in openbox and xfce on both installs. That doesn't make a difference.
Offline
People who haven't used xfce/lx*/ob find it illogical (and maybe it is) why wouldn't a user without root rights NOT be able to browse and search available and installed software. It maybe the gnome based, or kde, or mate, that only ask for pass when you attempt an upgrade or installation.
People have used linux for years through a desktop and have no clue where and which programs without a gui exist in their own system. They only see what is on the menu.
If you try $apt -search nunit do you get a result? Should you?
Offline
Unprivileged users should be able to search package names and descriptions. They should not be allowed to install software or resize partitions (as I just did). That's a security risk.
I found this bug report, concerning the problem that most people are having. It's not very helpful.
pkexec: Synpatic & gParted fails to authenicate
https://bugs.debian.org/cgi-bin/bugrepo … bug=780275
And this one about the relationship between pkexec and sudo, also not very helpful. My user is not in the sudo group. User did have sudo privs for shutdown, reboot, suspend and hibernate. I removed those privs and the problem with gparted persists.
policykit-1: members of group sudo become root with pkexec while ignoring /etc/sudoers
https://bugs.debian.org/cgi-bin/bugrepo … bug=869922
Here's my polkit file for gparted:
# cat /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<action id="com.ubuntu.pkexec.gparted">
<message>Authentication is required to run the GParted Partition Editor</message>
<icon_name>gparted</icon_name>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
</action>
</policyconfig>
Here's what /var/log/auth.log has to say when I open gparted from the menu:
Aug 17 19:35:45 refracta-ascii pkexec[5206]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Aug 17 19:35:45 refracta-ascii pkexec[5206]: user: Executing command [USER=root] [TTY=unknown] [CWD=/home/user] [COMMAND=/usr/sbin/gparted]
Offline
Request to look into the post of same problem,
https://dev1galaxy.org/viewtopic.php?id=675
Interested to hear about using " policykit-1-gnome "
Cheers,
Offline
nathg,
Thanks for the reminder. I tried replacing mate-polkit with policykit-1-gnome and I get the same behavior. (gparted runs without password).
I tried running without a display manager, and I'm getting inconsistent results. Sometimes I can break it so gparted doesn't run (in terminal it gives me an error message about trying to run it as another user and I don't have permission) and sometimes it does run. And sometimes I end up with no input in console and have to use sysrq keys to reboot.
So far, I have not found the right combination to cause pkexec to ask me for a password. At least not today. I have been asked for a password in terminal a couple days ago.
Offline
Not for nothin', but have you checked /etc/sudoers.d to make sure there's not an entry left from a livecd session that didn't get removed?
Because that will do exactly what you are describing.
https://sourceforge.net/projects/vuu-do/
Vuu-do GNU/Linux, minimal Devuan-based openbox systems to build on, maximal versions if you prefer your linux fully-loaded.
Please donate to support Devuan and init freedom! https://devuan.org/os/donate
Offline
Just for the record... I am running Ascii (ugpraded from stock Devuan Jessie months ago), and have no such issue with pkexec.
[Edited to mention that I'm running with MATE.]
Last edited by sgage (2017-08-18 21:54:09)
Offline
Take a look at the thread I just oppened up. http://dev1galaxy.org/viewtopic.php?id=1555
Both I and fsmithred are running LXDE (if I am not mistaken as mentioned in another thread).
I have also installed eudev in all my installations.
My ascii is an evolution from previous edition of miyo linux.
My ceres is from scratch installation from Devuan 1 Live.
All LXDE.
All LXDE for years if you include Debian as "somehow" related distro.
NOT ONCE, have I run gparted without a password, unless one would consider running from the terminal where sudo was used right before and the session didn't expire. But gparted-pkexec is different from sudo gparted-pkexec in when it will ask for the password.
So what can explain the difference between my and fsmithred's experience
Offline
Take a look at the thread I just oppened up. http://dev1galaxy.org/viewtopic.php?id=1555
Both I and fsmithred are running LXDE (if I am not mistaken as mentioned in another thread).
I have also installed eudev in all my installations.
My ascii is an evolution from previous edition of miyo linux.
My ceres is from scratch installation from Devuan 1 Live.
All LXDE.
All LXDE for years if you include Debian as "somehow" related distro.
NOT ONCE, have I run gparted without a password, unless one would consider running from the terminal where sudo was used right before and the session didn't expire. But gparted-pkexec is different from sudo gparted-pkexec in when it will ask for the password.So what can explain the difference between my and fsmithred's experience
It's a mystery wrapped in an enigma. Or is it the other way around? :-)
BTW, I am running eudev as well, and everything seems to be nominal.
I will check out your new thread...
Offline
For the record - this is on a refracta-jessie that was upgraded to ascii. So I started with xfce. It also has icewm and openbox, and I use lxpanel and lxterminal with ob. But I don't have the full lxde destkop. I've also had other weird stuff with this installation. Today I had to add net.ifnames=0 to the boot command a couple of times to have network connection. Normally I don't need to do that with this install, even though it's using 4.9 kernel.
Tested another install on the same machine. This one started as a minimal install, upgraded to ascii, then added apps. In xfce and openbox, gparted won't start from the menu, but if I start gparted-pkexec in terminal, it asks for password. This install also has lxqt, and there, I get a graphical window asking for the root password like it should. (lxqt-policykit-agent runs)
I seem to be the only one with this problem (the one in the subject line) so I won't file a bug report on it. At some point I'll do another refracta jessie to ascii upgrade and watch what happens. The current one has been through a lot to get where it is.
Offline
Why don't you start with one desktop and then expand incrementally instead of throwing a smorgasbord at it.
Online
Same behavior in a devuan jessie that got upgraded to ascii, and then again when upgraded to ceres.
pkexec allows primary user to install and remove software (didn't test gparted this time)
It does not allow primary user to create a new user, and it does not let the second user install software.
I will get around to filing a bug report.
Offline
I found that lxpolikit fixes alot of issues back and forth, too many rights and too little rights. Polkit just doesn't work right on openbox/lxde. Now if you like me and a few others are running openbox without the complete lxde installation try it. You may have to put it manually into openbox/autostart
Offline
Using xfce here. This was an install from the desktop-live iso. It's actually a mixed ascii/ceres now. I tested it first in pure ascii, then added ceres and did a dist-upgrade without removing the ascii sources. I had no problems during the upgrade. And pkexec acts the same in both.
I did notice in another installation that lxqt did it right. I guess the lx teams know what they're doing.
Offline
In the upgraded Refracta:
Tried replacing mate-polkit with lxpolkit. Didn't help. Tried adding policykit-1-gnome (with each of the other polkits) didn't help.
In the upgraded Devuan:
Tried adding policykit-1-gnome first, and now gparted and synaptic don't start. Tried from the menu and from the terminal with pkexec.
However, I can do 'pkexec /usr/sbin/adduser buford' and it works. Had to use the full path with adduser.
Offline
Well, did a little reading on "so many policykits"
I learned that program starting is a 2 step process (at least) - very simplified
step 1 -PAM (/etc/pam.d) Authenticates who you are
step 2 -Polkit - Authorizes what you can do/run - based upon being 'Authenticated'
'
I didn't get an answer as to why so many "polkits" -- unless they are a wrapper for
the official Polkit --[ie creates the PAM files and policy files for their respective programs
mate menu items / lxde menu items / gnome base structure / etc.
'
just posted this as aFWIW - shed some possible light on the variations that @fsmithred encountered
Offline
I have a suspicion that systemd was providing some intermediary service to many desktop devs. They universalized some instruction so systemd would know what you want to do and it would feed it to the appropriate daemon/service to carry out the simple task. Desktop devs concentrating in serving the giant distros couldn't care less about the non-systemd systems. New systems haven't gotten around to it yet in translating non-sense to sensical instructions.
So you end up downloading a desktop whose functions are systemd oriented and just do a silent blip when things don't work out. When you try the actual instruction in terminal at least you know why the desktop is not doing anything. Sudo synaptic has always worked for me when all else failed.
Oblogout when you install it in ascii semi works, but for each subcommand you have to test it in terminal and edit the appropriate .conf file. For lxpanel there is a conf file that has all the systemd commands for shutdown/reboot etc, you have to transform them to oblogout instructions, and edit the oblogout.conf itself to get it to function correctly. Pain in the neck.
The more I try to make things work the more sense Steve Litt's article makes https://sysdfree.wordpress.com/112/
Offline
Food for reading, man polkit & pkexec. Late in the party. Checked my ascii & ceres systems with DE's. Removed policykit-1-gnome & install lxpolkit ( ascii with lxde & xfce4). gparted & synaptic can't be launced from menu, but from terminal. In terminal it uses no graphical authentication. Same for mate-polkit (ceres with mate). In both system reinstalled policykit-1-gnome & reboot. Graphical authentication is back for both programs and also for mounting devices from file managers. 'pkexec' is provided by synaptic & gparted.'gksu' is maual install. Authentication via pkexec routed through 'polkit-agent-helper-1' which is provided by DE's. Without DM probably you need policykit-1. Different DE's have their own implementation. Should DM's & xorg run by users?
cheers,
Offline
Turns out there are some files created by live-config that get in the way. I will add them to the installer's exclude list.
- /etc/PolicyKit/PolicyKit.conf
- /var/lib/polkit-1/localauthority/10-vendor.d/10-live-cd.pkla
- /home/*/.su-to-rootrc
- /home/*/.*/share/config/kdesurc
- /home/*/.*/share/config/tdesurc
(Note: the last three also need to be added to home_boot_exlclude.list)
...and make sure policykit-1-gnome is installed.
Edit: added files specific to kde or tde.
Offline