Enabling system management privileges for non-local users - How the heck does `polkit` work, anyways?
Solution 1
Can't say for certain you're having the exact same problem, but this is listed as a Fedora bug, as of Nov, 2011. I installed a clean CentOS 6, upgraded all packages and then had the same problem trying to remotely access and add a new package (something requiring auth).
Solution 2
Hi I have trouble with this as well. Specifically with udisk.
(I'm running Ubuntu desktop 14.04)
To fix for udisks I did this.
- Backup and edit:
  `sudo vi /usr/share/polkit-1/actions/org.freedesktop.udisks.policy`
- Look for all the:
  `<allow_active>yes</allow_active>`
  and then change the:
  `<allow_any>no</allow_any>`
  to:
  `<allow_any>yes</allow_any>`
This allows remote access rather than just force local only.
Comments
-
Fake Name over 1 year
I am managing a CentOS 6.2 server remotely using X over SSH (actually NX, but that's just a proxy).
Everything is working correctly, except when I try to do tasks that would normally require administrative permissions (such as things in `palimpsest`, or any other GUI tools).
When I try to do things which would trigger an authentication dialog (through `polkit-gnome`), the permissions dialog is silently failing, and the software is running as my user account, rather than root.
To clarify, if I change package settings using the package manager at the local console, I get a pop-up - "Authentication is required to (add/remove) packages".
If I do this remotely, the authentication fails, and I get an "Authorization Failed" dialog.
It seems to boil down to policykit configuration, but I've followed the polkit man pages, and edited my configuration, and it hasn't changed anything.
I can manage packages/do super-user stuff from the command line without any problems. However, I am very visually oriented, and much prefer a GUI when possible.
Ok, so it seems that I need to add a new rule to policykit.
Going off the man pages, I created a file (named `20-remote-admin-allow.pkla`), and dropped it into `/etc/polkit-1/localauthority/50-local.d/`. Since there seems to be multiple polkit config directories, I copied the same file into `/var/lib/polkit-1/localauthority/50-local.d/`.
It does not appear to have changed anything.
Here is my config file, as mentioned above:
```
[root@cloaica zul]# cat /var/lib/polkit-1/localauthority/50-local.d/10-remote-admin-allow.pkla
[Let remote users do admin stuff]
Identity=unix-user:zul
Action=*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_self_keep
[root@cloaica zul]# cat /etc/polkit-1/localauthority/50-local.d/20-remote-admin-allow.pkla
[Allow Remote Administraton]
Identity=unix-user:zul
Action=*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
[root@cloaica zul]#
```
`pkaction --verbose` still reports `implicit any: no` and `implicit inactive: no` for most actions, and said actions fail if I attempt them, with "Authentication Failed" dialog, as mentioned above.
Seriously, does anyone actually understand how polkit actually works?
Policykit seems to be an ongoing nightmare, and considering there used to be a GUI configuration tool and it was removed, I don't understand how anyone thought this was ready for release into a production OS.
To be clear, I like having the "please authenticate to perform this action" dialogs. I just want to actually have them, rather than having the system silently fail to authenticate.
I don't want to remove the entirety of polkit, just make it either think all sessions are active, or that inactive sessions get the same permissions as active sessions.
-
Admin over 12 years
I have no experience in CentOS, but it seems a PolicyKit related problem. The default conf on Debian and Ubuntu gives no privilege to a nonlocal user.
-
Admin over 12 years
@enzotib - I would guess it's something like that. Now, where is the setting that controls those privileges?
-
Admin over 12 years
They are in `/etc/polkit-1` and `/var/lib/polkit-1`. See also `pkaction --verbose` output and `pklocalauthority` man page.
-
Admin over 12 years
@enzotib - I've done that, see updated question. It hasn't helped.
-
Admin over 12 years
Some remarks: 1) the file must have `.pkla` extension; 2) there should be `Identity` and not `AdminIdentities`; 3) `pkaction` returns information for registered actions (found in `/usr/share/polkit-1/actions/*`) and does not show local modifications, so it is better to try than believe in `pkaction`.
-
Admin over 12 years
@enzotib - 1: Both files are `*.pkla` files. 2: Didn't make any difference. 3: Then what's the point of `pkaction`? That's ridiculously stupid.
-
Admin over 12 years
@enzotib - see updated question
-
Admin over 12 years
I still see an `Identities` instead of `Identity` on the first file, don't know if it is important.
-
Admin over 12 years
@enzotib - Good catch. I've updated the question.
-
Admin over 12 years
Weird. It now kind of works... For instance, `system-config-lvm` correctly prompts for the administrator password. `gpk-application` and `palimpsest` do not.
-
Admin over 12 years
and `pkcheck --action-id org.freedesktop.udisks.linux-lvm2` is dropping me into the `pkcheck` man pages, despite the fact that the man pages say `pkcheck --action-id action {--process { pid | pid,pid-start-time }`
-
Admin over 2 years
I needed to run `systemctl restart polkit` after creating the `.pkla` file. serverfault.com/questions/1078535/…
-
Digger over 2 years
FYI, the changes made via this method will most likely be overwritten by a udisk upgrade. Better to place a suitable file into, for example, the `/etc/polkit-1/localauthority/50-local.d` directory.
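Added example, not part of the original thread: a small linter for local-authority `.pkla` files that catches the mistakes discussed above (wrong extension, `Identities`/`AdminIdentities` instead of `Identity`) and also flags an entry that grants every action without a prompt outside an active local session. The function name `lint_pkla`, the user `alice` and both sample files are constructed for illustration.

```python
import configparser
# Values accepted by ResultAny / ResultInactive / ResultActive.
VALID = {"no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep", "yes"}
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

def lint_pkla(filename, text):
    """Hypothetical helper: return a list of findings for one .pkla file."""
    findings = []
    if not filename.endswith(".pkla"):
        findings.append(f"{filename}: extension must be .pkla")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: 'Identity' is not 'identity'
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return findings + [f"{filename}: cannot parse: {exc}"]
    for name in cp.sections():
        sec = cp[name]
        for key in ("Identity", "Action"):
            if key not in sec:
                findings.append(f"[{name}] missing {key}")
        for key in ("Identities", "AdminIdentities"):
            if key in sec:
                findings.append(f"[{name}] {key} found; a .pkla entry uses Identity")
        results = {k: sec[k].strip() for k in RESULT_KEYS if k in sec}
        if not results:
            findings.append(f"[{name}] no Result* key")
        for k, v in results.items():
            if v not in VALID:
                findings.append(f"[{name}] {k}={v} is not a valid result")
        # Sessions that are not active local sessions fall under ResultAny/ResultInactive.
        remote = (results.get("ResultAny"), results.get("ResultInactive"))
        if sec.get("Action", "").strip() == "*" and "yes" in remote:
            findings.append(f"[{name}] every action allowed remotely without a prompt")
    return findings

# Constructed samples modelled on the files in the thread (user name is made up).
GOOD = """[Allow Remote Administration]
Identity=unix-user:alice
Action=org.freedesktop.udisks.*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""
BAD = (GOOD.replace("Identity=", "Identities=").replace("ResultAny=auth_admin", "ResultAny=yes")
           .replace("Action=org.freedesktop.udisks.*", "Action=*"))

if __name__ == "__main__":
    print(lint_pkla("20-remote-admin-allow.conf", BAD))
```

A clean result only means the file is well-formed; as noted in the comments, the effective decision still has to be tested against the running polkit service.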