Enabling system management privileges for non-local users - How the heck does `polkit` work, anyways?
Solution 1
Can't say for certain you're having the exact same problem, but this is listed as a fedora bug, as of Nov, 2011. I installed a clean CentOS 6, upgraded all packages and then had the same problem trying to remotely access and add a new package (something requiring auth).
Solution 2
Hi I have trouble with this as well. Specifically with udisk.
(I'm running Ubuntu desktop 14.04)
To fix for udisks I did this.
-
Backup and edit
sudo vi /usr/share/polkit-1/actions/org.freedesktop.udisks.policy -
look for all the:
<allow_active>yes</allow_active>and then change the:
<allow_any>no</allow_any>
to:
`<allow_any>yes</allow_any>`
this allows remote access rather than just froce local only
Related videos on Youtube
34 : 37
17 : 38
43 : 55
12 : 18
03 : 20
Comments
-
Fake Name over 1 year
I am managing a CentOS 6.2 server remotely using X over SSH (actually NX, but that's just a proxy).
The Everything is working correctly, except when I try to do tasks that would normally require administrative permissions (such as things in
palimpsest, or any other GUI tools).When I try to do things which would trigger a authentication dialog (through
polkit-gnome)the permissions dialog is silently failing, and the software is running as my user account, rather then root.To clarify, if I change package settings using the package manager at the local console, I get a pop-up - "Authentication is required to (add/remove) packages".
If I do this remotely, the authentication fails, and I get a "Authorization Failed" dialog.
It seems to boil down to policykit configuration, but I've followed the polkit man pages, and edited my configuration, and it hasn't changed anything.
I can manage packages/do super-user stuff from the command line without any problems. However, I am very visually oriented, and much prefer a GUI when possible.
Ok, so it seems that I need to add a new rule to policykit.
Going off the man pages, I created a file (named
20-remote-admin-allow.pkla), and dropped it into/etc/polkit-1/localauthority/50-local.d/. Since there seems to be multiple polkit config directories, I copied the same file into/var/lib/polkit-1/localauthority/50-local.d/.It does not appear to have changed anything.
Here is my config file, as mentioned above:
[root@cloaica zul]# cat /var/lib/polkit-1/localauthority/50-local.d/10-remote-admin-allow.pkla [Let remote users do admin stuff] Identity=unix-user:zul Action=* ResultAny=auth_admin ResultInactive=auth_admin ResultActive=auth_self_keep [root@cloaica zul]# cat /etc/polkit-1/localauthority/50-local.d/20-remote-admin-allow.pkla [Allow Remote Administraton] Identity=unix-user:zul Action=* ResultAny=auth_admin ResultInactive=auth_admin ResultActive=auth_admin [root@cloaica zul]#pkaction --verbosestill reportsimplicit any: no implicit inactive: nofor most actions, and said actions fail if I attempt them, with "Authentication Failed" dialog, as mentioned above.
Seriously, I does anyone actually understand how polkit actually works?
Policykit seems to be an ongoing nightmare, and considering there used to be a GUI configuration tool and it was removed, I don't understand how anyone thought this was ready for release into a production OS.
To be clear, I like having the "please authenticate to perform this action" dialogs. I just want to actually have them, rather then having the system silently fail to authenticate.
I don't want to remove the entirety of polkit, just make it either think all sessions are active, or that inactive sessions get the same permissions as active sessions.
-
Admin over 12 yearsI have no experience in CentOS, but it seems a PolicyKit related problem. The default conf on Debian and Ubuntu gives no privilege to a nonlocal user. -
Admin over 12 years@enzotib - I would guess it's something like that. Now, where is is the setting that controls those privileges?
-
Admin over 12 yearsThey are in
/etc/polkit-1and/var/lib/polkit-1. See alsopkaction --verboseoutput andpklocalauthorityman page. -
Admin over 12 years@enzotib - I've done that, see updated question. It hasn't helped.
-
Admin over 12 yearsSome remarks: 1) the file must have
.pklaextension; 2) there should beIdentityand notAdminIdentities; 3)pkactionreturns information for registered actions (found in/usr/share/polkit-1/actions/*) and do not show local modifications, so it is better to try than believe inpkaction. -
Admin over 12 years@enzotib - 1: Both files are
*.pklafiles. 2: Didn't make any difference. 3: Then what's the point ofpkaction? That's ridiculously stupid. -
Admin over 12 years@enzotib - see updated question
-
Admin over 12 yearsI still see an
Identitiesinstead ofIdentityon the first file, don't know if it is important. -
Admin over 12 years@enzotib - Good catch. I've updated the question.
-
Admin over 12 yearsWeird. It now kind of works... For instance,
system-config-lvmcorrectly prompts for the administrator password.gpk-applicationandpalimpsestdo not. -
Admin over 12 yearsand
pkcheck --action-id org.freedesktop.udisks.linux-lvm2is dropping me into thepkcheckman pages, despite the fact that the man pages saypkcheck --action-id action {--process { pid | pid,pid-start-time } -
Admin over 2 yearsI needed to run
systemctl restart polkitafter creating the.pklafile. serverfault.com/questions/1078535/…
-
-
Digger over 2 yearsFYI, the changes made via this method will most likely be overwritten by a udisk upgrade. Better to place a suitable file into, for example, the/etc/polkit-1/localauthority/50-local.ddirectory.