I am asked for admin password for trivial tasks all of a sudden

Hi,

Out of the blue, after having suspended my system last night, this morning after waking it up, I am asked to give my admin password for trivial tasks like connecting to my WiFi, rebooting, shutting down…

I do normally put my laptop to sleep and I have never faced the kind of issue before. I am not sure what has happened and how I could troubleshoot this.

Even though I have used openSUSE for some time now, it is still a bit new to me so I would appreciate your help to solve this problem.

If you want me to look for some logs or else, please tell me.

And sorry if I put this under the wrong category. Please feel free to move it to a more appropriate place if you think so.

@neotux:

First, welcome to the openSUSE Forums.


  1. Please check if, the directory β€˜/etc/polkit-1/’ exists.
  2. Please check if, any files exist in that directory – you’ll need to be logged in as the user β€œroot” to do this.
  3. Please check if, the file β€˜/etc/polkit-default-privs.standard’ exists.
  4. Please check the default Security Settings in YaST – <https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-security-yast-security.html#>.
    Especially the predefined security configurations – <https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-security-yast-security.html#sec-security-yast-security-predefined-configs>
    You should be using either β€œWorkstation” or, β€œRoaming device”.

Specifically for Network Manager, you need to take a look at these documents:
<https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-network.html#sec-network-nm>
<https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-nm.html#>

  • Please, make sure that, you’ve enabled a Password Manager –
    KDE Plasma: KWallet
    GNOME: GNOME Keyring
1 Like

@dcurtisfra

Thank you so much for the welcome and the detailed and insightful response!

The only file in that location is: /etc/polkit-1/rules.d/90-defaults-privs.rules

No, no such file exists under /etc.

It seems to be running:


$ pgrep -f gnome-keyring-daemon
1491

Thanks for these links! I’ll take some time and go through them.

This was set to β€œCustom Settings” for some reason. I changed it back to β€œWorkstation” and this has solved the issue.

However when I open the Security Module again, it is set back to β€œCustom Settings”. Should I leave it at that or is it a symptom for other things that might not be correctly configured?

@neotux:

OK, the default Polkit rules have been installed but, the standard Polkit default privileges definitions seem to be missing.

I’m on Leap 15.5 – for Tumbleweed you’ll have to check this for me –

> rpm --query --whatprovides /etc/polkit-default-privs.standard

Here on Leap, the package β€œpolkit-default-privs” provides this file. If Tumbleweed also indicates that, this file (and a couple of similar files) is provided by a specific package then, you’ll have to forcibly re-install that package.
Using the Leap example:

# zypper install --force polkit-default-privs

Once that’s been sorted out, please check if all the required Polkit packages have been installed on your system – taking the Leap example:

 > zypper search --installed-only polkit
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...

S  | Name                    | Summary                                              | Type
---+-------------------------+------------------------------------------------------+------
i+ | gconf-polkit            | GNOME Konfigurations-Datenbanksystem                 | Paket
i+ | libpolkit-agent-1-0     | PolicyKit Authorization Framework -- Agent Library   | Paket
i+ | libpolkit-gobject-1-0   | PolicyKit Authorization Framework -- GObject Library | Paket
i  | libpolkit-qt5-1-1       | PolicyKit Library Qt Bindings                        | Paket
i+ | polkit                  | PolicyKit Authorization Framework                    | Paket
i+ | polkit-default-privs    | SUSE PolicyKit default permissions                   | Paket
i  | polkit-gnome            | PolicyKit integration for the GNOME desktop          | Paket
i  | polkit-gnome-lang       | Translations for package polkit-gnome                | Paket
i  | polkit-kde-agent-5      | PolicyKit-Legitimationsdienst fΓΌr KDE                | Paket
i  | polkit-kde-agent-5-lang | Translations for package polkit-kde-agent-5          | Paket
 >

For the case of Tumbleweed, the following command will check if all the required packages have been installed or, not –

# zypper verify

Once you’ve verified that, all of the package dependencies have been resolved, you can check if, all the files contained in the installed packages are in fact present on your system:

# rpm --verify --all

If the RPM Verify procedure indicates that, specific files are missing then, with β€œrpm --query --whatprovides” you can determine which package contains the missing file and then, forcibly re-install the concerned package to recover the missing file.


Once you’ve done all that, execute the following:

# rpmconfigcheck

This script checks for new configuration files and indicates that, you need to check your current system’s configuration settings against the settings syntax of the new configuration files supplied by the latest (Tumbleweed) system upgrade.

  • On Leap, the same applies to the Patch and Update procedures …
1 Like

Thanks again @dcurtisfra for your kindness to help with this!

Here we go:

The output:

>  rpm --query --whatprovides /etc/polkit-default-privs.standard
error: file /etc/polkit-default-privs.standard: No such file or directory

Does this mean it is not installed?

I went ahead with the next command:

# zypper install --force polkit-default-privs
Loading repository data...

----

The following package is going to be reinstalled:
  polkit-default-privs

1 package to reinstall.
---
Continue? [y/n/v/...? shows all options] (y): y
---
.
(1/1) Installing: polkit-default-privs-1550+20230606.5001571-1.1.noarch .........................................[done]

Now:

> zypper search --installed-only polkit
Loading repository data...
Reading installed packages...

S  | Name                   | Summary                                                     | Type
---+------------------------+-------------------------------------------------------------+--------
i+ | libpolkit-agent-1-0    | PolicyKit Authorization Framework -- Agent Library          | package
i+ | libpolkit-gobject-1-0  | PolicyKit Authorization Framework -- GObject Library        | package
i+ | polkit                 | PolicyKit Authorization Framework                           | package
i+ | polkit-default-privs   | SUSE PolicyKit default permissions                          | package
i+ | polkit-gnome           | PolicyKit integration for the GNOME desktop                 | package
i+ | typelib-1_0-Polkit-1_0 | PolicyKit Authorization Framework -- Introspection bindings | package
#  zypper verify
Loading repository data...
Reading installed packages...
Dependencies of all installed packages are satisfied.

Looks promising so far.

# rpmconfigcheck
Searching for unresolved configuration files
Please check the following files (see /var/adm/rpmconfigcheck):
    /etc/chrony.conf.rpmnew
    /etc/postfix/main.cf.rpmnew
    /etc/postfix/master.cf.rpmnew
    /etc/speech-dispatcher/speechd.conf.rpmnew
    /etc/speech-dispatcher/speechd.conf.rpmsave
    /etc/zypp/zypp.conf.rpmnew

Looks like I need to be looking into some files and merge them perhaps with the old ones?

A follow up:

Reinstalling polkit-default-privs doesn’t seem to have installed: /etc/polkit-default-privs.standard

Not knowing where or how to look for it, i downloaded the package with zypper download.

Extracting it, there is only one folder usr. This is what is inside:

> tree usr
usr
β”œβ”€β”€ etc
β”‚   └── polkit-default-privs
β”‚       β”œβ”€β”€ local.template> tree usr
usr
β”œβ”€β”€ etc
β”‚   └── polkit-default-privs
β”‚       β”œβ”€β”€ local.template
β”‚       └── profiles
β”‚           β”œβ”€β”€ easy
β”‚           β”œβ”€β”€ restrictive
β”‚           └── standard
β”œβ”€β”€ sbin
β”‚   β”œβ”€β”€ chkstat-polkit
β”‚   └── set_polkit_default_privs
└── share
    β”œβ”€β”€ doc
    β”‚   └── packages
    β”‚       └── polkit-default-privs
    β”‚           └── README.md
    β”œβ”€β”€ fillup-templates
    β”‚   └── sysconfig.security-polkit_default_privs
    └── man
        β”œβ”€β”€ man5
        β”‚   └── polkit-default-privs.5.gz
        └── man8
            └── set_polkit_default_privs.8.gz

β”‚       └── profiles
β”‚           β”œβ”€β”€ easy
β”‚           β”œβ”€β”€ restrictive
β”‚           └── standard
β”œβ”€β”€ sbin
β”‚   β”œβ”€β”€ chkstat-polkit
β”‚   └── set_polkit_default_privs
└── share
    β”œβ”€β”€ doc
    β”‚   └── packages
    β”‚       └── polkit-default-privs
    β”‚           └── README.md
    β”œβ”€β”€ fillup-templates
    β”‚   └── sysconfig.security-polkit_default_privs
    └── man
        β”œβ”€β”€ man5
        β”‚   └── polkit-default-privs.5.gz
        └── man8
            └── set_polkit_default_privs.8.gz

If a package has been installed, there’s a much easier method to inspect the (installed) package’s contents:

 > rpm --query --list polkit-default-privs 
/etc/polkit-1/rules.d/90-default-privs.rules
/etc/polkit-default-privs.easy
/etc/polkit-default-privs.local
/etc/polkit-default-privs.restrictive
/etc/polkit-default-privs.standard
/sbin/chkstat-polkit
/sbin/set_polkit_default_privs
/usr/share/doc/packages/polkit-default-privs
/usr/share/doc/packages/polkit-default-privs/README.md
/usr/share/fillup-templates/sysconfig.security-polkit_default_privs
/usr/share/man/man5/polkit-default-privs.5.gz
/usr/share/man/man8/set_polkit_default_privs.8.gz
 >
1 Like

Nope – it means that, no package provides the queried file.


And, it also means that, Polkit on Tumbleweed is quite different to the Polkit on Leap 15.x …

1 Like

That ain’t a Bug – it’s a Feature!!!

  • I’ve checked here on Leap 15.5 and, the same behaviour is present.

I’ve checked through the Security Centre for the things I need and noticed the following:

  1. In the Kernel Settings module, the SysRq Keys are enabled but, in the Security Centre on the Overview page the SysRq Keys are marked as being unsecure despite the recommended setting being documented as β€œenable this feature to allow you to deal with catastrophic system failures” …
  2. The Secure File Privileges setting is also marked as being unsecure.
  3. It alerted me to the need to generate syslog messages when cron scripts are executed and, the need to activate TCP-syncookies.

My current YaST sysctl settings looks like this:

 # cat /etc/sysctl.d/70-yast.conf
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 0
kernel.sysrq = 1
net.ipv4.tcp_syncookies = 1
 #

Also this:

 > cat /proc/sys/net/ipv4/tcp_syncookies 
1
 >

I need to investigate the Secure File Privileges setting – will get back later …

1 Like

@neotux:

OK, in the YaST Security Center if –

  • You enable the Kernel’s SysRq keys, that’s considered to be not secure (insecure) …
  • If the Secure File Permissions isn’t set to β€œSecure”, that’s considered to be insecure …

More information is here: <https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-security-yast-security.html#>

1 Like

Dear @dcurtisfra,

First of all, please accept my apologies for such a long delay in responding.
I have been away from home for a much longer time that I first anticipated and I didn’t have access to my openSUSE system.

Also thank you for your explanation and guidance! I have now a somewhat better understanding of the security settings in the YaST Security Center.

I think the issue initially explained in my first post started after I had changed the file permissions from easy to secure.

Easy file permissions are suitable for stand-alone machines. These settings allow regular users to, for example, read most system files. See the file /etc/permissions.easy for the complete configuration. The Secure file permissions are designed for multiuser machines with network access. A thorough explanation of these settings can be found in /etc/permissions.secure.

Reading the documentation you linked to and this being a single user system, I think I am fine with leaving the file permissions at Easy. This would save me from the β€œhassle” of giving my root password each time I want to reboot, shutdown, connect to WiFi etc.

Once again, thank you for your time and effort to look into the issue and clearing things up for me.

PS. I would like to mark your latest post as the solution but I don’t see any solution box to check. Should I just append [Solved] to the title?

No need – the openSUSE Forums never, ever, had a β€œsolved” state for the posts. :face_with_spiral_eyes:

  • Even though, the KDE Forums do have such a state in their β€œDiscuss” forum – with the same forum engine as this one …
1 Like