polkit: help needed (user lost privileges)

Hi all,

I just updated from 13.2 to 42.1. It seems that my normal user account lost privileges in the process and I can’t find where and how I can restore them.
The authentication agent keeps popping up (every time, not just the first time) asking for root password for actions like:

  • mounting USB storage
  • ejecting USB storage
  • suspend to RAM
  • also possibly (?) related to some PulseAudio issues (amarok crashes complaining about bad file descriptor in pa_write)

I have searched for a while and this looks a lot like a polkit configuration problem, but I have not managed to find where.
What I have checked so far:

  • I have read https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.policykit.html

  • sysconfig/system/security/permissions/PERMISSION_SECURITY is “easy local”

  • I have explicitly set sysconfig/system/security/policykit/POLKIT_DEFAULT_PRIVS to “standard” (previously not set / default)

  • /etc/polkit-default-privs.local is empty (besides an entry for upower.hibernate set to yes:yes:yes)

  • I see nothing wrong with /etc/polkit-default-privs.standard

  • for example it has the following lines:
    org.freedesktop.udisks2.filesystem-mount auth_admin:auth_admin:yes
    org.freedesktop.udisks2.eject-media auth_admin:auth_admin:yes
    org.freedesktop.upower.suspend auth_admin:auth_admin:yes

  • when I query with pkaction, the results are consistent with the polkit-default-privs config file, for example:
    org.freedesktop.udisks2.filesystem-mount:
    description: Mount a filesystem
    message: Authentication is required to mount the filesystem
    vendor: The udisks Project
    vendor_url: http://udisks.freedesktop.org/
    icon: drive-removable-media
    implicit any: auth_admin
    implicit inactive: auth_admin
    implicit active: yes

  • I have run /sbin/set_polkit_default_privs several times

  • I have rebooted several times

  • security and hardening in YaST2 is in “custom” mode: couldn’t change it to “workstation” (?) but there’s nothing paranoid in there anyway

So here are my questions / help requests:

  • Is there a fine-grained way to diagnose such polkit authentication issues? Maybe a verbose message log somewhere?
  • Am I missing something with groups? Should my user account be a member of a specific group for polkit to work?
  • FWIW I am on the latest KDE 5.21.0 / Plasma 5.6.3 from the KDE repositories. Could there be some specific issues with the way KDE authenticates with polkit to perform aforementioned actions (mount, eject, suspend…)?
  • Is there a KDE-specific polkit config that I have missed somewhere?

Thanks in advance for any help or insight about this,
-Pierre.

Should not be necessary.
PERMISSION_SECURITY=“easy local” implies POLKIT_DEFAULT_PRIVS=“standard”, unless you set the latter to something else.

> • Am I missing something with groups? Should my user account be a member of a specific group for polkit to work?

No.

> • FWIW I am on the latest KDE 5.21.0 / Plasma 5.6.3 from the KDE repositories. Could there be some specific issues with the way KDE authenticates with polkit to perform aforementioned actions (mount, eject, suspend…)?

No.
The display manager should register your user session with logind; that’s required for your user session to be regarded as “active” by polkit.
What does “loginctl” say? Does it list your user session?

How are you actually starting the graphical system?
Normally via a display manager/login screen? Or via startx?
The latter has not been supported for years, and does not register the user session with logind, leading to exactly the problems that you experience…

Does it work if you logout and login again?
Might be some timing problem.

Did you fully update your system?
There was a bug in polkit as shipped with Leap that might cause such problems.

Does your PAM config include pam_systemd? That’s necessary for the above to work.

grep systemd /etc/pam.d/*
> • Is there a KDE-specific polkit config that I have missed somewhere?

No.

PS: your pulseaudio problem is definitely related, but it is independent of polkit.
Adding your user to the “audio” group should work around that.
But the underlying cause probably is that your user session does not get registered properly with logind, which should grant you access to the audio device (that’s required for pulseaudio to work).

Thanks a lot for the quick reply!

Yes, apparently it does (it also lists 2 other sessions besides the one below, apparently linked to pulseaudio and akonadi, not sure what they are).


pierre@gandalf:~> loginctl session-status 22
22 - pierre (1000)
           Since: sam. 2016-04-30 15:22:16 CEST; 1h 34min ago
          Leader: 17945 (kdm)
         Display: :0
         Service: xdm; type x11; class user
           State: active
            Unit: session-22.scope
                  ├─17945 -:0
                  ├─17969 /usr/bin/ck-launch-session /usr/bin/dbus-launch --sh-syntax --exit-with-session /usr/bin/ssh-agent /usr/bin/gpg-agent ...
                  ├─18071 /bin/dbus-launch --autolaunch aaeeb14525c6cd043fea59e2e6007c00 --binary-syntax --close-stderr
                  ├─18074 /bin/sh /usr/bin/startkde
                  ├─18077 /usr/bin/dbus-launch --sh-syntax --exit-with-session /usr/bin/ssh-agent /usr/bin/gpg-agent --sh --daemon --keep-displa...
                  ├─18078 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
                  ├─18079 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
                  ├─18081 /usr/lib/at-spi2/at-spi-bus-launcher
                  ├─18082 /usr/bin/ssh-agent /usr/bin/gpg-agent --sh --daemon --keep-display --write-env-file /home/pierre/.gnupg/agent.info-gan...
                  ├─18083 /usr/bin/gpg-agent --sh --daemon --keep-display --write-env-file /home/pierre/.gnupg/agent.info-gandalf.balden.maison:...
                  ├─18091 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
                  ├─18099 /usr/lib/at-spi2/at-spi2-registryd --use-gnome-session
                  ├─18130 /usr/lib64/libexec/kf5/start_kdeinit --kded +kcminit_startup
                  ├─18131 kdeinit5: Running...
                  ├─18132 klauncher [kdeinit5] --fd=9
                  ├─18135 kded5 [kdeinit5]
                  ├─18147 kwrapper5 /usr/bin/ksmserver
                  ├─18148 /usr/bin/kaccess
                  ├─18150 /usr/bin/ksmserver
                  ├─18155 /usr/bin/kglobalaccel5
                  ├─18160 /usr/lib/dconf-service
                  ├─18166 kwin_x11 -session 1025e2051e11d2000145970792600000059010000_1462022503_581821
                  ├─18167 /usr/bin/baloo_file
                  ├─18168 /usr/bin/krunner
                  ├─18176 /usr/bin/plasmashell --shut-up
                  ├─18189 /usr/bin/kactivitymanagerd start-daemon
                  ├─18192 /usr/lib64/libexec/kf5/kscreen_backend_launcher
                  ├─18204 /usr/lib64/libexec/polkit-kde-authentication-agent-1
                  ├─18211 /usr/bin/xembedsniproxy
                  ├─18218 /usr/bin/kalarm -session 1025e2051e11d2000146201887500000152610007_1462022488_558383
                  ├─18232 /usr/bin/cairo-dock
                  ├─18240 /usr/bin/xbindkeys
                  ├─18242 /usr/bin/parcellite
                  ├─18247 /usr/lib/gvfs/gvfsd
                  ├─18249 /usr/bin/akonadi_control
                  ├─18255 /usr/lib/gvfs/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
                  ├─18264 /usr/bin/zeitgeist-datahub
                  ├─18270 /usr/bin/zeitgeist-daemon
                  ├─18271 ibus-daemon --xim -d
                  ├─18279 /usr/lib/zeitgeist-fts
                  ├─18301 /usr/lib64/ibus/ibus-dconf
                  ├─18306 /usr/lib64/ibus/ibus-ui-gtk3
                  ├─18310 /usr/lib64/ibus/ibus-x11 --kill-daemon
                  ├─18322 /usr/lib64/ibus/ibus-engine-simple
                  ├─18330 akonadiserver
                  ├─18334 /usr/lib/bluetooth/obexd
                  ├─18340 /usr/bin/kuiserver5
                  ├─18343 /usr/sbin/mysqld --defaults-file=/home/pierre/.local/share/akonadi/mysql.conf --datadir=/home/pierre/.local/share/akon...
                  ├─18377 /usr/bin/akonadi_akonotes_resource --identifier akonadi_akonotes_resource_0
                  ├─18378 /usr/bin/akonadi_akonotes_resource --identifier akonadi_akonotes_resource_1
                  ├─18379 /usr/bin/akonadi_akonotes_resource --identifier akonadi_akonotes_resource_2
                  ├─18380 /usr/bin/akonadi_akonotes_resource --identifier akonadi_akonotes_resource_3
                  ├─18381 /usr/bin/akonadi_archivemail_agent --identifier akonadi_archivemail_agent
                  ├─18382 /usr/bin/akonadi_birthdays_resource --identifier akonadi_birthdays_resource
                  ├─18383 /usr/bin/akonadi_contacts_resource --identifier akonadi_contacts_resource_0
                  ├─18384 /usr/bin/akonadi_contacts_resource --identifier akonadi_contacts_resource_1
                  ├─18385 /usr/bin/akonadi_contacts_resource --identifier akonadi_contacts_resource_2
                  ├─18386 /usr/bin/akonadi_contacts_resource --identifier akonadi_contacts_resource_3
                  ├─18387 /usr/bin/akonadi_followupreminder_agent --identifier akonadi_followupreminder_agent
                  ├─18388 /usr/bin/akonadi_ical_resource --identifier akonadi_ical_resource_1
                  ├─18389 /usr/bin/akonadi_ical_resource --identifier akonadi_ical_resource_2
                  ├─18390 /usr/bin/akonadi_ical_resource --identifier akonadi_ical_resource_3
                  ├─18391 /usr/bin/akonadi_ical_resource --identifier akonadi_ical_resource_4
                  ├─18392 /usr/bin/akonadi_indexing_agent --identifier akonadi_indexing_agent
                  ├─18393 /usr/bin/akonadi_kalarm_resource --identifier akonadi_kalarm_resource_0
                  ├─18394 /usr/bin/akonadi_kalarm_resource --identifier akonadi_kalarm_resource_1
                  ├─18395 /usr/bin/akonadi_kalarm_resource --identifier akonadi_kalarm_resource_2
                  ├─18396 /usr/bin/akonadi_maildir_resource --identifier akonadi_maildir_resource_0
                  ├─18397 /usr/bin/akonadi_maildir_resource --identifier akonadi_maildir_resource_1
                  ├─18398 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
                  ├─18399 /usr/bin/akonadi_mailfilter_agent --identifier akonadi_mailfilter_agent
                  ├─18400 /usr/bin/akonadi_migration_agent --identifier akonadi_migration_agent
                  ├─18401 /usr/bin/akonadi_newmailnotifier_agent --identifier akonadi_newmailnotifier_agent
                  ├─18402 /usr/bin/akonadi_notes_agent --identifier akonadi_notes_agent
                  ├─18403 /usr/bin/akonadi_sendlater_agent --identifier akonadi_sendlater_agent
                  ├─18404 /usr/bin/akonadi_vcard_resource --identifier akonadi_vcard_resource_1
                  ├─18610 /usr/lib64/firefox/firefox
                  ├─18623 /usr/lib/GConf/2/gconfd-2
                  ├─18645 /usr/lib/mozilla/kmozillahelper
                  ├─18668 kdeinit4: kdeinit4 Running...
                  ├─18669 kdeinit4: klauncher [kdeinit] --fd=8
                  ├─18671 kdeinit4: kded4 [kdeinit]
                  ├─19199 /usr/lib/gvfs/gvfsd-metadata
                  ├─19757 /opt/kde3/bin/kdesud
                  ├─21499 konsole
                  ├─21504 /bin/bash
                  ├─21633 loginctl session-status 22
                  └─21634 less

> How are you actually starting the graphical system?
> Normally via a display manager/login screen? Or via startx?
> The latter has not been supported for years, and does not register the user session with logind, leading to exactly the problems that you experience…

I always start the KDE session through the local xdm display manager.

> Does it work if you logout and login again?
> Might be some timing problem.

No. I tried that numerous times (and each time I changed a setting to make sure it was taken into account). I even rebooted several times.
I also tried to start a GNOME session (for the first time in… about 10 years probably) and I have the exact same polkit authentication problems, so it is not KDE-specific.

> Did you fully update your system?
> There was a bug in polkit as shipped with Leap that might cause such problems.

Yes, as far as I can tell my system is up-to-date.
The main polkit packages are version 0.113-9.1, latest from the Update/OSS repository.
The KDE agent is version 5.6.3 from the KDE Frameworks 5 repository.


pierre@gandalf:~> rpm -qa | grep polkit
polkit-kde-agent-5-lang-5.6.3-62.1.noarch
polkit-doc-0.113-9.1.noarch
polkit-kde-agent-5-5.6.3-62.1.x86_64
libpolkit-qt-1-1-0.103.0-5.1.x86_64
libpolkit-qt5-1-1-0.112.0-12.3.x86_64
polkit-kde-agent-1-0.99.0-22.2.x86_64
gconf-polkit-3.2.6-7.2.x86_64
polkit-gnome-lang-0.105-10.1.noarch
libpolkit-gtk-1-0-debuginfo-0.102-1.1.x86_64
libpolkit-qt-1-devel-0.103.0-5.1.x86_64
polkit-gnome-debugsource-0.105-9.1.4.x86_64
polkit-gnome-debuginfo-0.105-9.1.4.x86_64
libpolkit0-32bit-0.113-9.1.x86_64
gnome-settings-daemon-polkit-datetime-debuginfo-3.0.3-1.2.x86_64
gconf-polkit-debuginfo-3.2.6-6.1.4.x86_64
polkit-devel-0.113-9.1.x86_64
polkit-0.113-9.1.x86_64
polkit-default-privs-13.2-10.1.noarch
polkit-gnome-0.105-10.1.x86_64
libpolkit0-0.113-9.1.x86_64

> Does your PAM config include pam_systemd? That’s necessary for the above to work.
>
> grep systemd /etc/pam.d/*

Well, it seems to be included, albeit with the “optional” keyword (don’t know what that implies). Here’s the grep output:


pierre@gandalf:~> grep systemd /etc/pam.d/*
/etc/pam.d/common-session:session       optional        pam_systemd.so
/etc/pam.d/common-session-pc:session    optional        pam_systemd.so
/etc/pam.d/common-session.rpmnew:session optional       pam_systemd.so
/etc/pam.d/systemd-user:# Used by systemd when launching systemd user instances.

> PS: your pulseaudio problem is definitely related, but it is independent of polkit.
> Adding your user to the “audio” group should work around that.
> But the underlying cause probably is that your user session does not get registered properly with logind, which should grant you access to the audio device (that’s required for pulseaudio to work).

Actually my user was already in the “audio” group.
More specifically, audio does work in several applications (KDE system settings, kmid, *mplayer, vlc, firefox…) but only amarok crashes whenever I try to play an MP3.
This may be a separate issue, possibly MP3 specific, but I’ll try to sort that out later if it does not go away with the polkit issue.

Thanks again (and in advance if you can provide me with any further ideas as to the origin of this behaviour).

-Pierre.

Well, from other threads I have the impression that if it lists more than one user session (even though you’re only logged in once) that might indicate a problem as well…

> I always start the KDE session through the local xdm display manager.

kdm apparently.
Maybe do try to switch to a different one as a test. xdm is installed by default, so change /etc/sysconfig/displaymanager to contain:

DISPLAYMANAGER="xdm"

Does the problem disappear?

You might also want to install and set sddm (Leap’s default for a KDE installation), lightdm or even gdm (the default for a GNOME installation).

> Well, it seems to be included, albeit with the “optional” keyword (don’t know what that implies). Here’s the grep output:
>
> pierre@gandalf:~> grep systemd /etc/pam.d/*
> /etc/pam.d/common-session:session optional pam_systemd.so
> /etc/pam.d/common-session-pc:session optional pam_systemd.so
> /etc/pam.d/common-session.rpmnew:session optional pam_systemd.so
> /etc/pam.d/systemd-user:# Used by systemd when launching systemd user instances.

Looks ok.
But that /etc/pam.d/common-session.rpmnew puzzles me a bit. Such a file should normally only be there if you manually edited the standard file at some point. This in turn could mean that it is not correct…

Can you please post the content of /etc/pam.d/common-session-pc? And check that /etc/pam.d/common-session is a symlink to it.

> Actually my user was already in the “audio” group.
> More specifically, audio does work in several applications (KDE system settings, kmid, *mplayer, vlc, firefox…) but only amarok crashes whenever I try to play an MP3.
> This may be a separate issue, possibly MP3 specific, but I’ll try to sort that out later if it does not go away with the polkit issue.

Amarok is the only KDE4 application using phonon in that list.
Is phonon-backend-vlc installed? If yes, try to remove it.
Is gstreamer-fluendo-mp3 installed?

Oh, and one thing I’d also try is to create a fresh user account and see if it works there.
Then we know at least whether it is a system-wide problem, or specific to the particular user.
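
The checks suggested in the two replies above (pkaction against the polkit-default-privs triple, pam_systemd in the PAM session stack, the logind session state and the number of sessions per user) collected into one offline script. This is an added example, not code from the thread or from openSUSE; each function takes captured text as an argument, and the sample output it parses is constructed to look like what was pasted in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): offline versions of the checks the
# replies walk through. Feed the functions real output (pkaction -v, the
# PAM file, loginctl) or the constructed samples at the bottom.

# $1 = "any:inactive:active" triple from polkit-default-privs.standard,
# $2 = output of `pkaction -v --action-id <id>`.
# Succeeds when the three "implicit ..." lines agree with the triple.
privs_match_pkaction() {
  triple=$1; out=$2
  want_any=${triple%%:*}; rest=${triple#*:}
  want_inactive=${rest%%:*}; want_active=${rest#*:}
  got_any=$(printf '%s\n' "$out" | awk '$1=="implicit" && $2=="any:" {print $3}')
  got_inactive=$(printf '%s\n' "$out" | awk '$1=="implicit" && $2=="inactive:" {print $3}')
  got_active=$(printf '%s\n' "$out" | awk '$1=="implicit" && $2=="active:" {print $3}')
  [ "$want_any" = "$got_any" ] && [ "$want_inactive" = "$got_inactive" ] &&
    [ "$want_active" = "$got_active" ]
}

# $1 = contents of /etc/pam.d/common-session. Succeeds when an uncommented
# "session" line loads pam_systemd.so; "optional" is enough, it only means
# the login does not fail if the module itself fails.
pam_systemd_enabled() {
  printf '%s\n' "$1" | awk '
    $1=="session" { for (i=2; i<=NF; i++) if ($i=="pam_systemd.so") found=1 }
    END { exit !found }'
}

# $1 = output of `loginctl session-status <id>`. Succeeds only when the
# session is registered as class "user" and is currently "active", which is
# what makes polkit apply the third ("active") column of the triple.
session_active_user() {
  printf '%s\n' "$1" | awk '
    $1=="State:" && $2=="active" { active=1 }
    $1=="Service:" { for (i=1; i<NF; i++) if ($i=="class" && $(i+1)=="user") user=1 }
    END { exit !(active && user) }'
}

# $1 = output of plain `loginctl`, $2 = user name. Prints how many sessions
# are listed for that user; more than one for a single graphical login is
# the warning sign mentioned in the replies.
count_user_sessions() {
  printf '%s\n' "$1" | awk -v u="$2" '$3==u { n++ } END { print n+0 }'
}

# --- constructed samples shaped like the output quoted in the thread ---
PKACTION_MOUNT='org.freedesktop.udisks2.filesystem-mount:
  implicit any: auth_admin
  implicit inactive: auth_admin
  implicit active: yes'
PAM_COMMON_SESSION='session required        pam_unix.so     try_first_pass
session optional        pam_systemd.so'
SESSION_STATUS='22 - pierre (1000)
         Service: xdm; type x11; class user
           State: active'
SESSION_LIST='   SESSION        UID USER             SEAT             TTY
        22       1000 pierre           seat0
        23       1000 pierre
2 sessions listed.'
privs_match_pkaction auth_admin:auth_admin:yes "$PKACTION_MOUNT" &&
  echo "pkaction agrees with polkit-default-privs" || echo "mismatch: rerun set_polkit_default_privs"
pam_systemd_enabled "$PAM_COMMON_SESSION" && echo "pam_systemd loaded" || echo "pam_systemd missing"
session_active_user "$SESSION_STATUS" && echo "session is active/user" || echo "session not active: check display manager"
echo "sessions for pierre: $(count_user_sessions "$SESSION_LIST" pierre)"
```

On a real machine replace the sample strings with `$(pkaction -v --action-id org.freedesktop.udisks2.filesystem-mount)`, `$(cat /etc/pam.d/common-session)`, `$(loginctl session-status)` and `$(loginctl)`.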

Bingo. That solved it.
I switched to sddm and the problem is gone.
Indeed it was kdm and not xdm.
And now loginctl reports only one single session.

> Looks ok.
> But that /etc/pam.d/common-session.rpmnew puzzles me a bit. Such a file should normally only be there if you manually edited the standard file at some point. This in turn could mean that it is not correct…
> Can you please post the content of /etc/pam.d/common-session-pc? And check that /etc/pam.d/common-session is a symlink to it.

The “rpmnew” file is from September 2014, so it is probably a residue from a previous upgrade (my system has been upgraded many many times).
I can’t remember why I would have modified this file around this date, but from time to time it can happen that I manually edit files in /etc to work around problems, so it is definitely possible.
Yes the latter file is indeed a symlink to the former.
Here’s the content:


#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session required        pam_limits.so
session required        pam_unix.so     try_first_pass 
session optional        pam_umask.so
session optional        pam_systemd.so
session optional        pam_gnome_keyring.so    auto_start only_if=gdm,gdm-password,lxdm,lightdm

> Amarok is the only KDE4 application using phonon in that list.
> Is phonon-backend-vlc installed? If yes, try to remove it.
> Is gstreamer-fluendo-mp3 installed?

Yes, phonon-backend-vlc is installed but is not active (phonon-gstreamer is on top).
Actually I also crashed VLC when trying to play an MP3 so it seemed more MP3-related.
gstreamer-fluendo-mp3 was installed but from the “Multimedia libs” repository.
Having had similar issues in the past, I made a selective update of fluendo-mp3 exclusively from the Packman repository (“Multimedia libs” repository often provides similar packages but apparently they don’t mix well).
At least this solved the problem with the MP3 crashes in amarok and VLC. So this issue was definitely not related to polkit.

> Oh, and one thing I’d also try is to create a fresh user account and see if it works there.
> Then we know at least whether it is a system-wide problem, or specific to the particular user.

Yes, very good idea: I should have tried that already at the beginning.
Since the problem seems to be gone, I don’t need to any more, but I’ll remember to do that next time I stumble upon similar session authentication issues.

Zillion thanks for your help.

-Pierre.

Great!
So it was indeed a problem of kdm.

Hm, actually kdm should still work. But then, it has basically been unmaintained for years and has been removed completely from Plasma5.

> The “rpmnew” file is from September 2014, so it is probably a residue from a previous upgrade (my system has been upgraded many many times).
> I can’t remember why I would have modified this file around this date, but from time to time it can happen that I manually edit files in /etc to work around problems, so it is definitely possible.

It might have been modified by some package update too.

But as the original file was modified some time in the past, rpm will not replace it but rather create a .rpmnew file.

You can delete the .rpmnew file if you want to, but it doesn’t cause any problems (it is not used at all).
Your standard file is ok though, obviously, as it works now…

> Yes, phonon-backend-vlc is installed but is not active (phonon-gstreamer is on top).
> Actually I also crashed VLC when trying to play an MP3 so it seemed more MP3-related.

Probably some mixture of the underlying packages then (in particular the ffmpeg/libav* ones), if the full switch to Packman helped.

> gstreamer-fluendo-mp3 was installed but from the “Multimedia libs” repository.

This particular one should not matter, and it is not even available in Packman, as the openSUSE version does contain a fully working (and licensed) MP3 codec.

> Having had similar issues in the past, I made a selective update of fluendo-mp3 exclusively from the Packman repository (“Multimedia libs” repository often provides similar packages but apparently they don’t mix well).

Right.
multimedia:libs contains a lot of multimedia packages (in “crippled” versions though) in the latest versions as it is the devel project for Factory.
zypper tends to prefer the highest version when installing a package, so it might use the ones from there causing problems.
You can prevent this by giving the Packman repo a higher priority (lower priority number).

Already installed packages will normally not be switched to versions from a different repo automatically though.

> At least this solved the problem with the MP3 crashes in amarok and VLC. So this issue was definitely not related to polkit.

Ok, but pulseaudio will not work in general with insufficient privileges.
Though having the user in the “audio” group should make sure that the privileges are fine in this regard in any case.