www.cendio.com

Bug 5584

Summary: Gnome, Unity and KDE with modern polkit gives auth dialogs on login
Product: ThinLinc Reporter: Pierre Ossman <ossman@cendio.se>
Component: Server OSAssignee: Samuel Mannehed <samuel@cendio.se>
Status: CLOSED FIXED QA Contact: Bugzilla mail exporter <bugzilla-qa@cendio.se>
Severity: Normal    
Priority: P2 CC: bojme@cendio.se, hean01@cendio.se, thoni56@cendio.se
Version: pre-1.0Keywords: prosaic, thomas_tester
Target Milestone: 4.7.0   
Hardware: PC   
OS: Unknown   
Bug Depends on: 5830    
Bug Blocks:    
Attachments: /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules
/etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla
Screenshot of the dialog
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla

Description From cendio 2015-06-30 15:32:26
Tested with Fedora 22, see upstream bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1149893
https://bugzilla.redhat.com/show_bug.cgi?id=1237146
https://bugzilla.redhat.com/show_bug.cgi?id=1237149

Nothing obvious we can do except nag upstream to fix their policy.

Note that the colord prompt will also show up when you add more virtual screens
(going full screen with multihead).
------- Comment #1 From cendio 2015-07-01 13:32:32 -------
More upstream nagging:

https://bugzilla.gnome.org/show_bug.cgi?id=751775
https://bugzilla.gnome.org/show_bug.cgi?id=751776

https://github.com/hughsie/colord/issues/16
https://github.com/hughsie/PackageKit/issues/69
------- Comment #2 From cendio 2015-12-28 10:31:10 -------
And KDE are also affected:

https://bugs.kde.org/show_bug.cgi?id=357245
------- Comment #3 From cendio 2015-12-28 10:32:43 -------
And RHEL 7:

https://bugzilla.redhat.com/show_bug.cgi?id=1294199
------- Comment #4 From cendio 2015-12-28 11:14:37 -------
And more KDE:

https://bugs.kde.org/show_bug.cgi?id=357247
------- Comment #5 From cendio 2016-04-19 15:02:25 -------
Getting pretty much all of these on RHEL 7 now, a recommended distribution.
Reassigning for discussion.
------- Comment #6 From cendio 2016-04-26 10:35:57 -------
A first step is to see if we can construct some policy files to work around
this and put those in Platform Specific notes.

After that we can start nagging upstream more and/or see if we should automate
installing these policy files.
------- Comment #7 From cendio 2016-08-10 11:14:34 -------
Tested for this problem on various distributions. Problems found:

RHEL7
-----
Gnome: color-manager, packagekit-proxy
KDE: none


SLES12
------
Gnome: none


Ubuntu 16.04.1
--------------
Unity: none
Gnome: color-manager
KDE: Not able to test - plasmashell crashes


Fedora 24
---------
Gnome: color-manager [1]
KDE: packagekit.system-sources

[1]: the packagekit-proxy problem is not present in Fedora 24, because it is
fixed upstream (https://bugzilla.gnome.org/show_bug.cgi?id=751776), and the fix
is available in Gnome 3.20, which Fedora 24 uses.
------- Comment #8 From cendio 2016-08-10 12:48:00 -------
(In reply to comment #7)

> Fedora 24
> ---------
> Gnome: color-manager [1]
> KDE: packagekit.system-sources

color-manager is also a problem with KDE when resizing session.
------- Comment #9 From cendio 2016-08-10 14:20:30 -------
Created an attachment (id=726) [details]
/etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules

The attached PolicyKit "rules" files solves the problem on RHEL7 and Fedora. It
does not solve the problem with Gnome on Ubuntu, since even Ubuntu 16.04 does
not have a /etc/polkit-1/rules.d, since it's running an old version of
PolicyKit. From
http://askubuntu.com/questions/536591/policykit-rules-never-come-into-effect :

"""
If you are on Ubuntu 14.04 (or lower) then you are still using the old version
of PolKit, where there are no .rules files but only .pkla and .conf files.

on the command prompt, do

pkaction --version

if it says < 0.106, then you can only use the old syntax
"""

The problem is limited in scope because Ubuntu does not provide Gnome by
default; only Unity.
------- Comment #10 From cendio 2016-08-10 14:38:55 -------
Note for tester:

* On SELinux systems, it is crucial that
/etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules has the correct
ownership and context. I don't know how this is supposed to work, but a manual
"chown" and "restorecon" solved it for me. Without this, you will get strange
errors like:

polkitd[868]: <no filename>:0: can't open
/etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules: No such file or
directory


* Always test with a newly created user account (or at least clean the home
directory), since some dialogs are only presented once.
------- Comment #11 From cendio 2016-08-10 15:29:08 -------
(In reply to comment #9)
> Created an attachment (id=726) [details] [details]
> /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules

An alternative approach is to instead execute:

perl -pi.$(date +%s) -e
's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
perl -pi.$(date +%s) -e
's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
/usr/share/polkit-1/actions/org.freedesktop.color.policy

Pros and cons:

+ Works even on Ubuntu
+ Shorter
+ Only changes "allow_any", which is not for the local console
+ Changes all "actions" - less risk that future updates gives auth dialogs
- Changes all "actions" - not a minimal solution
+ Fixes the source of the problem rather than trying to change the setting
afterwards

I'd say that this solution is preferred over /etc/polkit-1/rules.d.
------- Comment #12 From cendio 2016-08-10 16:34:28 -------
Both solutions requires changing files on the system. We need to decide if this
should be done only via recommendations in platform specific notes, tl-setup,
or if TL should actually perform the necessary changes. See also bug 1425.
------- Comment #13 From cendio 2016-08-16 07:55:26 -------
(In reply to comment #11)

> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.color.policy
> 
> Pros and cons:
> 
> + Works even on Ubuntu
> + Shorter
> + Only changes "allow_any", which is not for the local console
> + Changes all "actions" - less risk that future updates gives auth dialogs
> - Changes all "actions" - not a minimal solution
> + Fixes the source of the problem rather than trying to change the setting
> afterwards
> 
> I'd say that this solution is preferred over /etc/polkit-1/rules.d.

Drawback: that change will be reverted as soon as the packaged are updated
(unless the file is marked as a config file).
------- Comment #14 From cendio 2016-08-16 14:05:55 -------
Created an attachment (id=727) [details]
 /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules

Updated rules file which only affects non-local sessions.
------- Comment #15 From cendio 2016-08-16 14:22:43 -------
(In reply to comment #11)

> An alternative approach is to instead execute:
> 
> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.color.policy
> 
> Pros and cons:
> 
> + Works even on Ubuntu
> + Shorter
> + Only changes "allow_any", which is not for the local console
> + Changes all "actions" - less risk that future updates gives auth dialogs
> - Changes all "actions" - not a minimal solution
> + Fixes the source of the problem rather than trying to change the setting
> afterwards
> 
> I'd say that this solution is preferred over /etc/polkit-1/rules.d.

Updated pros and cons list:

+ Works even on Ubuntu. However, on Ubuntu, only Gnome3 is affected, which is
not installed by default. (See also bug 5830).
+ Shorter
+ Changes all "actions" - less risk that future updates gives auth dialogs
- Changes all "actions" - not a minimal solution
+ Fixes the source of the problem rather than trying to change the setting
afterwards
- Changes will be reverted when package is upgraded

Given these pros and cons, I'd say that the /etc solution is now preferred, so
this is what I will document in PSN.

Also note that the PolKit rules doc is here:
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

There's a "spawn" method. In principle, it should be possible to call an
external program which checks if the user is in a TL session or not. But
perhaps overkill at this point, unless that would make us comfortable with
installing the rule file by default. That would give a much better experience
for RHEL7 users.
------- Comment #16 From cendio 2016-08-17 09:37:49 -------
Information has been added to
https://www.cendio.com/thinlinc/docs/platforms/redhat .
------- Comment #17 From cendio 2016-08-17 10:47:56 -------
Created an attachment (id=728) [details]
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla

.pkla file to prevent colord dialogs with GNOME3 on Ubuntu

Please note that this file must be installed in
/etc/polkit-1/localauthority/50-local.d, not in
/etc/polkit-1/localauthority.conf.d!
------- Comment #18 From cendio 2016-08-17 11:19:36 -------
Created an attachment (id=729) [details]
 /etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla 

Updated file which catches all colord actions
------- Comment #19 From cendio 2016-08-17 11:23:15 -------
Created an attachment (id=730) [details]
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla
------- Comment #20 From cendio 2016-08-17 12:44:49 -------
Work on Ubuntu is finished and documented here:

https://www.cendio.com/thinlinc/docs/platforms/ubuntu

Closing.
------- Comment #21 From cendio 2016-08-24 17:22:15 -------
Tested for RHEL etc. with server on CentOS 7. Confirmed that dialog about
"color screen" showed up when login in from client on Windows 10. Could not
re-create dialog when changing window size.

Confirmed that adding the rules described at
https://www.cendio.com/thinlinc/docs/platforms/redhat removed the "color
screen" dialog.
------- Comment #22 From cendio 2016-08-29 15:55:16 -------
(In reply to comment #21)
> Tested for RHEL etc. with server on CentOS 7. Confirmed that dialog about
> "color screen" showed up when login in from client on Windows 10. Could not
> re-create dialog when changing window size.
> 
> Confirmed that adding the rules described at
> https://www.cendio.com/thinlinc/docs/platforms/redhat removed the "color
> screen" dialog.


Testet on Ubuntu 16.04 Desktop. 
Polkit authentication dialogs appeared during login, when resizing the session. 
By creating the file
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla it was
possible to prevent such dialog. 

Following guide followed: https://www.cendio.com/thinlinc/docs/platforms/ubuntu
------- Comment #23 From cendio 2016-08-29 15:56:54 -------
(In reply to comment #22)
> (In reply to comment #21)
> > Tested for RHEL etc. with server on CentOS 7. Confirmed that dialog about
> > "color screen" showed up when login in from client on Windows 10. Could not
> > re-create dialog when changing window size.
> > 
> > Confirmed that adding the rules described at
> > https://www.cendio.com/thinlinc/docs/platforms/redhat removed the "color
> > screen" dialog.
> 
> 
> Tested on Ubuntu 16.04 Desktop. 
> Polkit authentication dialogs appeared during login, when resizing the session. 
> By creating the file
> /etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla it was
> possible to prevent such dialog. 
> 
> Following guide followed: https://www.cendio.com/thinlinc/docs/platforms/ubuntu
------- Comment #24 From cendio 2016-10-06 17:08:44 -------
Created an attachment (id=749) [details]
Screenshot of the dialog

I get a polkit dialog in Unity on Ubuntu 16.04, 4.7.0rc1. It does not happen if
I login outside of ThinLinc.

It only happens the first time a new user logs in, exactly 1 minute after Unity
has started.
------- Comment #25 From cendio 2016-10-06 17:18:39 -------
(In reply to comment #24)
> I get a polkit dialog in Unity on Ubuntu 16.04, 4.7.0rc1. It does not happen if
> I login outside of ThinLinc.
> 
> It only happens the first time a new user logs in, exactly 1 minute after Unity
> has started.

Happens for both normal users and administrator users. As long as it is the
first time they log in.
------- Comment #26 From cendio 2016-10-07 15:13:11 -------
(In reply to comment #24)
> I get a polkit dialog in Unity on Ubuntu 16.04, 4.7.0rc1. It does not happen if
> I login outside of ThinLinc.

I get a similiar dialog in Gnome on Ubuntu 16.04.
------- Comment #27 From cendio 2016-10-07 15:22:21 -------
Updated platform specific notes and reported upstream:

https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1631337

Also reported the previous issue to ubuntu:

https://bugs.launchpad.net/ubuntu/+source/colord/+bug/1631346
------- Comment #28 From cendio 2016-10-10 09:09:46 -------
Created an attachment (id=752) [details]
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla
------- Comment #29 From cendio 2016-10-19 15:48:13 -------
Forgot to write reasoning for CLOSE:

Even though I can't get a new test machine in the state where I can reproduce
the apt-cache polkit dialog I'm closing. We have previously encountered the
problem on two different Ubuntu 16.04 machines. After applying the fix, the
dialog does not appear on any of these machines, so we consider this
sufficiently tested.
------- Comment #30 From cendio 2016-10-25 16:52:52 -------
(In reply to comment #29)
> Forgot to write reasoning for CLOSE:
> 
> Even though I can't get a new test machine in the state where I can reproduce
> the apt-cache polkit dialog I'm closing. We have previously encountered the
> problem on two different Ubuntu 16.04 machines. After applying the fix, the
> dialog does not appear on any of these machines, so we consider this
> sufficiently tested.

On my current test-machine for Ubuntu 16.04 I can now reproduce the error and
also verify that the fix indeed works.
------- Comment #31 From cendio 2017-05-19 12:33:39 -------
Note that the dialogs seem to be more persistent on RHEL7 now-a-days.
Especially the "update software"-one. I had to click "Cancel" maybe 50 times
before the dialogs gave up on popping up.

The workaround mentioned in Platform Specific Notes still work perfectly
however.