Comment 1 Pierre Ossman 2015-07-01 13:32:32 CEST

More upstream nagging:

https://bugzilla.gnome.org/show_bug.cgi?id=751775
https://bugzilla.gnome.org/show_bug.cgi?id=751776

https://github.com/hughsie/colord/issues/16
https://github.com/hughsie/PackageKit/issues/69

Comment 2 Pierre Ossman 2015-12-28 10:31:10 CET

And KDE are also affected:

https://bugs.kde.org/show_bug.cgi?id=357245

Comment 3 Pierre Ossman 2015-12-28 10:32:43 CET

And RHEL 7:

https://bugzilla.redhat.com/show_bug.cgi?id=1294199

Comment 4 Pierre Ossman 2015-12-28 11:14:37 CET

And more KDE:

https://bugs.kde.org/show_bug.cgi?id=357247

Comment 5 Pierre Ossman 2016-04-19 15:02:25 CEST

Getting pretty much all of these on RHEL 7 now, a recommended distribution. Reassigning for discussion.

Comment 6 Pierre Ossman 2016-04-26 10:35:57 CEST

A first step is to see if we can construct some policy files to work around this and put those in Platform Specific notes.

After that we can start nagging upstream more and/or see if we should automate installing these policy files.

Comment 7 Peter Åstrand 2016-08-10 11:14:34 CEST

Tested for this problem on various distributions. Problems found:

RHEL7
-----
Gnome: color-manager, packagekit-proxy
KDE: none


SLES12
------
Gnome: none


Ubuntu 16.04.1
--------------
Unity: none
Gnome: color-manager
KDE: Not able to test - plasmashell crashes


Fedora 24
---------
Gnome: color-manager [1]
KDE: packagekit.system-sources

[1]: the packagekit-proxy problem is not present in Fedora 24, because it is fixed upstream (https://bugzilla.gnome.org/show_bug.cgi?id=751776), and the fix is available in Gnome 3.20, which Fedora 24 uses.

Comment 8 Peter Åstrand 2016-08-10 12:48:00 CEST

(In reply to comment #7)

> Fedora 24
> ---------
> Gnome: color-manager [1]
> KDE: packagekit.system-sources

color-manager is also a problem with KDE when resizing session.

Comment 9 Peter Åstrand 2016-08-10 14:20:30 CEST

Created attachment 726 [details]
/etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules

The attached PolicyKit "rules" files solves the problem on RHEL7 and Fedora. It does not solve the problem with Gnome on Ubuntu, since even Ubuntu 16.04 does not have a /etc/polkit-1/rules.d, since it's running an old version of PolicyKit. From http://askubuntu.com/questions/536591/policykit-rules-never-come-into-effect :

"""
If you are on Ubuntu 14.04 (or lower) then you are still using the old version of PolKit, where there are no .rules files but only .pkla and .conf files.

on the command prompt, do

pkaction --version

if it says < 0.106, then you can only use the old syntax
"""

The problem is limited in scope because Ubuntu does not provide Gnome by default; only Unity.

Comment 10 Peter Åstrand 2016-08-10 14:38:55 CEST

Note for tester:

* On SELinux systems, it is crucial that /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules has the correct ownership and context. I don't know how this is supposed to work, but a manual "chown" and "restorecon" solved it for me. Without this, you will get strange errors like:

polkitd[868]: <no filename>:0: can't open /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules: No such file or directory


* Always test with a newly created user account (or at least clean the home directory), since some dialogs are only presented once.

Comment 11 Peter Åstrand 2016-08-10 15:29:08 CEST

(In reply to comment #9)
> Created an attachment (id=726) [details]
> /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules

An alternative approach is to instead execute:

perl -pi.$(date +%s) -e 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g' /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
perl -pi.$(date +%s) -e 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g' /usr/share/polkit-1/actions/org.freedesktop.color.policy

Pros and cons:

+ Works even on Ubuntu
+ Shorter
+ Only changes "allow_any", which is not for the local console
+ Changes all "actions" - less risk that future updates gives auth dialogs
- Changes all "actions" - not a minimal solution
+ Fixes the source of the problem rather than trying to change the setting afterwards

I'd say that this solution is preferred over /etc/polkit-1/rules.d.

Comment 12 Peter Åstrand 2016-08-10 16:34:28 CEST

Both solutions requires changing files on the system. We need to decide if this should be done only via recommendations in platform specific notes, tl-setup, or if TL should actually perform the necessary changes. See also bug 1425.

Comment 13 Peter Åstrand 2016-08-16 07:55:26 CEST

(In reply to comment #11)

> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.color.policy
> 
> Pros and cons:
> 
> + Works even on Ubuntu
> + Shorter
> + Only changes "allow_any", which is not for the local console
> + Changes all "actions" - less risk that future updates gives auth dialogs
> - Changes all "actions" - not a minimal solution
> + Fixes the source of the problem rather than trying to change the setting
> afterwards
> 
> I'd say that this solution is preferred over /etc/polkit-1/rules.d.

Drawback: that change will be reverted as soon as the packaged are updated (unless the file is marked as a config file).

Comment 14 Peter Åstrand 2016-08-16 14:05:55 CEST

Created attachment 727 [details]
 /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules

Updated rules file which only affects non-local sessions.

Comment 15 Peter Åstrand 2016-08-16 14:22:43 CEST

(In reply to comment #11)

> An alternative approach is to instead execute:
> 
> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
> perl -pi.$(date +%s) -e
> 's|<allow_any>auth_admin</allow_any>|<allow_any>no</allow_any>|g'
> /usr/share/polkit-1/actions/org.freedesktop.color.policy
> 
> Pros and cons:
> 
> + Works even on Ubuntu
> + Shorter
> + Only changes "allow_any", which is not for the local console
> + Changes all "actions" - less risk that future updates gives auth dialogs
> - Changes all "actions" - not a minimal solution
> + Fixes the source of the problem rather than trying to change the setting
> afterwards
> 
> I'd say that this solution is preferred over /etc/polkit-1/rules.d.

Updated pros and cons list:

+ Works even on Ubuntu. However, on Ubuntu, only Gnome3 is affected, which is not installed by default. (See also bug 5830).
+ Shorter
+ Changes all "actions" - less risk that future updates gives auth dialogs
- Changes all "actions" - not a minimal solution
+ Fixes the source of the problem rather than trying to change the setting afterwards
- Changes will be reverted when package is upgraded

Given these pros and cons, I'd say that the /etc solution is now preferred, so this is what I will document in PSN.

Also note that the PolKit rules doc is here:
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

There's a "spawn" method. In principle, it should be possible to call an external program which checks if the user is in a TL session or not. But perhaps overkill at this point, unless that would make us comfortable with installing the rule file by default. That would give a much better experience for RHEL7 users.

Comment 16 Peter Åstrand 2016-08-17 09:37:49 CEST

Information has been added to https://www.cendio.com/thinlinc/docs/platforms/redhat .

Comment 17 Peter Åstrand 2016-08-17 10:47:56 CEST

Created attachment 728 [details]
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla

.pkla file to prevent colord dialogs with GNOME3 on Ubuntu

Please note that this file must be installed in /etc/polkit-1/localauthority/50-local.d, not in /etc/polkit-1/localauthority.conf.d!

Comment 18 Peter Åstrand 2016-08-17 11:19:36 CEST

Created attachment 729 [details]
 /etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla 

Updated file which catches all colord actions

Comment 19 Peter Åstrand 2016-08-17 11:23:15 CEST

Created attachment 730 [details]
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla

Comment 20 Peter Åstrand 2016-08-17 12:44:49 CEST

Work on Ubuntu is finished and documented here:

https://www.cendio.com/thinlinc/docs/platforms/ubuntu

Closing.

Comment 21 Thomas Nilefalk 2016-08-24 17:22:15 CEST

Tested for RHEL etc. with server on CentOS 7. Confirmed that dialog about "color screen" showed up when login in from client on Windows 10. Could not re-create dialog when changing window size.

Confirmed that adding the rules described at https://www.cendio.com/thinlinc/docs/platforms/redhat removed the "color screen" dialog.

Comment 22 Bojan Memetovic 2016-08-29 15:55:16 CEST

(In reply to comment #21)
> Tested for RHEL etc. with server on CentOS 7. Confirmed that dialog about
> "color screen" showed up when login in from client on Windows 10. Could not
> re-create dialog when changing window size.
> 
> Confirmed that adding the rules described at
> https://www.cendio.com/thinlinc/docs/platforms/redhat removed the "color
> screen" dialog.


Testet on Ubuntu 16.04 Desktop. 
Polkit authentication dialogs appeared during login, when resizing the session. 
By creating the file /etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla it was possible to prevent such dialog. 

Following guide followed: https://www.cendio.com/thinlinc/docs/platforms/ubuntu

Comment 23 Bojan Memetovic 2016-08-29 15:56:54 CEST

(In reply to comment #22)
> (In reply to comment #21)
> > Tested for RHEL etc. with server on CentOS 7. Confirmed that dialog about
> > "color screen" showed up when login in from client on Windows 10. Could not
> > re-create dialog when changing window size.
> > 
> > Confirmed that adding the rules described at
> > https://www.cendio.com/thinlinc/docs/platforms/redhat removed the "color
> > screen" dialog.
> 
> 
> Tested on Ubuntu 16.04 Desktop. 
> Polkit authentication dialogs appeared during login, when resizing the session. 
> By creating the file
> /etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla it was
> possible to prevent such dialog. 
> 
> Following guide followed: https://www.cendio.com/thinlinc/docs/platforms/ubuntu

Comment 24 Samuel Mannehed 2016-10-06 17:08:44 CEST

Created attachment 749 [details]
Screenshot of the dialog

I get a polkit dialog in Unity on Ubuntu 16.04, 4.7.0rc1. It does not happen if I login outside of ThinLinc.

It only happens the first time a new user logs in, exactly 1 minute after Unity has started.

Comment 25 Samuel Mannehed 2016-10-06 17:18:39 CEST

(In reply to comment #24)
> I get a polkit dialog in Unity on Ubuntu 16.04, 4.7.0rc1. It does not happen if
> I login outside of ThinLinc.
> 
> It only happens the first time a new user logs in, exactly 1 minute after Unity
> has started.

Happens for both normal users and administrator users. As long as it is the first time they log in.

Comment 26 Samuel Mannehed 2016-10-07 15:13:11 CEST

(In reply to comment #24)
> I get a polkit dialog in Unity on Ubuntu 16.04, 4.7.0rc1. It does not happen if
> I login outside of ThinLinc.

I get a similiar dialog in Gnome on Ubuntu 16.04.

Comment 27 Pierre Ossman 2016-10-07 15:22:21 CEST

Updated platform specific notes and reported upstream:

https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1631337

Also reported the previous issue to ubuntu:

https://bugs.launchpad.net/ubuntu/+source/colord/+bug/1631346

Comment 28 Peter Åstrand 2016-10-10 09:09:46 CEST

Created attachment 752 [details]
/etc/polkit-1/localauthority/50-local.d/40-thinlinc-no-auth-dialogs.pkla

Comment 29 Samuel Mannehed 2016-10-19 15:48:13 CEST

Forgot to write reasoning for CLOSE:

Even though I can't get a new test machine in the state where I can reproduce the apt-cache polkit dialog I'm closing. We have previously encountered the problem on two different Ubuntu 16.04 machines. After applying the fix, the dialog does not appear on any of these machines, so we consider this sufficiently tested.

Comment 30 Samuel Mannehed 2016-10-25 16:52:52 CEST

(In reply to comment #29)
> Forgot to write reasoning for CLOSE:
> 
> Even though I can't get a new test machine in the state where I can reproduce
> the apt-cache polkit dialog I'm closing. We have previously encountered the
> problem on two different Ubuntu 16.04 machines. After applying the fix, the
> dialog does not appear on any of these machines, so we consider this
> sufficiently tested.

On my current test-machine for Ubuntu 16.04 I can now reproduce the error and also verify that the fix indeed works.

Comment 31 Samuel Mannehed 2017-05-19 12:33:39 CEST

Note that the dialogs seem to be more persistent on RHEL7 now-a-days. Especially the "update software"-one. I had to click "Cancel" maybe 50 times before the dialogs gave up on popping up.

The workaround mentioned in Platform Specific Notes still work perfectly however.