I am not prompted for sudo actions in the GUI when connected via RDP #1584

Closed
felipeleon73 opened this issue May 15, 2020 · 7 comments

@felipeleon73

In Manjaro 20.1 KDE I am not prompted for sudo actions in the GUI when connected via RDP.

Everything else works perfectly, but I can't do any action that requires administrator privileges from the GUI.
sudo and kdesu from Konsole, on the other hand, work correctly.

@matt335672
Member

Hi @felipeleon73

When you say you aren't prompted, do you mean that you don't get GUI prompts to enter a password when you are expecting one? Can you give an example of something that doesn't work so we can have a look at it?

Thanks,

@felipeleon73
Author

> Hi @felipeleon73
>
> When you say you aren't prompted, do you mean that you don't get GUI prompts to enter a password when you are expecting one? Can you give an example of something that doesn't work so we can have a look at it?
>
> Thanks,

E.g. setting a theme in System Settings > Login Screen (SDDM).
If I try to change the theme from remote, when I press Apply the theme resets to the previous one. Changing from local, btw, pressing Apply I get the GUI to enter the password.

@matt335672
Member

Thanks.
I'm not familiar with Manjaro, so I'll have to install it, which might take me a while to get to. If I was to take a wild guess however, I'd say this looks like a policykit problem.

Policykit is used by a lot of desktop environments, and is responsible for allowing GUIs to perform privileged actions.

What does the following command give you as output?

pkaction --version

@felipeleon73
Author

Also in my opinion it can be a polkit problem ... I tried to play with allow_inactive, but without success.
However the output of the pkaction --version command is:
pkaction version 0.116

@matt335672
Member

It's almost certainly a polkit issue then, and you're on the right lines I think.

The version of polkit you have is quite modern, and some of the advice on the internet will relate to earlier versions with PKLA - IIRC 0.105 is the latest version to support PKLA files but I could be wrong on that.

Can you have a poke around in log files and see if you can find any errors related to polkit? This would verify that polkit is at the root of the problem, and let us start working on a rules file.

@matt335672
Member

Hi @felipeleon73

This is indeed a polkit problem, but Manjaro doesn't make it easy to get to the bottom of it.

For a start, the daemon logging is disabled, so you're not getting a lot of help here. I got round this by editing /usr/lib/systemd/system/polkit.service as follows:-

[Unit]
Description=Authorization Manager
Documentation=man:polkit(8)

[Service]
Type=dbus
BusName=org.freedesktop.PolicyKit1
#ExecStart=/usr/lib/polkit-1/polkitd --no-debug
Environment=G_MESSAGES_DEBUG=all
ExecStart=/usr/lib/polkit-1/polkitd

I've commented out the original ExecStart and added the two lines after it.

After that, if you sudo systemctl daemon-reload and restart the polkit service you will get pretty extensive logging with the journalctl -u polkit command.

Your example in question returned the following report:-

Jun 04 16:50:38 manjaro polkitd[1428]: system-bus-name::1.97 is inquiring whether system-bus-name::1.98 is authorized for org.kde.kcontrol.kcmsddm.save
Jun 04 16:50:38 manjaro polkitd[1428]:  user of caller is unix-user:xxx
Jun 04 16:50:38 manjaro polkitd[1428]:  user of subject is unix-user:xxx
Jun 04 16:50:38 manjaro polkitd[1428]: checking whether system-bus-name::1.98 is authorized for org.kde.kcontrol.kcmsddm.save
Jun 04 16:50:38 manjaro polkitd[1428]:   0x55a52003ca40
Jun 04 16:50:38 manjaro polkitd[1428]: Checking whether session 2 is active.
Jun 04 16:50:38 manjaro polkitd[1428]: Session 2 has UID 1000.
Jun 04 16:50:38 manjaro polkitd[1428]: UID 1000 has state active.
Jun 04 16:50:38 manjaro polkitd[1428]:  subject is in session 2 (local=0 active=1)
Jun 04 16:50:38 manjaro polkitd[1428]:  not authorized

So the polkit action ID we're trying to authorize is org.kde.kcontrol.kcmsddm.save.

There are lots of ways to proceed from here, but I added my user xxx to a Unix group rdesktop, and then created /etc/polkit-1/rules.d/50-xrdp.rules with the following contents:-

polkit.addRule(function(action, subject) {
    if (subject.isInGroup("rdesktop")) {
        switch (action.id) {
            case 'org.kde.kcontrol.kcmsddm.save':
                //polkit.log("subject=" + subject);
                return polkit.Result.YES;
                break
        }
    }

    return undefined;
});

It's more complicated than it needs to be for this example. The idea is that as you find desktop actions you want to authorize, you can just add extra lines to the case statement.

The daemon spots the file and loads it automatically. After that, the GUI works as expected, and I get the following report from the log:-

Jun 04 17:07:25 manjaro polkitd[1428]: system-bus-name::1.142 is inquiring whether system-bus-name::1.143 is authorized for org.kde.kcontrol.kcmsddm.save
Jun 04 17:07:25 manjaro polkitd[1428]:  user of caller is unix-user:xxx
Jun 04 17:07:25 manjaro polkitd[1428]:  user of subject is unix-user:xxx
Jun 04 17:07:25 manjaro polkitd[1428]: checking whether system-bus-name::1.143 is authorized for org.kde.kcontrol.kcmsddm.save
Jun 04 17:07:25 manjaro polkitd[1428]:   0x7fc48c01a290
Jun 04 17:07:25 manjaro polkitd[1428]: Checking whether session 5 is active.
Jun 04 17:07:25 manjaro polkitd[1428]: Session 5 has UID 1000.
Jun 04 17:07:25 manjaro polkitd[1428]: UID 1000 has state active.
Jun 04 17:07:25 manjaro polkitd[1428]:  subject is in session 5 (local=0 active=1)
Jun 04 17:07:25 manjaro polkitd[1428]:  is authorized (has implicit authorization local=0 active=1)

I hope that's reasonably clear, and I apologise for taking longer than I expected to get back to you.

Is that useful?
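
Added example, not part of the original comment or the project's own code: a small Python parser for the polkitd debug output quoted above. It pairs each "checking whether ... is authorized for ..." line with its session line and result, then lists the action IDs refused to non-local (local=0) sessions, which are the candidates to review before adding them to the rule's case statement. The sample journal text is constructed in the format of the quoted log, and the org.example.* action IDs are hypothetical.

```python
import re

# Constructed sample in the format of the `journalctl -u polkit` output above.
# The org.example.* action IDs are hypothetical.
SAMPLE_JOURNAL = """\
Jun 04 16:50:38 manjaro polkitd[1428]: system-bus-name::1.97 is inquiring whether system-bus-name::1.98 is authorized for org.kde.kcontrol.kcmsddm.save
Jun 04 16:50:38 manjaro polkitd[1428]: checking whether system-bus-name::1.98 is authorized for org.kde.kcontrol.kcmsddm.save
Jun 04 16:50:38 manjaro polkitd[1428]:  subject is in session 2 (local=0 active=1)
Jun 04 16:50:38 manjaro polkitd[1428]:  not authorized
Jun 04 16:52:01 manjaro polkitd[1428]: checking whether system-bus-name::1.99 is authorized for org.example.constructed.local
Jun 04 16:52:01 manjaro polkitd[1428]:  subject is in session 1 (local=1 active=1)
Jun 04 16:52:01 manjaro polkitd[1428]:  not authorized
Jun 04 17:07:25 manjaro polkitd[1428]: checking whether system-bus-name::1.143 is authorized for org.example.constructed.allowed
Jun 04 17:07:25 manjaro polkitd[1428]:  subject is in session 5 (local=0 active=1)
Jun 04 17:07:25 manjaro polkitd[1428]:  is authorized (has implicit authorization local=0 active=1)
"""

PREFIX = re.compile(r"^.*?polkitd\[\d+\]:\s*(.*)$")
CHECK = re.compile(r"^checking whether (\S+) is authorized for (\S+)$")
SESSION = re.compile(r"^subject is in session (\S+) \(local=(\d) active=(\d)\)$")

def parse_decisions(text):
    """Return one dict per authorization check found in polkitd debug output."""
    decisions, current = [], None
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a polkitd line
        msg = m.group(1).strip()
        if (c := CHECK.match(msg)):
            # Start of a new check; session flags are filled in by later lines.
            current = {"subject": c.group(1), "action": c.group(2),
                       "session": None, "local": None, "active": None}
        elif current is None:
            continue  # e.g. the "is inquiring whether" line before a check
        elif (s := SESSION.match(msg)):
            current.update(session=s.group(1),
                           local=s.group(2) == "1", active=s.group(3) == "1")
        elif msg == "not authorized" or msg.startswith("is authorized"):
            current["authorized"] = msg.startswith("is authorized")
            decisions.append(current)
            current = None
    return decisions

def remote_denials(decisions):
    """Action IDs refused to non-local sessions: candidates to review for a rule."""
    return sorted({d["action"] for d in decisions
                   if not d["authorized"] and d["local"] is False})
```

Piping real `journalctl -u polkit` output into parse_decisions() assumes debug logging is enabled as described in the comment above; result lines in other forms are ignored by this sketch.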

@felipeleon73
Author

Really great answer! Thank you very much!
