Issues with permissions XRDP #2926

Closed
kluehrsen opened this issue Jan 25, 2024 · 6 comments
@kluehrsen

xrdp version

0.9.12

Detailed xrdp version, build options

xrdp 0.9.12
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2018 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --enable-ipv6
      --enable-jpeg
      --enable-fuse
      --enable-rfxcodec
      --enable-opus
      --enable-painter
      --enable-vsock
      --build=x86_64-linux-gnu
      --prefix=/usr
      --includedir=${prefix}/include
      --mandir=${prefix}/share/man
      --infodir=${prefix}/share/info
      --sysconfdir=/etc
      --localstatedir=/var
      --disable-silent-rules
      --libdir=${prefix}/lib/x86_64-linux-gnu
      --libexecdir=${prefix}/lib/x86_64-linux-gnu
      --disable-maintainer-mode
      --disable-dependency-tracking
      --with-socketdir=/run/xrdp/sockdir
      build_alias=x86_64-linux-gnu
      CFLAGS=-g -O2 -fdebug-prefix-map=/build/xrdp-Ze414c/xrdp-0.9.12=. -fstack-protector-strong -Wformat -Werror=format-security
      LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
      CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
      PKG_CONFIG_PATH=/build/xrdp-Ze414c/xrdp-0.9.12/pkgconfig

  Compiled with OpenSSL 1.1.1f  31 Mar 2020

Operating system & version

Ubuntu 20.04

Installation method

dnf / apt / zypper / pkg / etc

Which backend do you use?

xorgxrdp

What desktop environment do you use?

Xfce

Environment xrdp running on

server with (4) NVIDIA A40

What's your client?

No response

Area(s) with issue?

Authentication

Steps to reproduce

While attempting to do anything that requires privileged access, errors get thrown in XRDP. i.e. unable to create raid array, unable to download software, etc.

✔️ Expected Behavior

The user for xrdp is in the sudo group, so I would expect to be able to fulfill these operations - but continue to get error messages.

❌ Actual Behavior

Error message denying software download

Anything else?

xrdp.log.docx
xrdp-sesman.log.docx

[20240125-10:31:23] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240125-10:31:23] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240125-10:31:23] [DEBUG] TLSv1.3 enabled
[20240125-10:31:23] [DEBUG] TLSv1.2 enabled
[20240125-10:31:23] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:27] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:10.255.7.254 port 54588
[20240125-10:31:27] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:27] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20240125-10:31:27] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240125-10:31:27] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240125-10:31:27] [DEBUG] TLSv1.3 enabled
[20240125-10:31:27] [DEBUG] TLSv1.2 enabled
[20240125-10:31:27] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:29] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:10.255.3.254 port 44638
[20240125-10:31:29] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)
[20240125-10:31:29] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20240125-10:31:29] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20240125-10:31:29] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20240125-10:31:29] [DEBUG] TLSv1.3 enabled
[20240125-10:31:29] [DEBUG] TLSv1.2 enabled
[20240125-10:31:29] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:10.20.11.21 port 3389)

@kluehrsen kluehrsen added the bug label Jan 25, 2024
@kluehrsen
Author

To note: I did use Script Version 1.4.8 from c-nergy.be to install, and made a few other manual changes to the config.

added xrdp to ssl-cert group
changed permission settings on /etc/ssl/private to allow other users to access --

At this point I'm not sure if the issue is somewhere in the XRDP files where I need to tweak a line of code, or if there's something wrong with my VPN/network. Have been troubleshooting for over a week (different installation methods) - so hoping there's some answer here on how to resolve the behavior.

@metalefty
Member

I think this should help you.
#2297

@kluehrsen
Author

> I think this should help you. #2297

Thank you! I attempted to make a few of the changes recommended in that thread, but still having issues with permissions in my session - specifically trying to download cudnn software.

Here are the steps I took:

chmod 644 /etc/xrdp/cert.pem
chmod 640 /etc/xrdp/key.pem
chown :xrdp /etc/xrdp/key.pem
usermod -G ssl-cert xrdp
Reboot system

A few differences. When I run ls -l /etc/xrdp/key.pem /etc/xrdp/cert.pem my output is:

lrwxrwxrwx 1 root root 36 Jan 22 22:27 /etc/xrdp/cert.pem -> /etc/ssl/certs/ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root 38 Jan 22 22:27 /etc/xrdp/key.pem -> /etc/ssl/private/ssl-cert-snakeoil.key

id xrdp
uid=129(xrdp) gid=135(xrdp) groups=135(xrdp),113(ssl-cert)

ls -l
total 4
-rw-r----- 1 root xrdp 1704 Jan 22 22:06 ssl-cert-snakeoil.key

Does this have to do with using the snakeoil key? If there are additional steps I should take, the advice is greatly appreciated.

@matt335672
Member

@kluehrsen - your session permissions are nothing to do with the TLS key. This is exclusively used for setting up a TLS connection to the machine.

I suspect your issues are related to 'polkit'. I've just added a FAQ for this, which frankly I should have done a long time ago:-

https://github.com/neutrinolabs/xrdp/wiki/Tips-and-FAQ#why-cant-i-perform-some-privileged-gui-actions

Have a read of that, and please let me know if it's useful or not.

@kluehrsen
Author

> @kluehrsen - your session permissions are nothing to do with the TLS key. This is exclusively used for setting up a TLS connection to the machine.
>
> I suspect your issues are related to 'polkit'. I've just added a FAQ for this, which frankly I should have done a long time ago:-
>
> https://github.com/neutrinolabs/xrdp/wiki/Tips-and-FAQ#why-cant-i-perform-some-privileged-gui-actions
>
> Have a read of that, and please let me know if it's useful or not.

Thank you, this was very helpful. For my case, running the script didn't resolve the issue initially -- it took checking the auth.log and seeing org.freedesktop.packagekit.package-install-untrusted was failing authentication --

I then added the following to your /etc/pol-kit-1/localauthority/50-local/pk-local.pkla :

[pk-local override for org.freedesktop.packagekit.package-install-untrusted]
Identity=unix-group:pk-local
Action=org.freedesktop.packagekit.package-install-untrusted
#ResultAny=auth_admin
ResultAny=yes

Thanks so much for your help, very much appreciated!! KL
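An added example, not part of the thread and not xrdp or polkit project code: a small audit that reads `.pkla` local-authority rules like the override quoted above and reports every rule whose result is `yes`, meaning the action is authorised with no authentication prompt. The sample text is the override from the comment above; `audit_pkla` and the finding fields are names chosen for this illustration.

```python
import configparser

# Constructed sample: the override quoted in the comment above.
SAMPLE_PKLA = """\
[pk-local override for org.freedesktop.packagekit.package-install-untrusted]
Identity=unix-group:pk-local
Action=org.freedesktop.packagekit.package-install-untrusted
#ResultAny=auth_admin
ResultAny=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def audit_pkla(text):
    """Return one finding per rule that grants an action with no authentication."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case: ResultAny, not resultany
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        rule = parser[section]
        # Identity and Action are semicolon-separated lists
        identities = [i for i in rule.get("Identity", "").split(";") if i]
        actions = [a for a in rule.get("Action", "").split(";") if a]
        # "yes" authorises the action without any password prompt
        open_keys = [k for k in RESULT_KEYS if rule.get(k, "").strip() == "yes"]
        if not open_keys:
            continue
        findings.append({
            "rule": section,
            "identities": identities,
            "actions": actions,
            "granted_without_auth": open_keys,
            # ResultAny is the value applied to clients outside a local
            # console session, which includes sessions started through xrdp
            "applies_to_remote_sessions": "ResultAny" in open_keys,
            "wildcard": any("*" in v for v in identities + actions),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE_PKLA):
        print(finding)
```

Running it over the files in the local-authority directories lists which groups can perform which actions without a prompt, so each grant can be reviewed against who is actually in the group.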

@matt335672
Member

Interesting.

On my Mint system, I get this:-

$ pkaction --action-id org.freedesktop.packagekit.package-install-untrusted --verbose
org.freedesktop.packagekit.package-install-untrusted:
  description:       Install untrusted local file
  message:           Authentication is required to install untrusted software
  vendor:            The PackageKit Project
  vendor_url:        http://www.packagekit.org/
  icon:              package-x-generic
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin
  annotation:        org.freedesktop.policykit.imply -> org.freedesktop.packagekit.package-install

auth_admin means you need to be an administrator (or able to authenticate as one). auth_any lets all users install untrusted software. Is the user you're running as also in the sudo group?
