9

I am managing a CentOS 6.2 server remotely using X over SSH (actually NX, but that's just a proxy).

The Everything is working correctly, except when I try to do tasks that would normally require administrative permissions (such as things in palimpsest, or any other GUI tools).

When I try to do things which would trigger a authentication dialog (through polkit-gnome)the permissions dialog is silently failing, and the software is running as my user account, rather then root.

To clarify, if I change package settings using the package manager at the local console, I get a pop-up - "Authentication is required to (add/remove) packages".

If I do this remotely, the authentication fails, and I get a "Authorization Failed" dialog.

It seems to boil down to policykit configuration, but I've followed the polkit man pages, and edited my configuration, and it hasn't changed anything.

I can manage packages/do super-user stuff from the command line without any problems. However, I am very visually oriented, and much prefer a GUI when possible.

Ok, so it seems that I need to add a new rule to policykit.

Going off the man pages, I created a file (named 20-remote-admin-allow.pkla), and dropped it into /etc/polkit-1/localauthority/50-local.d/. Since there seems to be multiple polkit config directories, I copied the same file into /var/lib/polkit-1/localauthority/50-local.d/.

It does not appear to have changed anything.

Here is my config file, as mentioned above:

[root@cloaica zul]# cat /var/lib/polkit-1/localauthority/50-local.d/10-remote-admin-allow.pkla 
[Let remote users do admin stuff]
Identity=unix-user:zul
Action=*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_self_keep

[root@cloaica zul]# cat /etc/polkit-1/localauthority/50-local.d/20-remote-admin-allow.pkla 
[Allow Remote Administraton]
Identity=unix-user:zul
Action=*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
[root@cloaica zul]#

pkaction --verbose still reports 

implicit any:      no
implicit inactive: no

for most actions, and said actions fail if I attempt them, with "Authentication Failed" dialog, as mentioned above.

Seriously, I does anyone actually understand how polkit actually works?

Policykit seems to be an ongoing nightmare, and considering there used to be a GUI configuration tool and it was removed, I don't understand how anyone thought this was ready for release into a production OS.

To be clear, I like having the "please authenticate to perform this action" dialogs. I just want to actually have them, rather then having the system silently fail to authenticate.

I don't want to remove the entirety of polkit, just make it either think all sessions are active, or that inactive sessions get the same permissions as active sessions.

Fake Name
  • 499
  • 5
  • 16
  • I have no experience in CentOS, but it seems a PolicyKit related problem. The default conf on Debian and Ubuntu gives no privilege to a nonlocal user. – enzotib Dec 25 '11 at 12:45
  • @enzotib - I would guess it's something like that. Now, where is is the setting that controls those privileges? – Fake Name Dec 26 '11 at 06:11
  • They are in `/etc/polkit-1` and `/var/lib/polkit-1`. See also `pkaction --verbose` output and `pklocalauthority` man page. – enzotib Dec 26 '11 at 08:28
  • @enzotib - I've done that, see updated question. It hasn't helped. – Fake Name Jan 08 '12 at 04:05
  • Some remarks: 1) the file must have `.pkla` extension; 2) there should be `Identity` and not `AdminIdentities`; 3) `pkaction` returns information for registered actions (found in `/usr/share/polkit-1/actions/*`) and do not show local modifications, so it is better to try than believe in `pkaction`. – enzotib Jan 09 '12 at 08:50
  • @enzotib - 1: Both files are `*.pkla` files. 2: Didn't make any difference. 3: Then what's the point of `pkaction`? That's ridiculously stupid. – Fake Name Jan 09 '12 at 11:20
  • @enzotib - see updated question – Fake Name Jan 09 '12 at 11:23
  • I still see an `Identities` instead of `Identity` on the first file, don't know if it is important. – enzotib Jan 09 '12 at 11:32
  • @enzotib - Good catch. I've updated the question. – Fake Name Jan 09 '12 at 12:08
  • Weird. It now *kind* of works... For instance, `system-config-lvm` correctly prompts for the administrator password. `gpk-application` and `palimpsest`do not. – Fake Name Jan 09 '12 at 12:10
  • and `pkcheck --action-id org.freedesktop.udisks.linux-lvm2` is dropping me into the `pkcheck` man pages, despite the fact that the man pages say `pkcheck --action-id action {--process { pid | pid,pid-start-time }` – Fake Name Jan 09 '12 at 12:14
  • I needed to run `systemctl restart polkit` after creating the `.pkla` file. https://serverfault.com/questions/1078535/centos-admin-user-on-xrdp-session-cant-do-admin – kbro Sep 24 '21 at 09:45

4 Answers4

1

Hi I have trouble with this as well. Specifically with udisk.

(I'm running Ubuntu desktop 14.04)

To fix for udisks I did this.

  1. Backup and edit

    sudo vi /usr/share/polkit-1/actions/org.freedesktop.udisks.policy

  2. look for all the:

    <allow_active>yes</allow_active>

    and then change the:

    <allow_any>no</allow_any>

to:

   `<allow_any>yes</allow_any>`

this allows remote access rather than just froce local only

SpiRail
  • 221
  • 2
  • 4
  • FYI, the changes made via this method will most likely be overwritten by a udisk upgrade. Better to place a suitable file into, for example, the `/etc/polkit-1/localauthority/50-local.d` directory. – Digger Nov 06 '21 at 17:44
1

Can't say for certain you're having the exact same problem, but this is listed as a fedora bug, as of Nov, 2011. I installed a clean CentOS 6, upgraded all packages and then had the same problem trying to remotely access and add a new package (something requiring auth).

bsd
  • 10,916
  • 4
  • 30
  • 38
0

Try this one:

[Remote Admin SSH access] 
Identity=unix-group:users
Action=*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

After this add the user to users group. Do you see any security issues with this configuration?

Renan
  • 16,976
  • 8
  • 69
  • 88
antenagora
  • 1
0

I found that running:

 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 &

first in my ssh session allows me to get the normal auth popup as if I was local.

With this, I'm able to run gnome-disks or any other gnome utility that needs auth_admin.

This binary comes from the policykit-1-gnome package.

SolarKennedy
  • 86
  • 4