Mageia forum

[doktor5000]

edit doktor5000 UPDATE 10/10/2015 - a fix for this issue has just been released,
see http://advisories.mageia.org/MGAA-2015-0145.html for more details


After applying today's polkit update (on Mageia 5, 64 bit):
http://advisories.mageia.org/MGASA-2015-0262.html
I was unable to launch MCC from either the panel icon or the menu - my root password was rejected. I was able to launch MCC from a root terminal.

Restarting polkit

Code: Select all

systemctl restart polkit

has restored expected behaviour.

edit doktor5000 UPDATE 12/10/2015
This polkit bug, 1. in the list in viewtopic.php?p=59728#p59728
now also has a fix, so those upgrading or installing Mageia 5 will not be affected, polkit system service will be automatically restarted upon an update of the polkit package.


Perhaps a fluke on my system, but posted here in case anyone else has the same experience.

Jim

Edit: There have been reports in one of the mailing lists that restarting polkit may not always solve the problem. In some cases a system re-boot was required to restore normal behaviour.

[isadora]

Same behaviour here, and thanks for your solution Jim.

[mark9117]

Kind of weird. New Mageia 5 install. Everything seems generally okay, but I've stumbled onto some strange trouble.

Clicking the MCC launcher on the taskbar and the dialog pops up and asks me to authenticate as root.
I type in my password and click okay. I get a second dialog that tells me authentication failed, try again.

subsequent attempts fail and the same dialog keeps popping up until it just quits (3 times?).

I've checked and double checked my root password. I can su to root in a Konsole window and invoke the Control Center with the "mcc" comand; the Control Center opens up just fine and I do what I need to do.

Any ideas what's happening here?

Thanks.

Mark

[jkerr82508]

See: viewtopic.php?f=7&t=9994#p57681

Jim

[mark9117]

Yes, that is the solution. Really simple.

Thank you sir.

Mark

[RoyD]

Same problem here
Thank you Jim

[doktor5000]

Same for me, Mga5-64 re: todays update, Jim

Thanks for the tip.

regards

Benmc

[doktor5000]

@Jim: Do you think an errata entry should be added for this, in addition to this forum thread?

[jkerr82508]

I'm not sure of the best way to proceed. Isn't the Errata for issues that exist when the new distro version is released?
This problem occurs on an installed system when polkit is updated.

Now that I know this problem affects more users than just myself, I will open a bug report. It's unlikely that this update will be re-packaged, but future polkit updates should take account of the potential for this problem.

Jim

Bug report: https://bugs.mageia.org/show_bug.cgi?id=16319

[doktor5000]

Now that I know this problem affects more users than just myself, I will open a bug report. It's unlikely that this update will be re-packaged, but future polkit updates should take account of the potential for this problem.

Sounds great. And well, errata for me is the go-to place for stuff that is partly broken and partly not working as expected.
Not everything might be known directly at release time, stuff gets added in there later on ... at least I add stuff in there later on, especially things that were present in previous erratae and still persist

[ozky]

Some times it works and reboot helps in my system it affects to all apps what use polkit.
Is that normal when i reboot system it ask root password in lxqt ?.

[daniewicz]

Thanks Jim. Works for me.

[leon244]

Just noted that this happens to me using Mageia 4 and polkit 0.113. the fix noted above does not work and I need to reboot or, as a work around, call drakconf in a console as root. Calling it with kdesu via console also works.

[vecciora]

Thanks. It helps!

[tomane]

This doesn't work for me !
I tried rebooting but it's not better.
Drakrpm, mcc, hibernation, netapplet... don't work from GUI. I click on the icons but nothing happens.
I can run them from a console as root.

The polkit service shows running :

Code: Select all

# service polkit status
Redirecting to /bin/systemctl status polkit.service
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
   Active: active (running) since mar. 2015-07-28 01:05:24 CEST; 12min ago
     Docs: man:polkit(8)
 Main PID: 10138 (polkitd)
   CGroup: /system.slice/polkit.service
           └─10138 /usr/lib/polkit-1/polkitd --no-debug

juil. 28 01:05:24 magneto polkitd[10138]: Started polkitd version 0.113
juil. 28 01:05:24 magneto polkitd[10138]: Loading rules from directory /etc/polkit-1/rules.d
juil. 28 01:05:24 magneto polkitd[10138]: Loading rules from directory /usr/share/polkit-1/rules.d
juil. 28 01:05:24 magneto polkitd[10138]: Finished loading, compiling and executing 4 rules
juil. 28 01:05:24 magneto polkitd[10138]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
juil. 28 01:05:24 magneto polkitd[10138]: Registered Authentication Agent for unix-session:c4 (system bus name :1...TF-8)
Hint: Some lines were ellipsized, use -l to show in full.

I have the following packages instaled :

Code: Select all

# rpm -qa|grep polkit
gksu-polkit-0.0.3-0.git20131130.11.mga5
polkit-kde-agent-1-0.99.1-2.mga5
lib64polkit-qt-agent-1_1-0.112.0-6.mga5
mate-polkit-1.8.0-6.mga5
lib64polkit-gir1.0-0.113-1.mga5
lib64polkit1_0-0.113-1.mga5
polkit-0.113-1.mga5
lib64polkit-qt-core-1_1-0.112.0-6.mga5
lib64mate-polkit1_0-1.8.0-6.mga5
lib64gksu-polkit0-0.0.3-0.git20131130.11.mga5


Thank you for help !

[ozky]

Don't post any logs right now to this forum thread i have already provided same infos in this bugzilla report.
https://bugs.mageia.org/show_bug.cgi?id=16319

[tomane]

Maybe I found some kind of solution / clue to correct the problem. It's like there is a problem when authentication is set to "default".
I posted what I found here
https://bugs.mageia.org/show_bug.cgi?id=16319#c9
Please tell me if it solves something.
I would like also to know what is the option to run the mcc !
Thanks

[ozky]

See my post in bugzilla.

[doktor5000]

That is neither a solution nor a clue. You disabled the polkit authentication completely, and disabling asking for the password at all.

What do you mean by "what is the option to run the mcc" ? It runs fine here, what exactly is your problem currently?
Please run drakconf as normal user from a terminal and describe what happens.

[tomane]

No, I did not disable the polkit authentication completely, I only changed the need to authenticate on some tools. That's exactly what this MCC option allows, so please don't tell me I disabled polkit, because it also uses polkit.
And since the user (I) needs to authenticate on mageia or when PC wake up, there is no real security issue.
The problem I had is that I didn't had any authentication request when I clicked on any tool that needs to be root to use it (network center, MCC, drakrpm), NOTHING happened.
The problem is now solved, I don't know why.
Please don't insinuate it was just in my mind. I'm using linux for more than 10 years, I'm in computer science, so I know what I'm doing. Thanks a lot.

[tomane]

See my post in bugzilla.

See my answer in bugzilla

[doktor5000]

No, I did not disable the polkit authentication completely, I only changed the need to authenticate on some tools.
That's exactly what this MCC option allows, so please don't tell me I disabled polkit, because it also uses polkit.

Quoting you from the bug report:

I open a terminal, log as root (su -) and then run the mcc.
Then I go to "security", "configure authentication for mageia tools" (I'm sorry that may not be exactly what you have, I run the french version).
I change one of the items authentication (for example "software management") from "default" (what I usually have) to anything else, like "no password", save and close.

You changed it to no password. No password means no authentication. No authentication implies no polkit.

And since the user (I) needs to authenticate on mageia or when PC wake up, there is no real security issue.

May not be a security issue to you. But that was not my point. It's not a solution to disable something completely if it does not work properly.
But as you're in computer science, I'll leave it at that. No point in arguing with really smart people ...

[tomane]

No point in arguing with really smart people ...

I'm not pretending I'm smart but I was expecting a more helpful and supporting welcome, and after all you don't know me, maybe I can have some ideas too. But let's forget it, my english is not very good and maybe I didn't understand you right.

My point was not to disable polkit, my point was to change something in polkit settings, to see if it works better or has any effect, because in reality I don't know how polkit works, I just think that polkit is a tool that allows users not being root to run some tools as root with eventually a preliminary authentication. In a way, polkit allows not having to do "su -" or "sudo" to run commands that require privileges.

Then in my tests, changing the authentication in the security tool to disable the password request for software management (drakrpm) was only an example, as I said.
If I I go to that tool and change an authentication policy to "root password" for mageia update for example, then I get a request to enter root password when I try to run it from the menu, because it's the authentication I selected. But if I leave it to the default value, I'm not prompted for anything and it's not launched. So in that case the only solution I have then if I want to install a rpm is to log as root and run drakrpm, which is not satisfactory of course. I hope I'm clear.

I had a look at polkit documentation and saw what parameter files it uses but I don't understand everything at the moment.
I notice then that when I change something in the security tool, there is one row added to file :
/etc/polkit-1/rules.d/51-draksec.rules

Currently,my file is this :

Code: Select all

# cat 51-draksec.rules
// This file is written by draksec. Do not edit.
var drakToolAuth = function(tool){switch (tool){
case 'draknetcenter': return polkit.Result.YES;
case 'drakrpm-editmedia': return polkit.Result.AUTH_ADMIN_KEEP;
case 'drakrpm-update': return polkit.Result.AUTH_SELF_KEEP;
case 'drakrpm': return polkit.Result.AUTH_ADMIN_KEEP;

}return polkit.Result.NOT_HANDLED;};

Every item I changed in the security tool has a line in this file and will be launched according to the authorisation rule defined in file (with or without prompt for password). The other commands will not run as user. For example, drakconf is not in this file, if I click on the MCC icon, nothing happens, if I run it from a console as user, I have the following message :

Code: Select all

$ drakconf
Error executing command as another user: Not authorized

This incident has been reported.

But draknetcenter will run (without prompting password) :

Code: Select all

$ draknetcenter
Ignore the following Glib::Object::Introspection & Gtk3 warnings
Subroutine Gtk3::main redefined at /usr/lib/perl5/vendor_perl/5.20.1/Gtk3.pm line 296.
$VAR1 = [
          bless( do{\(my $o = 83001200)}, 'Gtk3::TreePath' )
        ];

and drakrpm will be launched after prompting for root password, so as far as I understand, polkit works even if I disable password for one command.

My idea is that after the update to the new version of polkit, the default polkit rule that asks for user or root password doesn't work any more or is missing, certainly because of a precedence problem in the rules.
I have the problem with polkit again, that's why I could do these tests. (no, rebooting doesn't solve the problem nor restarting polkit service).

Maybe you will thing I'm wrong and I should just wait until the problem is solved, but I'm used to try to solve problems by myself and to try to understand things.
Thanks for your time if you have read this.

[jkerr82508]

It may not help, but shouldn't do any harm, to re-install polkit:

Code: Select all

urpmi --replacepkgs polkit

Jim

[doktor5000]

No point in arguing with really smart people ...

I'm not pretending I'm smart but I was expecting a more helpful and supporting welcome, and after all you don't know me, maybe I can have some ideas too.

My apologies, you're correct with that. Seems my current early shift duty leads to slightly grumpier replies then usual

My point was not to disable polkit, my point was to change something in polkit settings, to see if it works better or has any effect, because in reality I don't know how polkit works, I just think that polkit is a tool that allows users not being root to run some tools as root with eventually a preliminary authentication. In a way, polkit allows not having to do "su -" or "sudo" to run commands that require privileges.

Yes and no It's actually more then just a tool and it's a little more complex.
It consists of two parts, one system authority, and a polkit agent for every user session, which will display the authentication requests.
For the documentation see http://www.freedesktop.org/software/pol ... kit.8.html

You can see the status and the last 10 lines of logs (e.g. authentication requests) of the system daemon as root via

Code: Select all

systemctl status polkit.service -a

You can check if the system daemon and the user polkit agent is running via

Code: Select all

ps -ef | grep -v grep | grep polkit

The systemwide rules are kep under /usr/share/polkit-1/rules.d (e.g. the one for all our drakxtools is /usr/share/polkit-1/rules.d/org.mageia.draksec.rules )
and the actions requested by certain programs are located in /usr/share/polkit-1/actions/

For your problem with polkit, there are certain issues that might come into play. First there was an issue (in the bug report linked to a few posts above)
after a polkit update. It either required a restart of the polkit system daemon or in some cases a complete reboot so it was functional again.
Apart from that, members of the wheel group are handled specially by default, see https://wiki.archlinux.org/index.php/Po ... identities
Also when using a remote X session or remote ssh session there may be issues using polkit. See e.g. https://bugs.mageia.org/show_bug.cgi?id=13834

BTW: For the reinstallation I'd also amend Jim's command by --replacefiles.