#StackBounty: #gnome #security #18.04 #xrdp #policykit Polkit pkla rule is not working on 18.04

Bounty: 50

I have troubles with infamous colord policy prompts on Gnome 3.28.1. With XFCE desktop on the same system I have no such problem.

I work via xrdp and always get this prompt and I cannot disable it.

Whenever I change <action id="org.freedesktop.color-manager.create-device"> policy in /usr/share/polkit-1/actions/org.freedesktop.color.policy to <allow_any>yes</allow_any> I get Gnome fatal error in logs:

 kernel: [ 116.602287] traps: gsd-color[1071] trap divide error ip:55e3474a894a sp:7ffe943c05b0 error:0 in gsd-color[55e34749f000+12000]
 gnome-session[857]: gnome-session-binary[857]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8
 gnome-session-binary[857]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8
 gsd-color[1266]: failed to get edid: unable to get EDID for output
 PackageKit: search-file transaction /284_eeeceace from uid 1000 finished with success after 2458ms
 PackageKit: search-file transaction /285_deacbcca from uid 1000 finished with success after 673ms
 PackageKit: search-file transaction /286_ddddaaac from uid 1000 finished with success after 632ms
 PackageKit: search-file transaction /287_adbbdacc from uid 1000 finished with success after 631ms
 PackageKit: search-file transaction /288_baabcbea from uid 1000 finished with success after 647ms
 PackageKit: search-file transaction /289_addccebd from uid 1000 finished with success after 644ms
 colord[1135]: failed to get seat for session c1 [pid 1266]: No data available
 gsd-color[1266]: unable to get EDID for xrandr-rdp0: unable to get EDID for output
 kernel: [ 122.249719] traps: gsd-color[1266] trap divide error ip:55cbb120994a sp:7ffc0b145e60 error:0 in gsd-color[55cbb1200000+12000]
 gnome-session[857]: gnome-session-binary[857]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8
 gnome-session-binary[857]: WARNING: Application 'org.gnome.SettingsDaemon.Color.desktop' killed by signal 8
 gnome-session[857]: gnome-session-binary[857]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly
 gnome-session[857]: gnome-session-binary[857]: CRITICAL: We failed, but the fail whale is dead. Sorry....
 gnome-session-binary[857]: Unrecoverable failure in required component org.gnome.SettingsDaemon.Color.desktop
 gnome-session-binary[857]: WARNING: App 'org.gnome.SettingsDaemon.Color.desktop' respawning too quickly
 gnome-session-binary[857]: CRITICAL: We failed, but the fail whale is dead. Sorry....
 xrdp-sesman[839]: (839)(140650868393024)[CORE ] window manager (pid 852) did exit, cleaning up session
 xrdp-sesman[839]: (839)(140650868393024)[INFO ] calling auth_stop_session and auth_end from pid 839
 xrdp-sesman[839]: (839)(140650868393024)[DEBUG] cleanup_sockets:
 xrdp[837]: (837)(139809021074688)[DEBUG] Closed socket 26 (AF_UNIX)
 xrdp-sesman[839]: (839)(140650868393024)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_out_socket_10
 xrdp-sesman[839]: (839)(140650868393024)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_audio_in_socket_10
 xrdp-sesman[839]: (839)(140650868393024)[DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10
 gsd-power[1030]: gsd-power: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
 xrdp-sesman[619]: (619)(140650868393024)[INFO ] ++ terminated session: username buza, display :10.0, session_pid 839, ip 192.168.1.100:6760 - socket: 12
 gsd-xsettings[1050]: gsd-xsettings: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
 gsd-wacom[1058]: gsd-wacom: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
 gsd-clipboard[1070]: gsd-clipboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
 gsd-keyboard[1078]: gsd-keyboard: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
 gsd-media-keys[1079]: gsd-media-keys: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
 kerneloops-applet.desktop[1137]: kerneloops-applet: Fatal IO error 11 (Resource temporarily unavailable) on X server :10.0.
 PackageKit: search-file transaction /290_ebadbabe from uid 1000 finished with success after 1241ms
 xrdp[837]: (837)(139809021074688)[DEBUG] Closed socket 12 (AF_INET 192.168.1.201:7777)
 xrdp[837]: (837)(139809021074688)[DEBUG] xrdp_mm_module_cleanup
 xrdp[837]: (837)(139809021074688)[DEBUG] Closed socket 25 (AF_UNIX)
 gnome-shell[909]: gnome-shell: Fatal IO error 0 (Success) on X server :10.0.

The same happens if I simply try to login interactively with password prompt.

I tried to create custom pkla file in /var/lib/polkit-1/localauthority/50-local.d:

<action id="org.freedesktop.color-manager.create-device">
  <description xml:lang="en">Create a color managed device</description>
  <message xml:lang="en">Authentication is required to create a color managed device</message>
  <defaults>
    <allow_any>yes</allow_inactive>
    <allow_inactive>yes</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>
</action>

It seems to me it’s equivalent to directly changing actions is /usr/share/polkit-1/actions.

I also tried to create global allow pkla rule as per this proposal:

[No password prompt]
Identity=unix-group:sudo
Action=*
ResultActive=yes

I also have global rule in /etc/polkit-1/rules.d

polkit.addRule(function(action, subject) {
if (subject.isInGroup("group")) {
      return polkit.Result.YES;
   }
});

As I got it, if I have polkit < 0.106, the rules are not processed, and one should use pkla files. Correct me, if I’m wrong. My pkaction --version shows 0.105.

None of the above worked. Which steps should I try and how to debug this?


Get this bounty!!!

Leave a Reply