Public bug reported:
On 16.04 and using the Xubuntu session (this isn't limited to XFCE) I
noticed that my notebook fails to suspend via power-management when the
idle timeout expires. When returning to it, if it still has power, I see
a polkit-agent GUI dialog asking me to authenticate.
In /var/log/auth.log is:
polkitd(authority=local): Operator of unix-session:c2 FAILED to
authenticate to gain authorization for action
org.freedesktop.login1.suspend for system-bus-name::1.47 [xfce4-power-
manager --restart --sm-client-id 2992705d4-6fa2-4fba-966c-f7631ecd0b46]
(owned by unix-user:tj)
So I started digging:
# inactive sleep is enabled
$ xfconf-query -c xfce4-power-manager -lv | grep inactivity
/xfce4-power-manager/inactivity-on-ac 14
/xfce4-power-manager/inactivity-on-battery 15
/xfce4-power-manager/inactivity-sleep-mode-on-battery 1
$ awk '/login1\.suspend"/ {E=1;print} /defaults/ && E == 1 {E++} E > 1 {print}
/<\/action>/ && E > 1 {exit}'
/usr/share/polkit-1/actions/org.freedesktop.login1.policy
<action id="org.freedesktop.login1.suspend">
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
# member of sudo and adm
$ groups
tj adm dialout cdrom sudo dip plugdev lpadmin sambashare sbuild lxd libvirtd
two_factor_auth
$ sudo find /etc/polkit-1/ -type f -exec sh -c 'echo === {} ===; cat {}' \; |
egrep -v '^(#|$)'
=== /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla ===
[Enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
ResultInactive=yes
[Enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
ResultInactive=yes
=== /etc/polkit-1/nullbackend.conf.d/50-nullbackend.conf ===
[Configuration]
Priority=-10
=== /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf ===
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
=== /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ===
[Configuration]
AdminIdentities=unix-user:0
ubuntu-admin.conf policy sets AdminIdentities to include group 'sudo'
but seems to be ignored
"man 8 pklocalauthority" states that these files are parsed in C locale
lexical order, and gives examples of "...given the name 60-desktop-
policy.conf to ensure that it is evaluted after the
50-localauthority.conf file shipped with PolicyKit."
However:
$ sudo inotifywait -r -m /etc/polkit-1/localauthority.conf.d
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/etc/polkit-1/localauthority.conf.d/ OPEN,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE,ISDIR
/etc/polkit-1/localauthority.conf.d/ OPEN 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 50-localauthority.conf
This seems to show that the sort order might be high-low not low-high
(unless they're sorted once in memory).
In view of the fact that ubuntu-admin.conf appears to be ignored I
suspect 50-localauthority.conf is replacing the ubuntu conf with the
default:
AdminIdentities=unix-group:sudo;unix-group:admin
AdminIdentities=unix-user:0
** Affects: policykit-1 (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
On 16.04 and using the Xubuntu session (this isn't limited to XFCE) I
noticed that my notebook fails to suspend via power-management when the
idle timeout expires. When returning to it, if it still has power, I see
a polkit-agent GUI dialog asking me to authenticate.
In /var/log/auth.log is:
polkitd(authority=local): Operator of unix-session:c2 FAILED to
authenticate to gain authorization for action
org.freedesktop.login1.suspend for system-bus-name::1.47 [xfce4-power-
manager --restart --sm-client-id 2992705d4-6fa2-4fba-966c-f7631ecd0b46]
(owned by unix-user:tj)
So I started digging:
# inactive sleep is enabled
$ xfconf-query -c xfce4-power-manager -lv | grep inactivity
/xfce4-power-manager/inactivity-on-ac 14
/xfce4-power-manager/inactivity-on-battery 15
/xfce4-power-manager/inactivity-sleep-mode-on-battery 1
- $ awk '/login1\.suspend"/ {E=1;print} /defaults/ && E == 1 {E++} E > 1
{print} /<\/action>/ && E > 1 {exit}'
/usr/share/polkit-1/actions/org.freedesktop.login1.policy
- <action id="org.freedesktop.login1.suspend">
- <defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
+ $ awk '/login1\.suspend"/ {E=1;print} /defaults/ && E == 1 {E++} E > 1
{print} /<\/action>/ && E > 1 {exit}'
/usr/share/polkit-1/actions/org.freedesktop.login1.policy
+ <action id="org.freedesktop.login1.suspend">
+ <defaults>
+ <allow_any>auth_admin_keep</allow_any>
+ <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ </action>
# member of sudo and adm
$ groups
tj adm dialout cdrom sudo dip plugdev lpadmin sambashare sbuild lxd libvirtd
two_factor_auth
-
$ sudo find /etc/polkit-1/ -type f -exec sh -c 'echo === {} ===; cat {}' \; |
egrep -v '^(#|$)'
=== /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla ===
[Enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
ResultInactive=yes
[Enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
ResultInactive=yes
=== /etc/polkit-1/nullbackend.conf.d/50-nullbackend.conf ===
[Configuration]
Priority=-10
=== /etc/polkit-1/localauthority.conf.d/51-localauthority.conf ===
[Configuration]
AdminIdentities=unix-user:0
=== /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf ===
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
=== /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ===
[Configuration]
AdminIdentities=unix-user:0
ubuntu-admin.conf policy sets AdminIdentities to include group 'sudo'
but seems to be ignored
"man 8 pklocalauthority" states that these files are parsed in C locale
lexical order, and gives examples of "...given the name 60-desktop-
policy.conf to ensure that it is evaluted after the
50-localauthority.conf file shipped with PolicyKit."
However:
- $ sudo inotifywait -r -m /etc/polkit-1/localauthority.conf.d
+ $ sudo inotifywait -r -m /etc/polkit-1/localauthority.conf.d
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
- /etc/polkit-1/localauthority.conf.d/ OPEN,ISDIR
- /etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
- /etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
- /etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE,ISDIR
+ /etc/polkit-1/localauthority.conf.d/ OPEN,ISDIR
+ /etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
+ /etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
+ /etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE,ISDIR
/etc/polkit-1/localauthority.conf.d/ OPEN 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE
51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE
50-localauthority.conf
This seems to show that the sort order might be high-low not low-high
(unless they're sorted once in memory).
- In view of the fact that ubutun-admin.conf appears to be ignored I
+ In view of the fact that ubuntu-admin.conf appears to be ignored I
suspect 50-localauthority.conf is replacing the ubuntu conf with the
default:
AdminIdentities=unix-group:sudo;unix-group:admin
AdminIdentities=unix-user:0
** Description changed:
On 16.04 and using the Xubuntu session (this isn't limited to XFCE) I
noticed that my notebook fails to suspend via power-management when the
idle timeout expires. When returning to it, if it still has power, I see
a polkit-agent GUI dialog asking me to authenticate.
In /var/log/auth.log is:
polkitd(authority=local): Operator of unix-session:c2 FAILED to
authenticate to gain authorization for action
org.freedesktop.login1.suspend for system-bus-name::1.47 [xfce4-power-
manager --restart --sm-client-id 2992705d4-6fa2-4fba-966c-f7631ecd0b46]
(owned by unix-user:tj)
So I started digging:
# inactive sleep is enabled
$ xfconf-query -c xfce4-power-manager -lv | grep inactivity
/xfce4-power-manager/inactivity-on-ac 14
/xfce4-power-manager/inactivity-on-battery 15
/xfce4-power-manager/inactivity-sleep-mode-on-battery 1
$ awk '/login1\.suspend"/ {E=1;print} /defaults/ && E == 1 {E++} E > 1
{print} /<\/action>/ && E > 1 {exit}'
/usr/share/polkit-1/actions/org.freedesktop.login1.policy
<action id="org.freedesktop.login1.suspend">
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
# member of sudo and adm
$ groups
tj adm dialout cdrom sudo dip plugdev lpadmin sambashare sbuild lxd libvirtd
two_factor_auth
$ sudo find /etc/polkit-1/ -type f -exec sh -c 'echo === {} ===; cat {}' \; |
egrep -v '^(#|$)'
=== /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla ===
[Enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
ResultInactive=yes
[Enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
ResultInactive=yes
=== /etc/polkit-1/nullbackend.conf.d/50-nullbackend.conf ===
[Configuration]
Priority=-10
- === /etc/polkit-1/localauthority.conf.d/51-localauthority.conf ===
- [Configuration]
- AdminIdentities=unix-user:0
=== /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf ===
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
=== /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ===
[Configuration]
AdminIdentities=unix-user:0
ubuntu-admin.conf policy sets AdminIdentities to include group 'sudo'
but seems to be ignored
"man 8 pklocalauthority" states that these files are parsed in C locale
lexical order, and gives examples of "...given the name 60-desktop-
policy.conf to ensure that it is evaluted after the
50-localauthority.conf file shipped with PolicyKit."
However:
$ sudo inotifywait -r -m /etc/polkit-1/localauthority.conf.d
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/etc/polkit-1/localauthority.conf.d/ OPEN,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE,ISDIR
/etc/polkit-1/localauthority.conf.d/ OPEN 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-ubuntu-admin.conf
- /etc/polkit-1/localauthority.conf.d/ OPEN 51-localauthority.conf
- /etc/polkit-1/localauthority.conf.d/ ACCESS 51-localauthority.conf
- /etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE
51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE
50-localauthority.conf
This seems to show that the sort order might be high-low not low-high
(unless they're sorted once in memory).
In view of the fact that ubuntu-admin.conf appears to be ignored I
suspect 50-localauthority.conf is replacing the ubuntu conf with the
default:
AdminIdentities=unix-group:sudo;unix-group:admin
AdminIdentities=unix-user:0
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1757266
Title:
/etc/polkit-1/localauthority.conf.d/ parsed in wrong order?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1757266/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
