From mikedep333@gmail.com Sun Mar 23 17:25:59 2014 Received: (at submit) by bugs.x2go.org; 23 Mar 2014 16:26:00 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,FREEMAIL_FROM, T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from mail-wg0-f51.google.com (mail-wg0-f51.google.com [74.125.82.51]) by ymir (Postfix) with ESMTPS id 3DFAD5DB11 for ; Sun, 23 Mar 2014 17:25:59 +0100 (CET) Received: by mail-wg0-f51.google.com with SMTP id k14so2779241wgh.34 for ; Sun, 23 Mar 2014 09:25:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=08xu99wyhjitU57D7Clbca+IRH81ajBJGPWr4ds36C8=; b=YE52g6LAMJQmZV836DtfidPzBPBarbmlRLpXSTU+CaPOwFXMuiIi5L3T52es13jngy uEHcWtK5uCKPlU5v3n3KUo19g8vg/YMya47xwlOTRw/QjPeY53NZfLInziHQvM2ZleQF vNvESRqTHCGjmAitsKRYFLQV6YihEe7uNk8xQS6kN0V27tM/+JRrlnPNt4dDEhlP+zJV Jk9AypNdTfzNZKATeJHAu1nh6smXheefi0XzoAGb9Rs/17Jnu/SrAILMF/0M40mI46K9 Us5Q4vKSK/BZ1aY7zIS9zM8Trj3W3Uow/UWVFnIOQ++jERJFX/s6mmKwuYbtn66oo38U uInA== MIME-Version: 1.0 X-Received: by 10.180.91.164 with SMTP id cf4mr10354784wib.37.1395591958716; Sun, 23 Mar 2014 09:25:58 -0700 (PDT) Received: by 10.181.11.130 with HTTP; Sun, 23 Mar 2014 09:25:58 -0700 (PDT) Date: Sun, 23 Mar 2014 12:25:58 -0400 Message-ID: Subject: PolicyKit authentication within apps often fails From: Michael DePaulo To: submit@bugs.x2go.org Content-Type: text/plain; charset=ISO-8859-1 Package: x2goserver Version: 4.0.1.13 Notes: 1. I am not sure if this is a bug in x2goserver, x2goserver-xsession, or in nx-libs. 2. PolicyKit depends on ConsoleKit (and on systemd-logind in newer distros.) 3. The behavior seems to be distro-specific and/or app-specific. 4. This bug report differs from 458 because PolicyKit authentication is being called within an app, not when launching the app. This is part of the PolilcyKit architecture: The apps run unprivileged and rely on PolicyKit in order to speak to privileged processes that do the actual task. For example, in test case 2, gpk-application is launched unprivileged. It uses PolicyKit to speak to the PackageKit backend, and the PackageKit backend does the package install. Test system: Fedora 20 64-bit MATE Desktop 1.6.2.1.fc20 - used for all 3 test cases x2goserver 4.0.1.13.2.fc20 x2goserver-xsession 4.0.1.13.2.fc20 nxlibs 3.5.0.22.1-fc20 (This distro uses logind) (/usr/libexec/polkit-mate-authentication-agent-1 is launched automatically when I login over X2Go. This distro is not affected by bug 457) Test Case 1: Steps: 1. Launch yumex (from start menu or from console) 2. Switch to the yumex's "history" tab on the left.. Expected result: A policykit authentication window opens up, I select a user to authenticate as (myself or root), enter my password, and then the history is populated within yumex. Here is an image of that policykit authentication window: http://imgur.com/JUZTBHo Actual result: The authentication window does not open up and the history is no populated. Instead, I get an error message windows. When I click "Close" on the window, yumex closes. Error message: Fatal Error: polkit-not-authorized Could not get polkit autherisation to start backend Yum Extender will terminate Here's an image of the error message window http://imgur.com/ABYETM0 >From the command-line, I can see this output when I select the history tab: 15:53:07 : INFO - YUM: Error executing command as another user: Not authorized 15:53:14 : INFO - yum backend process is ended 15:53:14 : INFO - yum backend process is ended Test Case 2: Steps: 1. Launch gpk-application (GNOME "Software Install" AKA "Add/Remove Software") 2. Select to install a single package. 3. Click "Apply Changes" Expected result: A policykit authentication window opens up, I select a user to authenticate as (myself or root), enter my password, and then the package is downloaded & installed (over the course of at least a few seconds), during which a progress bar is displayed. Screenshot: http://imgur.com/lLNof08 Actual result: The authentication window does not open up. The progress bar for the install completes in about 1 second. The package is not installed. (Interestingly enough, the package is still selected to be installed, but the "Apply Changes" and "cancel" button are hidden. This is a bug in gpk-application, it does not know how to handle policykit having an error. But this gpk-application bug is besides the point.) Screenshot: http://i.imgur.com/28lCZF5.png Also, the command-line does not show any relevant output. Test Case 3: Steps: 1. Launch virt-manager (AKA "Virtual Machine Manager") This test case actually passes! Expected & Actual result: A policykit authentication window opens up, I select a user to authenticate as (e.g., myself or root), enter my password, and then I am connected to the local libvirtd instance and see the VMs running. Screenshot: http://imgur.com/mZSgdMW Also, the command-line output does not include any details about PolicyKit (succeeding.) Note: Test case 3 fails on CentOS 6.5 64-bit. However, CentOS 6.5 64-bit is affected by bug 457, so that precludes running this test case. From mike.gabriel@das-netzwerkteam.de Wed Aug 20 11:31:17 2014 Received: (at 459) by bugs.x2go.org; 20 Aug 2014 09:31:22 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 29B0A5DB17 for <459@bugs.x2go.org>; Wed, 20 Aug 2014 11:31:16 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id C03911F9F; Wed, 20 Aug 2014 11:31:15 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 0DF293BBF5; Wed, 20 Aug 2014 11:31:16 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKpDrQg-HE2D; Wed, 20 Aug 2014 11:31:15 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id B31D63BBF4; Wed, 20 Aug 2014 11:31:15 +0200 (CEST) Received: from m-031.informatik.uni-kiel.de (m-031.informatik.uni-kiel.de [134.245.254.31]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Wed, 20 Aug 2014 09:31:15 +0000 Date: Wed, 20 Aug 2014 09:31:15 +0000 Message-ID: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de> From: Mike Gabriel To: Michael DePaulo , 459@bugs.x2go.org Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails In-Reply-To: User-Agent: Internet Messaging Program (IMP) H5 (6.2.0) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 134.245.254.31 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.0 Content-Type: multipart/signed; boundary="=_zcKA2IqlTdpNWRLDTcC5ug1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_zcKA2IqlTdpNWRLDTcC5ug1 Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Michael, On So 23 M=C3=A4r 2014 17:25:58 CET, Michael DePaulo wrote: > Package: x2goserver > Version: 4.0.1.13 > > Notes: > > 1. I am not sure if this is a bug in x2goserver, x2goserver-xsession, > or in nx-libs. > > 2. PolicyKit depends on ConsoleKit (and on systemd-logind in > newer distros.) > > 3. The behavior seems to be distro-specific and/or app-specific. > > 4. This bug report differs from 458 because PolicyKit authentication > is being called within an app, not when launching the app. This is > part of the PolilcyKit architecture: The apps run unprivileged and > rely on PolicyKit in order to speak to privileged processes that do > the actual task. For example, in test case 2, gpk-application is > launched unprivileged. It uses PolicyKit to speak to the PackageKit > backend, and the PackageKit backend does the package install. > > Test system: > Fedora 20 64-bit > MATE Desktop 1.6.2.1.fc20 - used for all 3 test cases > x2goserver 4.0.1.13.2.fc20 > x2goserver-xsession 4.0.1.13.2.fc20 > nxlibs 3.5.0.22.1-fc20 > (This distro uses logind) > (/usr/libexec/polkit-mate-authentication-agent-1 is launched > automatically when I login over X2Go. This distro is not affected by > bug 457) > > Test Case 1: > Steps: > 1. Launch yumex (from start menu or from console) > 2. Switch to the yumex's "history" tab on the left.. > > Expected result: > A policykit authentication window opens up, I select a user to > authenticate as (myself or root), enter my password, and then the > history is populated within yumex. > > Here is an image of that policykit authentication window: > http://imgur.com/JUZTBHo > > Actual result: > The authentication window does not open up and the history is no > populated. Instead, I get an error message windows. When I click > "Close" on the window, yumex closes. > > Error message: > Fatal Error: polkit-not-authorized > > Could not get polkit autherisation to start backend > > Yum Extender will terminate > > Here's an image of the error message window > http://imgur.com/ABYETM0 > > From the command-line, I can see this output when I select the history ta= b: > 15:53:07 : INFO - YUM: Error executing command as another user: Not=20=20 >=20authorized > 15:53:14 : INFO - yum backend process is ended > 15:53:14 : INFO - yum backend process is ended > > Test Case 2: > Steps: > 1. Launch gpk-application (GNOME "Software Install" AKA "Add/Remove=20=20 >=20Software") > 2. Select to install a single package. > 3. Click "Apply Changes" > > Expected result: A policykit authentication window opens up, I select > a user to authenticate as (myself or root), enter my password, and > then the package is downloaded & installed (over the course of at > least a few seconds), during which a progress bar is displayed. > > Screenshot: > http://imgur.com/lLNof08 > > Actual result: > The authentication window does not open up. The progress bar for the > install completes in about 1 second. The package is not installed. > (Interestingly enough, the package is still selected to be installed, > but the "Apply Changes" and "cancel" button are hidden. This is a bug > in gpk-application, it does not know how to handle policykit having an > error. But this gpk-application bug is besides the point.) > > Screenshot: > http://i.imgur.com/28lCZF5.png > > Also, the command-line does not show any relevant output. > > Test Case 3: > Steps: > 1. Launch virt-manager (AKA "Virtual Machine Manager") > > This test case actually passes! > > Expected & Actual result: > A policykit authentication window opens up, I select a user to > authenticate as (e.g., myself or root), enter my password, and then I > am connected to the local libvirtd instance and see the VMs running. > > Screenshot: > http://imgur.com/mZSgdMW > > Also, the command-line output does not include any details about > PolicyKit (succeeding.) > > Note: Test case 3 fails on CentOS 6.5 64-bit. However, CentOS 6.5 > 64-bit is affected by bug 457, so that precludes running this test > case. I just fixed #458 by exporting $XAUTHORITY in x2goruncommand. Do you have any clue what this issue may be related to? As I don't=20=20 have=20any of the failing apps on Debian, I cannot reproduce your test=20= =20 results=20right away. Any hint, if this issues also occurs on Debian? Mike --=20 DAS-NETZWERKTEAM mike=20gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x= fb --=_zcKA2IqlTdpNWRLDTcC5ug1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJT9GrjAAoJEJr0azAldxsxOswP/RzbtmE048n3F3sOVMSSZYrA k+36d+QjKt6qS+ILMmM6OKpTl2ImqW8m1amfCyVS9Cyn3375KdUsDvlzbZmkVM6r Kmn5r724SqyVLLKst1Fnm71eu27PQJQIRupXEEVQ/VzQvnWWN5IMNWYsPwHPlgFN Kmg8/eWS4bLPE6Ybk117sYx7D3k8hPq8SJAQ6YVpFrzlX74G8fbw3HyFy/QDu++C tLZ1vccs1N8wqyJzbgztWT84fOVGNBi+uF45mrwarzFq2sCNiFDagSYkNF8J6+nB Y2VKABJGM9GXNCyWIOXe78+ocrbWlNXK5h34yuFxgHp/bQGDyyaSrD/T5ZGDG6DW /ZOVMil0tlnmwKmr4ML2v+qpyP6Rnu1kpeWK8X3JSAmFAP6HjPmslcDnlLTAB83+ 6brTjHBbbisLjFp5gejFDi9qseaWLhr72vL3wtifLpyL3koZgGj0szfJlNi0N1qE fTCXbhYv3549QW5s37O7xbyI7q8wXx3hfj/BGcp0Otkan0T47oYZlSHDK/9bel6h swjT5A4uQ4EUU9unvAEs/YH5WEssmE7PqiVOrBdDIAjxcHY+Kw3hnZZbaqtOhO8s h56RkA9IwMDsbq/HRsC0o4AeGy6oQkdJuH1joLgjfD1S2GGNbCaDdWEH0KQNIsY9 sC5WlqLBN0w+JJD3KHm+ =q/xg -----END PGP SIGNATURE----- --=_zcKA2IqlTdpNWRLDTcC5ug1-- From mikedep333@gmail.com Wed Aug 20 16:04:04 2014 Received: (at 459) by bugs.x2go.org; 20 Aug 2014 14:04:05 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM, T_DKIM_INVALID autolearn=ham version=3.3.2 Received: from mail-wg0-f45.google.com (mail-wg0-f45.google.com [74.125.82.45]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id E4B605DB17 for <459@bugs.x2go.org>; Wed, 20 Aug 2014 16:04:03 +0200 (CEST) Received: by mail-wg0-f45.google.com with SMTP id x12so7774125wgg.28 for <459@bugs.x2go.org>; Wed, 20 Aug 2014 07:04:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=6x6g6tfBloD/y2phK3xVS0o4BpcDPqEvGlABun6NkV0=; b=DvenV8CA1XBNqRQuZ/yKgUvw6rKwAqnwMxB68pX6lMSW/4XLjuLzGPH2Rdyax3XmUr w7uxEupi3VPfAyzeF3I3XfACGkdKaC4cRIpfVnyCoT6yWo81nWs/qATIND/P+o3VosNR DKgyO0dF4iCgxfZULIl5l8TZa27wPIyF4fbrT94Pm+9RNxN7Ki86ajIj1IWC/kDDhrv/ YB419h/j5TY30IHQpVvGmPm9EB7ldKgsaIm5jENihYpuHEd766rPpQr4Cl0EGFljDXN0 MkBtPTiWjaefgA6jzgeAEwUzPp8ViJJcYP2Js6IAKQ8PYQvPNEcl15+Q8LhkiudhM5zZ WJKg== MIME-Version: 1.0 X-Received: by 10.180.186.3 with SMTP id fg3mr15195285wic.78.1408543443231; Wed, 20 Aug 2014 07:04:03 -0700 (PDT) Received: by 10.180.238.66 with HTTP; Wed, 20 Aug 2014 07:04:03 -0700 (PDT) In-Reply-To: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de> References: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de> Date: Wed, 20 Aug 2014 10:04:03 -0400 Message-ID: Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails From: Michael DePaulo To: Mike Gabriel Cc: 459@bugs.x2go.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel wrote: > Hi Michael, > > > On So 23 M=C3=A4r 2014 17:25:58 CET, Michael DePaulo wrote: > >>[...] > > > I just fixed #458 by exporting $XAUTHORITY in x2goruncommand. Thank you :) > Do you have any clue what this issue may be related to? As I don't have a= ny > of the failing apps on Debian, I cannot reproduce your test results right > away. 2 possible theories: 1. We are not integrating with ConsoleKit and/or logind properly. (Although it appears that our integration with logind is better, since Fedora 20 works better than CentOS 6.) 2. We have issues with the polcykit authentication windows not being permitted to show up. I think that there is different behavior when using XDMCP. I'll double check after work. Also, Red Hat has some KB articles on this subject. I noticed them after I bought a RHEL subscription for home. I'll look over them again, and update this bug with any relevant info. > Any hint, if this issues also occurs on Debian? I can test this with VMs. I've already created some Debian VMs for compatibility testing with X2Go. Which of the 3 releases (squeeze, wheezy and jessie) should I test? Squeeze is similar to CentOS 6 in terms of versions of packages like ConsoleKit. > Mike [...] From mikedep333@gmail.com Wed Aug 20 16:14:35 2014 Received: (at 459) by bugs.x2go.org; 20 Aug 2014 14:14:36 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM, T_DKIM_INVALID autolearn=ham version=3.3.2 Received: from mail-we0-f180.google.com (mail-we0-f180.google.com [74.125.82.180]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id D8F085DB17 for <459@bugs.x2go.org>; Wed, 20 Aug 2014 16:14:34 +0200 (CEST) Received: by mail-we0-f180.google.com with SMTP id w61so7924110wes.39 for <459@bugs.x2go.org>; Wed, 20 Aug 2014 07:14:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=ya7C/nxeb40z7wnyRDn8iIcuIFzOs067jtxwDipCD44=; b=kh/TXGTukUycIRYvSb4/Wao34QLL55Df7gmnQxNEVS1PZ8h/tbVNdsRxUdCbJiZ3n3 AYJz3y18GflYuaPIAtwmbrY23Rn2imL1M7E4GphqmxoIlq5k7XiGTUJYHbI1IRXCnEaB jDqF2kAmK9nSmWKsOez8KASoQs1hPtgfyu8rgso0qjTu1cqmUVePAXpxJxDUvdREOKQ2 oGd6BCcV9hxasCVk6/NbRsApW4MhIhALsGVd5wGGg1H805cmF1dXjb16SOU4HvTqjQZG ZcVjYYPLQUm47+xkWk5DgndudVj0LKoKyZYHtfAr7ueVr8G/ZivNxUGxukD2Tg7yYhbE r+Iw== MIME-Version: 1.0 X-Received: by 10.180.85.136 with SMTP id h8mr15498348wiz.67.1408544074598; Wed, 20 Aug 2014 07:14:34 -0700 (PDT) Received: by 10.180.238.66 with HTTP; Wed, 20 Aug 2014 07:14:34 -0700 (PDT) In-Reply-To: References: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de> Date: Wed, 20 Aug 2014 10:14:34 -0400 Message-ID: Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails From: Michael DePaulo To: Mike Gabriel , 459@bugs.x2go.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, Aug 20, 2014 at 10:04 AM, Michael DePaulo wr= ote: > On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel > wrote: >> Hi Michael, >> >> >> On So 23 M=C3=A4r 2014 17:25:58 CET, Michael DePaulo wrote: >> >>>[...] >> >> >> I just fixed #458 by exporting $XAUTHORITY in x2goruncommand. > > Thank you :) > >> Do you have any clue what this issue may be related to? As I don't have = any >> of the failing apps on Debian, I cannot reproduce your test results righ= t >> away. > > 2 possible theories: > 1. We are not integrating with ConsoleKit and/or logind properly. > (Although it appears that our integration with logind is better, since > Fedora 20 works better than CentOS 6.) > 2. We have issues with the polcykit authentication windows not being > permitted to show up. > A 3rd possible theory: 3. PolicyKit policies are blocking certain actions from happening over any sort of remote session. PolicyKit refers to local sessions as "Active" and remote sessions as "Inactive". It appears that the X11RDP project has run into this problem: http://scarygliders.net/2012/06/20/a-brief-guide-to-policykit/ http://scarygliders.net/category/policykit/ > I think that there is different behavior when using XDMCP. I'll double > check after work. > > Also, Red Hat has some KB articles on this subject. I noticed them > after I bought a RHEL subscription for home. I'll look over them > again, and update this bug with any relevant info. > >> Any hint, if this issues also occurs on Debian? > > I can test this with VMs. I've already created some Debian VMs for > compatibility testing with X2Go. Which of the 3 releases (squeeze, > wheezy and jessie) should I test? Squeeze is similar to CentOS 6 in > terms of versions of packages like ConsoleKit. > >> Mike > [...] From mike.gabriel@das-netzwerkteam.de Fri Aug 22 23:30:10 2014 Received: (at 459) by bugs.x2go.org; 22 Aug 2014 21:30:12 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 770815DCA9 for <459@bugs.x2go.org>; Fri, 22 Aug 2014 23:30:10 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 5BDF31EFC; Fri, 22 Aug 2014 23:30:09 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 39ED83BBE6; Fri, 22 Aug 2014 23:30:09 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lwZudyZFoKcC; Fri, 22 Aug 2014 23:30:09 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id EC7A13BBE5; Fri, 22 Aug 2014 23:30:08 +0200 (CEST) Received: from p5B3B9266.dip0.t-ipconnect.de (p5B3B9266.dip0.t-ipconnect.de [91.59.146.102]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Fri, 22 Aug 2014 21:30:08 +0000 Date: Fri, 22 Aug 2014 21:30:08 +0000 Message-ID: <20140822213008.Horde.R6akvt34g-EHKCIUuyh_tQ1@mail.das-netzwerkteam.de> From: Mike Gabriel To: Michael DePaulo Cc: 459@bugs.x2go.org Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails References: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de> In-Reply-To: User-Agent: Internet Messaging Program (IMP) H5 (6.2.0) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 91.59.146.102 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.0 Content-Type: multipart/signed; boundary="=_OOvMBLIgf6hKKypbDWT2XQ1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_OOvMBLIgf6hKKypbDWT2XQ1 Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mi 20 Aug 2014 16:04:03 CEST, Michael DePaulo wrote: > On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel > wrote: >> Hi Michael, >> >> >> On So 23 M=C3=A4r 2014 17:25:58 CET, Michael DePaulo wrote: >> >>> [...] >> >> >> I just fixed #458 by exporting $XAUTHORITY in x2goruncommand. > > Thank you :) > >> Do you have any clue what this issue may be related to? As I don't have = any >> of the failing apps on Debian, I cannot reproduce your test results righ= t >> away. > > 2 possible theories: > 1. We are not integrating with ConsoleKit and/or logind properly. > (Although it appears that our integration with logind is better, since > Fedora 20 works better than CentOS 6.) On Debian systems all is handled via the /etc/X11/Xsession.d directory. For RHEL et al I see this in the /etc/x2go/Xsession script: """ CK_XINIT_SESSION=3D if [ -x /usr/bin/ck-xinit-session -a -z "$XDG_SESSION_COOKIE" ]; t= hen CK_XINIT_SESSION=3D"/usr/bin/ck-xinit-session" fi # At the time of integrating X2Go Xsession support for RHEL6 / Fed= ora # the Xsession stuff in Fedora/RHEL6 seems to be a little mess. # The proposed strategy is to have Xclients.$WM.sh files in # /etc/X11/xinit/Xclients.d. Currently, only wmx uses this mechani= sm. # As it is a described but rather unused ,,standard'' we will=20= =20 not=20support it # in X2Go for now, but leave it here as a reminder... # XCLIENTS_D=3D/etc/x2go/Xclients.d #if [ -d "$XCLIENTS_D" -a -x=20=20 "$XCLIENTS_D/Xclients.${XSESSION_EXEC}.sh"=20]; then # exec -l $SHELL -c "$CK_XINIT_SESSION $SSH_AGENT=20=20 $XCLIENTS_D/Xclients.$1.sh" =20 #fi # switchdesk support is also totally deprecated in RHEL, but=20=20 we=20leave it here # as a reminder, as well, in case we need it in the future=20=20 for=20special setups... #if [ -x "$SWITCHDESKPATH/Xclients.${XSESSION_EXEC}" ]; then # exec -l "$SHELL" -c=20=20 "$SWITCHDESKPATH/Xclients.${XSESSION_EXEC}"; =20 #fi exec $CK_XINIT_SESSION $SSH_AGENT /bin/sh -c "exec -l $SHELL=20=20 -c=20\"$STARTUP\"" """ It has been derived from the X11 session startup on SL6. Maybe we need=20= =20 to=20tweak this CK_XINIT_SESSION variable and change over to using=20=20 ck-launch-session=20here. Maybe this is hint enough for you to play with this some more.?... > 2. We have issues with the polcykit authentication windows not being > permitted to show up. > > I think that there is different behavior when using XDMCP. I'll double > check after work. Ok. Any results? > Also, Red Hat has some KB articles on this subject. I noticed them > after I bought a RHEL subscription for home. I'll look over them > again, and update this bug with any relevant info. > >> Any hint, if this issues also occurs on Debian? > > I can test this with VMs. I've already created some Debian VMs for > compatibility testing with X2Go. Which of the 3 releases (squeeze, > wheezy and jessie) should I test? Squeeze is similar to CentOS 6 in > terms of versions of packages like ConsoleKit. squeeze has CK and GNOMEv2, wheezy has CK and XFCE or GNOMEv3... jessie has systemd and MATE, GNOMEv3, etc. So I guess, you should stick with wheezy for CK testing and use jessie=20= =20 for=20systemd testing. Mike#1 --=20 DAS-NETZWERKTEAM mike=20gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x= fb --=_OOvMBLIgf6hKKypbDWT2XQ1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJT97ZgAAoJEJr0azAldxsxVAgQALMbGnhMBSgd8ShcL4zHRrCR 1R6ySAaj6CBvbSyiNSy0jkiaLVjNMfeKEs84fy1U4PZ59zoB7TopsRNt+Gu3GpvI VYQafLOgD4CqZcFB8Hgly/U6p9Bhf/Y89Kxy66vLyYNlJDFWNkwHPh7qRU1vLnNp WYpZvjS/PA+SAS/M+7tkQNA2b9z0jQT9S7MZLLlMkOSUMF2392njNMPxXB6gJtui xaGNVT5ta/igqrJq8Spf/qhEHGnfHxFzCIuPGjkYB2cdDjHqVaQVzCX7dYwKwrg+ frLmMORwgq38jsXQA93ERNNYwDbk44tKORlT/tFwFhTWJ7x9YZCZ+oIHj4CqTAAZ 00iJiYYo6gGkcGtucyO6iF0OmsxLaVwqPHCNNxgUsfaA2nNKgWmqcgnOy5SHiluR 5qHue+gQK8GPQo8mfa1GSgx9OoMxu4rx9xn7MkSj1Wob7ED1FMDaZvFwcQY+uohR TL11njwxuvhxAr9nSntAN/HdVpCnsK71l1zHp+t25STok7UtOR/SUocERMeZTlxP JVa9Vh/Md+XOuVFMC1IjkBzcH9ogGycfyozdAdOToXIMPrbesHDSUSsHDxzkhW2P fZA8+EEp/clMJNjMvYB3OZr1OR2t3tENI95SgToV5ZZ62tf+nYoKHHKhPiDEsNKQ RBSipR6M7kiTsEjIgyzB =9xTX -----END PGP SIGNATURE----- --=_OOvMBLIgf6hKKypbDWT2XQ1-- From mike.gabriel@das-netzwerkteam.de Fri Aug 22 23:33:40 2014 Received: (at 459) by bugs.x2go.org; 22 Aug 2014 21:33:41 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 0BCD45DCA9 for <459@bugs.x2go.org>; Fri, 22 Aug 2014 23:33:40 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 1C2141EFC; Fri, 22 Aug 2014 23:33:38 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 67C723BBE6; Fri, 22 Aug 2014 23:33:39 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pe3KzOzd02EI; Fri, 22 Aug 2014 23:33:39 +0200 (CEST) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id 26B083BBE5; Fri, 22 Aug 2014 23:33:39 +0200 (CEST) Received: from p5B3B9266.dip0.t-ipconnect.de (p5B3B9266.dip0.t-ipconnect.de [91.59.146.102]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Fri, 22 Aug 2014 21:33:39 +0000 Date: Fri, 22 Aug 2014 21:33:39 +0000 Message-ID: <20140822213339.Horde.0FGVLxzv6cUhXSZqYYA9vw1@mail.das-netzwerkteam.de> From: Mike Gabriel To: Michael DePaulo Cc: 459@bugs.x2go.org Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails References: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de> In-Reply-To: User-Agent: Internet Messaging Program (IMP) H5 (6.2.0) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 91.59.146.102 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.0 Content-Type: multipart/signed; boundary="=_uTBSffVbA4jZeChpfMyH3g1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_uTBSffVbA4jZeChpfMyH3g1 Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mi 20 Aug 2014 16:14:34 CEST, Michael DePaulo wrote: > On Wed, Aug 20, 2014 at 10:04 AM, Michael DePaulo=20=20 >=20 wrote: >> On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel >> wrote: >>> Hi Michael, >>> >>> >>> On So 23 M=C3=A4r 2014 17:25:58 CET, Michael DePaulo wrote: >>> >>>> [...] >>> >>> >>> I just fixed #458 by exporting $XAUTHORITY in x2goruncommand. >> >> Thank you :) >> >>> Do you have any clue what this issue may be related to? As I don't have= any >>> of the failing apps on Debian, I cannot reproduce your test results rig= ht >>> away. >> >> 2 possible theories: >> 1. We are not integrating with ConsoleKit and/or logind properly. >> (Although it appears that our integration with logind is better, since >> Fedora 20 works better than CentOS 6.) >> 2. We have issues with the polcykit authentication windows not being >> permitted to show up. >> > A 3rd possible theory: > 3. PolicyKit policies are blocking certain actions from happening over > any sort of remote session. PolicyKit refers to local sessions as > "Active" and remote sessions as "Inactive". > It appears that the X11RDP project has run into this problem: > http://scarygliders.net/2012/06/20/a-brief-guide-to-policykit/ > http://scarygliders.net/category/policykit/ > I stumbled over this the other day, when I was going through these=20=20 polkit=20bugs, myself. We don't want X2Go sessions to be "active=3DTRUE" and neither do we want=20= =20 them=20to be local. Sessions are marked as active and local sessions if the user is really=20= =20 sitting=20in front of a machine. Those session will accept USB=20=20 flashdrives=20when they are plugged into the workstation. We want that=20= =20 with=20local X.org sessions, but not in X2Go sessions. Greets, Mike --=20 DAS-NETZWERKTEAM mike=20gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x= fb --=_uTBSffVbA4jZeChpfMyH3g1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJT97czAAoJEJr0azAldxsxzGIQAIfyFdVr4k/rVo809nbkT69F J1/NC1PK0czc+El+NgZB1j9YQoUlugbKDASg34BwIDGwCBCUP8RPq+COBdq2Zs8A yd3PegYyF5KhnahJvbdB7x6lgSc4yZDEjyI4LtFfZ6RdbffR/aTLTifdoXVbbcei IabywH5t1wqG4tOi2qRD7oB4pXbip5QHunnOr4hC46qQyAOk697wYgDgNthL3pqd nEK1oD7o7OpvXSKnMBUOI6s2+pGNDbAedhto6ukRtEd8P/1LcrnFrYiy0UWeM5mx xQWTWr5xfF2jnd+e+t1PWrwkRmI4FgCCaKPM5xyb+dXme4dHF6HY+NHIWmEAtP3F XaFginYzyyNzWnooQB/1g4GqtVZON1dEFgv8zrn7y25KvEvGFbCsjIMjix1msd3K NRO+jPpSfsvJ6jM8ttKt49VCG7X4bBJHDoWQ1Qt9oWQogpdHYiJDGYrLTrgRiK2c 2vKwxGmZ+yB0ThP/I1j81mujuzFe2YyFz3WJiAfPCkWaFKykEN8+Tl/EHCOgiJi0 2HRVORPmVIUH6KH298NDKr58V55kvY3x7VA9qqNEr7PNipoMlCqn/YWWXo9bvmR6 xne8iDCot/hdLBCO2U41poI6JvBC2uXuqhswaPYdmksmA7TYEBhrfX1j1ZofSNLP d1KZz6eVU/qouCNYBnda =FkJw -----END PGP SIGNATURE----- --=_uTBSffVbA4jZeChpfMyH3g1--