X2Go Bug report logs - #459
PolicyKit authentication within apps often fails

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Michael DePaulo <mikedep333@gmail.com>

Date: Sun, 23 Mar 2014 16:30:02 UTC

Severity: normal

Found in version 4.0.1.13

Full log


Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#459; Package x2goserver. (Sun, 23 Mar 2014 16:30:02 GMT) (full text, mbox, link).


Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sun, 23 Mar 2014 16:30:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

Received: (at submit) by bugs.x2go.org; 23 Mar 2014 16:26:00 +0000
From mikedep333@gmail.com  Sun Mar 23 17:25:59 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_05,FREEMAIL_FROM,
	T_DKIM_INVALID,URIBL_BLOCKED autolearn=ham version=3.3.2
Received: from mail-wg0-f51.google.com (mail-wg0-f51.google.com [74.125.82.51])
	by ymir (Postfix) with ESMTPS id 3DFAD5DB11
	for <submit@bugs.x2go.org>; Sun, 23 Mar 2014 17:25:59 +0100 (CET)
Received: by mail-wg0-f51.google.com with SMTP id k14so2779241wgh.34
        for <submit@bugs.x2go.org>; Sun, 23 Mar 2014 09:25:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=08xu99wyhjitU57D7Clbca+IRH81ajBJGPWr4ds36C8=;
        b=YE52g6LAMJQmZV836DtfidPzBPBarbmlRLpXSTU+CaPOwFXMuiIi5L3T52es13jngy
         uEHcWtK5uCKPlU5v3n3KUo19g8vg/YMya47xwlOTRw/QjPeY53NZfLInziHQvM2ZleQF
         vNvESRqTHCGjmAitsKRYFLQV6YihEe7uNk8xQS6kN0V27tM/+JRrlnPNt4dDEhlP+zJV
         Jk9AypNdTfzNZKATeJHAu1nh6smXheefi0XzoAGb9Rs/17Jnu/SrAILMF/0M40mI46K9
         Us5Q4vKSK/BZ1aY7zIS9zM8Trj3W3Uow/UWVFnIOQ++jERJFX/s6mmKwuYbtn66oo38U
         uInA==
MIME-Version: 1.0
X-Received: by 10.180.91.164 with SMTP id cf4mr10354784wib.37.1395591958716;
 Sun, 23 Mar 2014 09:25:58 -0700 (PDT)
Received: by 10.181.11.130 with HTTP; Sun, 23 Mar 2014 09:25:58 -0700 (PDT)
Date: Sun, 23 Mar 2014 12:25:58 -0400
Message-ID: <CAMKht8hxORsAXk32K=9ruNpF-PYWLUeyVvWqyeMsZhhb4uTWEQ@mail.gmail.com>
Subject: PolicyKit authentication within apps often fails
From: Michael DePaulo <mikedep333@gmail.com>
To: submit@bugs.x2go.org
Content-Type: text/plain; charset=ISO-8859-1
Package: x2goserver
Version: 4.0.1.13

Notes:

1. I am not sure if this is a bug in x2goserver, x2goserver-xsession,
or in nx-libs.

2. PolicyKit depends on ConsoleKit (and on systemd-logind in
newer distros.)

3. The behavior seems to be distro-specific and/or app-specific.

4. This bug report differs from 458 because PolicyKit authentication
is being called within an app, not when launching the app. This is
part of the PolilcyKit architecture: The apps run unprivileged and
rely on PolicyKit in order to speak to privileged processes that do
the actual task. For example, in test case 2, gpk-application is
launched unprivileged. It uses PolicyKit to speak to the PackageKit
backend, and the PackageKit backend does the package install.

Test system:
Fedora 20 64-bit
MATE Desktop 1.6.2.1.fc20 - used for all 3 test cases
x2goserver 4.0.1.13.2.fc20
x2goserver-xsession 4.0.1.13.2.fc20
nxlibs 3.5.0.22.1-fc20
(This distro uses logind)
(/usr/libexec/polkit-mate-authentication-agent-1 is launched
automatically when I login over X2Go. This distro is not affected by
bug 457)

Test Case 1:
Steps:
1. Launch yumex (from start menu or from console)
2. Switch to the yumex's "history" tab on the left..

Expected result:
A policykit authentication window opens up, I select a user to
authenticate as (myself or root), enter my password, and then the
history is populated within yumex.

Here is an image of that policykit authentication window:
http://imgur.com/JUZTBHo

Actual result:
The authentication window does not open up and the history is no
populated. Instead, I get an error message windows. When I click
"Close" on the window, yumex closes.

Error message:
Fatal Error: polkit-not-authorized

Could not get polkit autherisation to start backend

Yum Extender will terminate

Here's an image of the error message window
http://imgur.com/ABYETM0

From the command-line, I can see this output when I select the history tab:
15:53:07 : INFO - YUM: Error executing command as another user: Not authorized
15:53:14 : INFO - yum backend process is ended
15:53:14 : INFO - yum backend process is ended

Test Case 2:
Steps:
1. Launch gpk-application (GNOME "Software Install" AKA "Add/Remove Software")
2. Select to install a single package.
3. Click "Apply Changes"

Expected result: A policykit authentication window opens up, I select
a user to authenticate as (myself or root), enter my password, and
then the package is downloaded & installed (over the course of at
least a few seconds), during which a progress bar is displayed.

Screenshot:
http://imgur.com/lLNof08

Actual result:
The authentication window does not open up. The progress bar for the
install completes in about 1 second. The package is not installed.
(Interestingly enough, the package is still selected to be installed,
but the "Apply Changes" and "cancel" button are hidden. This is a bug
in gpk-application, it does not know how to handle policykit having an
error. But this gpk-application bug is besides the point.)

Screenshot:
http://i.imgur.com/28lCZF5.png

Also, the command-line does not show any relevant output.

Test Case 3:
Steps:
1. Launch virt-manager (AKA "Virtual Machine Manager")

This test case actually passes!

Expected & Actual result:
A policykit authentication window opens up, I select a user to
authenticate as (e.g., myself or root), enter my password, and then I
am connected to the local libvirtd instance and see the VMs running.

Screenshot:
http://imgur.com/mZSgdMW

Also, the command-line output does not include any details about
PolicyKit (succeeding.)

Note: Test case 3 fails on CentOS 6.5 64-bit. However, CentOS 6.5
64-bit is affected by bug 457, so that precludes running this test
case.


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#459; Package x2goserver. (Wed, 20 Aug 2014 09:35:01 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 20 Aug 2014 09:35:01 GMT) (full text, mbox, link).


Message #10 received at 459@bugs.x2go.org (full text, mbox, reply):

Received: (at 459) by bugs.x2go.org; 20 Aug 2014 09:31:22 +0000
From mike.gabriel@das-netzwerkteam.de  Wed Aug 20 11:31:17 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 29B0A5DB17
	for <459@bugs.x2go.org>; Wed, 20 Aug 2014 11:31:16 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id C03911F9F;
	Wed, 20 Aug 2014 11:31:15 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 0DF293BBF5;
	Wed, 20 Aug 2014 11:31:16 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id uKpDrQg-HE2D; Wed, 20 Aug 2014 11:31:15 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id B31D63BBF4;
	Wed, 20 Aug 2014 11:31:15 +0200 (CEST)
Received: from m-031.informatik.uni-kiel.de (m-031.informatik.uni-kiel.de
 [134.245.254.31]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP;
 Wed, 20 Aug 2014 09:31:15 +0000
Date: Wed, 20 Aug 2014 09:31:15 +0000
Message-ID: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Michael DePaulo <mikedep333@gmail.com>, 459@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often
 fails
In-Reply-To: <CAMKht8hxORsAXk32K=9ruNpF-PYWLUeyVvWqyeMsZhhb4uTWEQ@mail.gmail.com>
User-Agent: Internet Messaging Program (IMP) H5 (6.2.0)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 134.245.254.31
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
 Firefox/31.0 Iceweasel/31.0
Content-Type: multipart/signed; boundary="=_zcKA2IqlTdpNWRLDTcC5ug1";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
[Message part 1 (text/plain, inline)]
Hi Michael,

On  So 23 Mär 2014 17:25:58 CET, Michael DePaulo wrote:

> Package: x2goserver
> Version: 4.0.1.13
>
> Notes:
>
> 1. I am not sure if this is a bug in x2goserver, x2goserver-xsession,
> or in nx-libs.
>
> 2. PolicyKit depends on ConsoleKit (and on systemd-logind in
> newer distros.)
>
> 3. The behavior seems to be distro-specific and/or app-specific.
>
> 4. This bug report differs from 458 because PolicyKit authentication
> is being called within an app, not when launching the app. This is
> part of the PolilcyKit architecture: The apps run unprivileged and
> rely on PolicyKit in order to speak to privileged processes that do
> the actual task. For example, in test case 2, gpk-application is
> launched unprivileged. It uses PolicyKit to speak to the PackageKit
> backend, and the PackageKit backend does the package install.
>
> Test system:
> Fedora 20 64-bit
> MATE Desktop 1.6.2.1.fc20 - used for all 3 test cases
> x2goserver 4.0.1.13.2.fc20
> x2goserver-xsession 4.0.1.13.2.fc20
> nxlibs 3.5.0.22.1-fc20
> (This distro uses logind)
> (/usr/libexec/polkit-mate-authentication-agent-1 is launched
> automatically when I login over X2Go. This distro is not affected by
> bug 457)
>
> Test Case 1:
> Steps:
> 1. Launch yumex (from start menu or from console)
> 2. Switch to the yumex's "history" tab on the left..
>
> Expected result:
> A policykit authentication window opens up, I select a user to
> authenticate as (myself or root), enter my password, and then the
> history is populated within yumex.
>
> Here is an image of that policykit authentication window:
> http://imgur.com/JUZTBHo
>
> Actual result:
> The authentication window does not open up and the history is no
> populated. Instead, I get an error message windows. When I click
> "Close" on the window, yumex closes.
>
> Error message:
> Fatal Error: polkit-not-authorized
>
> Could not get polkit autherisation to start backend
>
> Yum Extender will terminate
>
> Here's an image of the error message window
> http://imgur.com/ABYETM0
>
> From the command-line, I can see this output when I select the history tab:
> 15:53:07 : INFO - YUM: Error executing command as another user: Not  
> authorized
> 15:53:14 : INFO - yum backend process is ended
> 15:53:14 : INFO - yum backend process is ended
>
> Test Case 2:
> Steps:
> 1. Launch gpk-application (GNOME "Software Install" AKA "Add/Remove  
> Software")
> 2. Select to install a single package.
> 3. Click "Apply Changes"
>
> Expected result: A policykit authentication window opens up, I select
> a user to authenticate as (myself or root), enter my password, and
> then the package is downloaded & installed (over the course of at
> least a few seconds), during which a progress bar is displayed.
>
> Screenshot:
> http://imgur.com/lLNof08
>
> Actual result:
> The authentication window does not open up. The progress bar for the
> install completes in about 1 second. The package is not installed.
> (Interestingly enough, the package is still selected to be installed,
> but the "Apply Changes" and "cancel" button are hidden. This is a bug
> in gpk-application, it does not know how to handle policykit having an
> error. But this gpk-application bug is besides the point.)
>
> Screenshot:
> http://i.imgur.com/28lCZF5.png
>
> Also, the command-line does not show any relevant output.
>
> Test Case 3:
> Steps:
> 1. Launch virt-manager (AKA "Virtual Machine Manager")
>
> This test case actually passes!
>
> Expected & Actual result:
> A policykit authentication window opens up, I select a user to
> authenticate as (e.g., myself or root), enter my password, and then I
> am connected to the local libvirtd instance and see the VMs running.
>
> Screenshot:
> http://imgur.com/mZSgdMW
>
> Also, the command-line output does not include any details about
> PolicyKit (succeeding.)
>
> Note: Test case 3 fails on CentOS 6.5 64-bit. However, CentOS 6.5
> 64-bit is affected by bug 457, so that precludes running this test
> case.

I just fixed #458 by exporting $XAUTHORITY in x2goruncommand.

Do you have any clue what this issue may be related to? As I don't  
have any of the failing apps on Debian, I cannot reproduce your test  
results right away.

Any hint, if this issues also occurs on Debian?

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#459; Package x2goserver. (Wed, 20 Aug 2014 14:05:01 GMT) (full text, mbox, link).


Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 20 Aug 2014 14:05:02 GMT) (full text, mbox, link).


Message #15 received at 459@bugs.x2go.org (full text, mbox, reply):

Received: (at 459) by bugs.x2go.org; 20 Aug 2014 14:04:05 +0000
From mikedep333@gmail.com  Wed Aug 20 16:04:04 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM,
	T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from mail-wg0-f45.google.com (mail-wg0-f45.google.com [74.125.82.45])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id E4B605DB17
	for <459@bugs.x2go.org>; Wed, 20 Aug 2014 16:04:03 +0200 (CEST)
Received: by mail-wg0-f45.google.com with SMTP id x12so7774125wgg.28
        for <459@bugs.x2go.org>; Wed, 20 Aug 2014 07:04:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type:content-transfer-encoding;
        bh=6x6g6tfBloD/y2phK3xVS0o4BpcDPqEvGlABun6NkV0=;
        b=DvenV8CA1XBNqRQuZ/yKgUvw6rKwAqnwMxB68pX6lMSW/4XLjuLzGPH2Rdyax3XmUr
         w7uxEupi3VPfAyzeF3I3XfACGkdKaC4cRIpfVnyCoT6yWo81nWs/qATIND/P+o3VosNR
         DKgyO0dF4iCgxfZULIl5l8TZa27wPIyF4fbrT94Pm+9RNxN7Ki86ajIj1IWC/kDDhrv/
         YB419h/j5TY30IHQpVvGmPm9EB7ldKgsaIm5jENihYpuHEd766rPpQr4Cl0EGFljDXN0
         MkBtPTiWjaefgA6jzgeAEwUzPp8ViJJcYP2Js6IAKQ8PYQvPNEcl15+Q8LhkiudhM5zZ
         WJKg==
MIME-Version: 1.0
X-Received: by 10.180.186.3 with SMTP id fg3mr15195285wic.78.1408543443231;
 Wed, 20 Aug 2014 07:04:03 -0700 (PDT)
Received: by 10.180.238.66 with HTTP; Wed, 20 Aug 2014 07:04:03 -0700 (PDT)
In-Reply-To: <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de>
References: <CAMKht8hxORsAXk32K=9ruNpF-PYWLUeyVvWqyeMsZhhb4uTWEQ@mail.gmail.com>
	<20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de>
Date: Wed, 20 Aug 2014 10:04:03 -0400
Message-ID: <CAMKht8jYno1FNzfcmmo29SMHO4fx6e78Q+zOLnbky0Sv5qtE-A@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails
From: Michael DePaulo <mikedep333@gmail.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 459@bugs.x2go.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel
<mike.gabriel@das-netzwerkteam.de> wrote:
> Hi Michael,
>
>
> On  So 23 Mär 2014 17:25:58 CET, Michael DePaulo wrote:
>
>>[...]
>
>
> I just fixed #458 by exporting $XAUTHORITY in x2goruncommand.

Thank you :)

> Do you have any clue what this issue may be related to? As I don't have any
> of the failing apps on Debian, I cannot reproduce your test results right
> away.

2 possible theories:
1. We are not integrating with ConsoleKit and/or logind properly.
(Although it appears that our integration with logind is better, since
Fedora 20 works better than CentOS 6.)
2. We have issues with the polcykit authentication windows not being
permitted to show up.

I think that there is different behavior when using XDMCP. I'll double
check after work.

Also, Red Hat has some KB articles on this subject. I noticed them
after I bought a RHEL subscription for home. I'll look over them
again, and update this bug with any relevant info.

> Any hint, if this issues also occurs on Debian?

I can test this with VMs. I've already created some Debian VMs for
compatibility testing with X2Go. Which of the 3 releases (squeeze,
wheezy and jessie) should I test? Squeeze is similar to CentOS 6 in
terms of versions of packages like ConsoleKit.

> Mike
[...]


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#459; Package x2goserver. (Wed, 20 Aug 2014 14:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 20 Aug 2014 14:15:02 GMT) (full text, mbox, link).


Message #20 received at 459@bugs.x2go.org (full text, mbox, reply):

Received: (at 459) by bugs.x2go.org; 20 Aug 2014 14:14:36 +0000
From mikedep333@gmail.com  Wed Aug 20 16:14:35 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM,
	T_DKIM_INVALID autolearn=ham version=3.3.2
Received: from mail-we0-f180.google.com (mail-we0-f180.google.com [74.125.82.180])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id D8F085DB17
	for <459@bugs.x2go.org>; Wed, 20 Aug 2014 16:14:34 +0200 (CEST)
Received: by mail-we0-f180.google.com with SMTP id w61so7924110wes.39
        for <459@bugs.x2go.org>; Wed, 20 Aug 2014 07:14:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        bh=ya7C/nxeb40z7wnyRDn8iIcuIFzOs067jtxwDipCD44=;
        b=kh/TXGTukUycIRYvSb4/Wao34QLL55Df7gmnQxNEVS1PZ8h/tbVNdsRxUdCbJiZ3n3
         AYJz3y18GflYuaPIAtwmbrY23Rn2imL1M7E4GphqmxoIlq5k7XiGTUJYHbI1IRXCnEaB
         jDqF2kAmK9nSmWKsOez8KASoQs1hPtgfyu8rgso0qjTu1cqmUVePAXpxJxDUvdREOKQ2
         oGd6BCcV9hxasCVk6/NbRsApW4MhIhALsGVd5wGGg1H805cmF1dXjb16SOU4HvTqjQZG
         ZcVjYYPLQUm47+xkWk5DgndudVj0LKoKyZYHtfAr7ueVr8G/ZivNxUGxukD2Tg7yYhbE
         r+Iw==
MIME-Version: 1.0
X-Received: by 10.180.85.136 with SMTP id h8mr15498348wiz.67.1408544074598;
 Wed, 20 Aug 2014 07:14:34 -0700 (PDT)
Received: by 10.180.238.66 with HTTP; Wed, 20 Aug 2014 07:14:34 -0700 (PDT)
In-Reply-To: <CAMKht8jYno1FNzfcmmo29SMHO4fx6e78Q+zOLnbky0Sv5qtE-A@mail.gmail.com>
References: <CAMKht8hxORsAXk32K=9ruNpF-PYWLUeyVvWqyeMsZhhb4uTWEQ@mail.gmail.com>
	<20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de>
	<CAMKht8jYno1FNzfcmmo29SMHO4fx6e78Q+zOLnbky0Sv5qtE-A@mail.gmail.com>
Date: Wed, 20 Aug 2014 10:14:34 -0400
Message-ID: <CAMKht8gOyOr8_-DNtwXPXZfNuweG7EQ4NLc2Cnuv8BOPZCQ4Qg@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often fails
From: Michael DePaulo <mikedep333@gmail.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 459@bugs.x2go.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
On Wed, Aug 20, 2014 at 10:04 AM, Michael DePaulo <mikedep333@gmail.com> wrote:
> On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel
> <mike.gabriel@das-netzwerkteam.de> wrote:
>> Hi Michael,
>>
>>
>> On  So 23 Mär 2014 17:25:58 CET, Michael DePaulo wrote:
>>
>>>[...]
>>
>>
>> I just fixed #458 by exporting $XAUTHORITY in x2goruncommand.
>
> Thank you :)
>
>> Do you have any clue what this issue may be related to? As I don't have any
>> of the failing apps on Debian, I cannot reproduce your test results right
>> away.
>
> 2 possible theories:
> 1. We are not integrating with ConsoleKit and/or logind properly.
> (Although it appears that our integration with logind is better, since
> Fedora 20 works better than CentOS 6.)
> 2. We have issues with the polcykit authentication windows not being
> permitted to show up.
>
A 3rd possible theory:
3. PolicyKit policies are blocking certain actions from happening over
any sort of remote session. PolicyKit refers to local sessions as
"Active" and remote sessions as "Inactive".
It appears that the X11RDP project has run into this problem:
http://scarygliders.net/2012/06/20/a-brief-guide-to-policykit/
http://scarygliders.net/category/policykit/

> I think that there is different behavior when using XDMCP. I'll double
> check after work.
>
> Also, Red Hat has some KB articles on this subject. I noticed them
> after I bought a RHEL subscription for home. I'll look over them
> again, and update this bug with any relevant info.
>
>> Any hint, if this issues also occurs on Debian?
>
> I can test this with VMs. I've already created some Debian VMs for
> compatibility testing with X2Go. Which of the 3 releases (squeeze,
> wheezy and jessie) should I test? Squeeze is similar to CentOS 6 in
> terms of versions of packages like ConsoleKit.
>
>> Mike
> [...]


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#459; Package x2goserver. (Fri, 22 Aug 2014 21:35:01 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 22 Aug 2014 21:35:01 GMT) (full text, mbox, link).


Message #25 received at 459@bugs.x2go.org (full text, mbox, reply):

Received: (at 459) by bugs.x2go.org; 22 Aug 2014 21:30:12 +0000
From mike.gabriel@das-netzwerkteam.de  Fri Aug 22 23:30:10 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 770815DCA9
	for <459@bugs.x2go.org>; Fri, 22 Aug 2014 23:30:10 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 5BDF31EFC;
	Fri, 22 Aug 2014 23:30:09 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 39ED83BBE6;
	Fri, 22 Aug 2014 23:30:09 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id lwZudyZFoKcC; Fri, 22 Aug 2014 23:30:09 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id EC7A13BBE5;
	Fri, 22 Aug 2014 23:30:08 +0200 (CEST)
Received: from p5B3B9266.dip0.t-ipconnect.de (p5B3B9266.dip0.t-ipconnect.de
 [91.59.146.102]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP;
 Fri, 22 Aug 2014 21:30:08 +0000
Date: Fri, 22 Aug 2014 21:30:08 +0000
Message-ID: <20140822213008.Horde.R6akvt34g-EHKCIUuyh_tQ1@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Michael DePaulo <mikedep333@gmail.com>
Cc: 459@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often
 fails
References: <CAMKht8hxORsAXk32K=9ruNpF-PYWLUeyVvWqyeMsZhhb4uTWEQ@mail.gmail.com>
 <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de>
 <CAMKht8jYno1FNzfcmmo29SMHO4fx6e78Q+zOLnbky0Sv5qtE-A@mail.gmail.com>
In-Reply-To: <CAMKht8jYno1FNzfcmmo29SMHO4fx6e78Q+zOLnbky0Sv5qtE-A@mail.gmail.com>
User-Agent: Internet Messaging Program (IMP) H5 (6.2.0)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 91.59.146.102
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
 Firefox/31.0 Iceweasel/31.0
Content-Type: multipart/signed; boundary="=_OOvMBLIgf6hKKypbDWT2XQ1";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
[Message part 1 (text/plain, inline)]
On  Mi 20 Aug 2014 16:04:03 CEST, Michael DePaulo wrote:

> On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel
> <mike.gabriel@das-netzwerkteam.de> wrote:
>> Hi Michael,
>>
>>
>> On  So 23 Mär 2014 17:25:58 CET, Michael DePaulo wrote:
>>
>>> [...]
>>
>>
>> I just fixed #458 by exporting $XAUTHORITY in x2goruncommand.
>
> Thank you :)
>
>> Do you have any clue what this issue may be related to? As I don't have any
>> of the failing apps on Debian, I cannot reproduce your test results right
>> away.
>
> 2 possible theories:
> 1. We are not integrating with ConsoleKit and/or logind properly.
> (Although it appears that our integration with logind is better, since
> Fedora 20 works better than CentOS 6.)

On Debian systems all is handled via the /etc/X11/Xsession.d directory.

For RHEL et al I see this in the /etc/x2go/Xsession script:

"""
        CK_XINIT_SESSION=
        if [ -x /usr/bin/ck-xinit-session -a -z "$XDG_SESSION_COOKIE" ]; then
                CK_XINIT_SESSION="/usr/bin/ck-xinit-session"
        fi

        # At the time of integrating X2Go Xsession support for RHEL6 / Fedora
        # the Xsession stuff in Fedora/RHEL6 seems to be a little mess.
        # The proposed strategy is to have Xclients.$WM.sh files in
        # /etc/X11/xinit/Xclients.d. Currently, only wmx uses this mechanism.
        # As it is a described but rather unused ,,standard'' we will  
not support it
        # in X2Go for now, but leave it here as a reminder...

        # XCLIENTS_D=/etc/x2go/Xclients.d
        #if [ -d "$XCLIENTS_D" -a -x  
"$XCLIENTS_D/Xclients.${XSESSION_EXEC}.sh" ]; then
        #       exec -l $SHELL -c "$CK_XINIT_SESSION $SSH_AGENT  
$XCLIENTS_D/Xclients.$1.sh"
        #fi

        # switchdesk support is also totally deprecated in RHEL, but  
we leave it here
        # as a reminder, as well, in case we need it in the future  
for special setups...
        #if [ -x "$SWITCHDESKPATH/Xclients.${XSESSION_EXEC}" ]; then
        #       exec -l "$SHELL" -c  
"$SWITCHDESKPATH/Xclients.${XSESSION_EXEC}";
        #fi

        exec $CK_XINIT_SESSION $SSH_AGENT /bin/sh -c "exec -l $SHELL  
-c \"$STARTUP\""
"""

It has been derived from the X11 session startup on SL6. Maybe we need  
to tweak this CK_XINIT_SESSION variable and change over to using  
ck-launch-session here.

Maybe this is hint enough for you to play with this some more.?...

> 2. We have issues with the polcykit authentication windows not being
> permitted to show up.
>
> I think that there is different behavior when using XDMCP. I'll double
> check after work.

Ok. Any results?

> Also, Red Hat has some KB articles on this subject. I noticed them
> after I bought a RHEL subscription for home. I'll look over them
> again, and update this bug with any relevant info.
>
>> Any hint, if this issues also occurs on Debian?
>
> I can test this with VMs. I've already created some Debian VMs for
> compatibility testing with X2Go. Which of the 3 releases (squeeze,
> wheezy and jessie) should I test? Squeeze is similar to CentOS 6 in
> terms of versions of packages like ConsoleKit.

squeeze has CK and GNOMEv2, wheezy has CK and XFCE or GNOMEv3...
jessie has systemd and MATE, GNOMEv3, etc.

So I guess, you should stick with wheezy for CK testing and use jessie  
for systemd testing.

Mike#1

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#459; Package x2goserver. (Fri, 22 Aug 2014 21:35:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 22 Aug 2014 21:35:02 GMT) (full text, mbox, link).


Message #30 received at 459@bugs.x2go.org (full text, mbox, reply):

Received: (at 459) by bugs.x2go.org; 22 Aug 2014 21:33:41 +0000
From mike.gabriel@das-netzwerkteam.de  Fri Aug 22 23:33:40 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 0BCD45DCA9
	for <459@bugs.x2go.org>; Fri, 22 Aug 2014 23:33:40 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 1C2141EFC;
	Fri, 22 Aug 2014 23:33:38 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 67C723BBE6;
	Fri, 22 Aug 2014 23:33:39 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id pe3KzOzd02EI; Fri, 22 Aug 2014 23:33:39 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id 26B083BBE5;
	Fri, 22 Aug 2014 23:33:39 +0200 (CEST)
Received: from p5B3B9266.dip0.t-ipconnect.de (p5B3B9266.dip0.t-ipconnect.de
 [91.59.146.102]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP;
 Fri, 22 Aug 2014 21:33:39 +0000
Date: Fri, 22 Aug 2014 21:33:39 +0000
Message-ID: <20140822213339.Horde.0FGVLxzv6cUhXSZqYYA9vw1@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Michael DePaulo <mikedep333@gmail.com>
Cc: 459@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#459: PolicyKit authentication within apps often
 fails
References: <CAMKht8hxORsAXk32K=9ruNpF-PYWLUeyVvWqyeMsZhhb4uTWEQ@mail.gmail.com>
 <20140820093115.Horde.TjoWeWlTUbpPl3j2vDFNFw1@mail.das-netzwerkteam.de>
 <CAMKht8jYno1FNzfcmmo29SMHO4fx6e78Q+zOLnbky0Sv5qtE-A@mail.gmail.com>
 <CAMKht8gOyOr8_-DNtwXPXZfNuweG7EQ4NLc2Cnuv8BOPZCQ4Qg@mail.gmail.com>
In-Reply-To: <CAMKht8gOyOr8_-DNtwXPXZfNuweG7EQ4NLc2Cnuv8BOPZCQ4Qg@mail.gmail.com>
User-Agent: Internet Messaging Program (IMP) H5 (6.2.0)
Accept-Language: en,de
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 91.59.146.102
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
 Firefox/31.0 Iceweasel/31.0
Content-Type: multipart/signed; boundary="=_uTBSffVbA4jZeChpfMyH3g1";
 protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
[Message part 1 (text/plain, inline)]
On  Mi 20 Aug 2014 16:14:34 CEST, Michael DePaulo wrote:

> On Wed, Aug 20, 2014 at 10:04 AM, Michael DePaulo  
> <mikedep333@gmail.com> wrote:
>> On Wed, Aug 20, 2014 at 5:31 AM, Mike Gabriel
>> <mike.gabriel@das-netzwerkteam.de> wrote:
>>> Hi Michael,
>>>
>>>
>>> On  So 23 Mär 2014 17:25:58 CET, Michael DePaulo wrote:
>>>
>>>> [...]
>>>
>>>
>>> I just fixed #458 by exporting $XAUTHORITY in x2goruncommand.
>>
>> Thank you :)
>>
>>> Do you have any clue what this issue may be related to? As I don't have any
>>> of the failing apps on Debian, I cannot reproduce your test results right
>>> away.
>>
>> 2 possible theories:
>> 1. We are not integrating with ConsoleKit and/or logind properly.
>> (Although it appears that our integration with logind is better, since
>> Fedora 20 works better than CentOS 6.)
>> 2. We have issues with the polcykit authentication windows not being
>> permitted to show up.
>>
> A 3rd possible theory:
> 3. PolicyKit policies are blocking certain actions from happening over
> any sort of remote session. PolicyKit refers to local sessions as
> "Active" and remote sessions as "Inactive".
> It appears that the X11RDP project has run into this problem:
> http://scarygliders.net/2012/06/20/a-brief-guide-to-policykit/
> http://scarygliders.net/category/policykit/
>

I stumbled over this the other day, when I was going through these  
polkit bugs, myself.

We don't want X2Go sessions to be "active=TRUE" and neither do we want  
them to be local.

Sessions are marked as active and local sessions if the user is really  
sitting in front of a machine. Those session will accept USB  
flashdrives when they are plugged into the workstation. We want that  
with local X.org sessions, but not in X2Go sessions.

Greets,
Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#459; Package x2goserver. (Sat, 04 Mar 2017 15:55:07 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Oct 15 01:25:48 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.