[SOLVED] Plasma doesn't ask for root|sudo password on vncserver

SanskritFritz · 2019-02-01 11:31:55

I have a virtual machine on a VMware server, with Archlinux and KDE Plasma installed.
Plasma is started via .vnc/xtartup:

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
startkde

Vncserver is started via systemd at boot because

loginctl enable-linger sans

sans@SansVM ~> systemctl --user status vncserver@:1 
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/usr/lib/systemd/user/vncserver@.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-01-31 01:02:54 CET; 14h ago
   CGroup: /user.slice/user-1000.slice/user@1000.service/vncserver.slice/vncserver@:1.service
           ├─  485 /usr/bin/dbus-daemon --syslog --fork --print-pid 4 --print-address 6 --session
           ├─  493 /usr/bin/Xvnc :1 -auth /home/sans/.Xauthority -desktop SansVM:1 (sans) -geometry 1024x768 -httpd /usr/share/vnc/classes -pn -rf>
           ├─  504 /bin/sh /usr/bin/startkde
           ├─  538 /usr/lib/kf5/start_kdeinit --kded +kcminit_startup
           ├─  539 kdeinit5: Running...
           ...

My problem is that system settings does not ask for root|sudo password when needed. For example I want to disable a font, I press the disable button and I get an error message saying "Authentication failed". When staring systemsettings5 from the terminal, this is the output:

1548945414 Call  "toggle"  on helper
kauth action failed "" ""

I also noticed that /usr/lib/polkit-kde-authentication-agent-1 is not running in this session.

The same problem arises when I disable the service and start vncserver manually in an ssh session.

However, password prompt works just fine if I first login on the VMware console and start vncserver from there either by simply entering vncserver or by the same "systemctl --user start vncserver@:1" command. polkit-kde-authentication-agent-1 gets started just fine.

From this I suspected that either d-bus or polkit is to blame. So I tried the following changes (none of these fixed my problem):
1 I deleted the unset ... lines from xstartup
2 Tried "exec startkde" "exec startkde &" "startkde &" in xstartup
3 Modified the service file through systemctl edit: [Service] Type=d-bus
4 Modified the service file through systemctl edit: [Service] ExecStartPre=/bin/dbus-launch
5 Started /usr/lib/polkit-kde-authentication-agent-1 manually

So it looks like some user initialisation steps are missing when vncserver is started at boot or via ssh login.
Could you please help me with this.

UPDATE:
Interestingly in the working scenario described in bold above, the moment I log off from the VMware console, leaving the service running of course, the error reappears! So it only works when I stay logged in from the console. I tried it also the other way around, namely rebooted with the --user service enabled, connected via vncclient, and then logged in on the VMware console, but that didn't work.
I also tried the method described in https://wiki.archlinux.org/index.php/Vnc#System_mode but it gave no cure.

UPDATE2:
Contrary to try Nr.5, starting /usr/lib/polkit-kde-authentication-agent-1 actually sometimes worked (not always, I don't know why) if I was also logged in on the VMware console. When I log out on the console, the error reappears.

UPDATE3:
This thread gave me the idea to modify the file /usr/share/polkit-1/actions/org.kde.fontinst.policy:

<allow_any>auth_admin_keep</allow_any>

Now when I start /usr/lib/polkit-kde-authentication-agent-1 manually, the password prompt appears in the system settings font management module.

Last edited by SanskritFritz (2022-01-16 14:14:22)

SanskritFritz · 2019-02-02 20:20:10

OK after lots of RTFM about policykit I found what the problem is.

There are actually two problems:

1. When I remotely login, the system categorises me as "inactive" from polkit viewpoint anyway. That means polkit rules prohibit the password prompt for vnc sessions. I was able to solve this with a similar rule to this: https://wiki.archlinux.org/index.php/Po … ord_prompt

2. Somehow /usr/lib/polkit-kde-authentication-agent-1 cannot be started at startup, journalctl says:

Feb 02 20:18:44 SansVM polkit-kde-authentication-agent-1[643]: New PolkitAgentListener  0x56511388caa0
Feb 02 20:18:44 SansVM polkit-kde-authentication-agent-1[643]: Adding new listener  PolkitQt1::Agent::Listener(0x7f7254013ca0) for  0x56511388caa0
Feb 02 20:18:44 SansVM polkit-kde-authentication-agent-1[643]: Listener online
Feb 02 20:18:44 SansVM polkit-kde-authentication-agent-1[643]: "Cannot create unix session: No session for pid 643"
Feb 02 20:18:44 SansVM polkit-kde-authentication-agent-1[643]: "Cannot register authentication agent!"
Feb 02 20:18:44 SansVM polkit-kde-authentication-agent-1[643]: Authentication agent result: false
Feb 02 20:18:44 SansVM polkit-kde-authentication-agent-1[643]: Couldn't register listener!

I can manually start the agent from console and it does work well with the new rule.

But I don't know why it fails at startup.

Arch Linux

#1 2019-02-01 11:31:55

[SOLVED] Plasma doesn't ask for root|sudo password on vncserver

#2 2019-02-02 20:20:10

Re: [SOLVED] Plasma doesn't ask for root|sudo password on vncserver

Board footer