I've recently updated my Arch Linux system, and after the update the KDE plasma-powerdevil daemon stopped working. I found that the reason it's not working is that it's actually a problem with the polkitd daemon, which doesn't start properly. While trying to find out why it's not working, I encountered this error:
[root@succubus ~]# sudo -u polkitd -g polkitd /usr/lib/polkit-1/polkitd -r
Error switching to user polkitd: Error clearing groups: Operation not permitted

According to the source code (https://fossies.org/linux/polkit/src/po … /polkitd.c), "Error clearing groups" is printed if setgroups(0, NULL) returns failure, which is what seems to be happening (verified by strace):
geteuid() = 102
getuid() = 102
getegid() = 976
setgroups(0, NULL) = -1 EPERM (Operation not permitted)

According to "man 2 setgroups", the EPERM error code is returned when:
EPERM The calling process has insufficient privilege (the caller does not have the CAP_SETGID capability in the user namespace in which it resides).

And indeed, if I set this capability manually and try to restart polkitd, it works properly, and KDE plasma-powerdevil starts properly, allowing me to control the brightness, and everything in theory works.
[root@succubus ~]# setcap cap_setgid=pe /usr/lib/polkit-1/polkitd
[root@succubus ~]# sudo -u polkitd -g polkitd /usr/lib/polkit-1/polkitd
Successfully changed to user polkitd
21:25:14.010: Loading rules from directory /etc/polkit-1/rules.d
21:25:14.010: Loading rules from directory /usr/share/polkit-1/rules.d
21:25:14.012: Finished loading, compiling and executing 12 rules
Entering main event loop
Connected to the system bus
21:25:14.013: Acquired the name org.freedesktop.PolicyKit1 on the system bus

The problem is that when I now start polkitd using systemctl start polkitd, my manually set capabilities are cleared by systemd, and it doesn't want to start again. So I've modified the polkit.service file by adding this:
[Service]
Type=dbus
BusName=org.freedesktop.PolicyKit1
+ CapabilityBoundingSet=CAP_SETGID
+ AmbientCapabilities=CAP_SETGID
DeviceAllow=/dev/null rw
...

And now polkit starts when I launch it with systemctl start polkit.
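Review bot: the two added lines hand CAP_SETGID to a daemon that systemd already starts as its unprivileged user, widening its privilege so that a failing setgroups(0, NULL) succeeds instead of asking why that call is being made at all. The strace output earlier in the post shows polkitd running with euid 102 but egid 976; if that pair is not the uid/gid polkitd is meant to end up as, the privilege drop is being attempted against a mismatched identity, and that inconsistency, not a missing capability, is what to fix. Note also that CapabilityBoundingSet=CAP_SETGID by itself grants nothing; it is the AmbientCapabilities= line that gives the process the capability, while the bounding-set line now limits the unit to exactly that one.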
But I have a feeling this is not a properly fixed issue. Why doesn't polkit have CAP_SETGID on my system? What could be the core problem here (and the real fix)?
Last edited by bodysativa (2023-08-05 08:05:32)
https://gitlab.freedesktop.org/polkit/p … 549a8d624e looks like the plan was to use systemd to configure the polkit uid and not to attempt to drop privs when already running as the target UID.
id polkitd
id 102
id 976 # id cleverly aborts when /any/ parameter doesn't match a user :rolleyes:
grep -rE '(polkit|102|976)' /etc/passwd /etc/group /{usr/lib,etc}/sysusers.d

Last edited by seth (2023-08-04 20:23:35)
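The hand-run checks above (id, then grep across passwd, group and sysusers.d) can be scripted so the mismatch is reported rather than eyeballed. The following is an added example, not code from this thread, from polkit or from systemd. It takes the passwd, group and sysusers.d paths as parameters; the sample files it creates are constructed here to mirror the output posted later in the thread (passwd saying 102:102, group saying 976), and it only understands the `u` and `m` line types of sysusers.d, treating a bare UID as also the GID per sysusers.d(5).

```shell
#!/bin/sh
# Added example; not code from the thread, polkit or systemd.
# Cross-checks a service account the way the thread did by hand:
#   1. primary gid in passwd vs. the gid of the same-named group in group
#   2. whether that primary gid resolves to any group name at all
#   3. sysusers.d 'u' (id) and 'm' (membership) declarations, if a dir is given
# All paths are parameters, so it runs against constructed files below and can
# be pointed at /etc/passwd, /etc/group and /usr/lib/sysusers.d on a real host.

is_number() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

check_account() {
    user=$1 passwd=$2 group=$3 sysusers=$4
    status=0

    pw_uid=$(awk -F: -v u="$user" '$1==u {print $3; exit}' "$passwd")
    pw_gid=$(awk -F: -v u="$user" '$1==u {print $4; exit}' "$passwd")
    if [ -z "$pw_uid" ]; then
        echo "FAIL: no passwd entry for $user"
        return 1
    fi

    gr_gid=$(awk -F: -v g="$user" '$1==g {print $3; exit}' "$group")
    gid_name=$(awk -F: -v id="$pw_gid" '$3==id {print $1; exit}' "$group")

    if [ -n "$gr_gid" ] && [ "$gr_gid" != "$pw_gid" ]; then
        echo "MISMATCH: $user has primary gid $pw_gid in passwd, but group '$user' is gid $gr_gid"
        status=1
    fi
    if [ -z "$gid_name" ]; then
        echo "WARN: gid $pw_gid has no group entry; 'id $user' prints it numerically"
        status=1
    fi

    if [ -d "$sysusers" ]; then
        # 'u name id': id is '-', UID, 'UID:GID' or 'UID:groupname'. A bare UID
        # means the group gets the same number (sysusers.d(5)).
        decl=$(awk -v u="$user" '$1=="u" && $2==u {print $3; exit}' "$sysusers"/*.conf 2>/dev/null || true)
        case $decl in
            ''|-) want_uid= want_gid= ;;
            *:*)  want_uid=${decl%%:*} want_gid=${decl#*:} ;;
            *)    want_uid=$decl want_gid=$decl ;;
        esac
        if is_number "$want_uid" && [ "$want_uid" != "$pw_uid" ]; then
            echo "MISMATCH: sysusers.d declares uid $want_uid, passwd has $pw_uid"
            status=1
        fi
        if is_number "$want_gid" && [ -n "$gr_gid" ] && [ "$want_gid" != "$gr_gid" ]; then
            echo "MISMATCH: sysusers.d declares gid $want_gid, group '$user' is $gr_gid"
            status=1
        fi
        # 'm user group': the user must appear in that group's member list.
        for g in $(awk -v u="$user" '$1=="m" && $2==u {print $3}' "$sysusers"/*.conf 2>/dev/null || true); do
            if ! awk -F: -v g="$g" -v u="$user" \
                 '$1==g { n=split($4,m,","); for (i=1;i<=n;i++) if (m[i]==u) ok=1 }
                  END { exit ok ? 0 : 1 }' "$group"; then
                echo "MISSING: $user should be a member of $g but is not listed"
                status=1
            fi
        done
    fi
    return $status
}

# Constructed sample data mirroring the thread: passwd says 102:102, group says 976.
demo=$(mktemp -d)
printf 'polkitd:x:102:102:Policy Kit Daemon:/:/usr/bin/nologin\n' > "$demo/passwd"
printf 'proc:x:26:polkitd\npolkitd:x:976:\n' > "$demo/group.bad"
printf 'proc:x:26:polkitd\npolkitd:x:102:\n' > "$demo/group.good"
mkdir "$demo/sysusers.d"
printf 'u polkitd 102 "PolicyKit daemon"\nm polkitd proc\n' > "$demo/sysusers.d/polkit.conf"

echo "== as found =="
check_account polkitd "$demo/passwd" "$demo/group.bad" "$demo/sysusers.d" || echo "(problems found)"
echo "== after setting the group to 102 =="
check_account polkitd "$demo/passwd" "$demo/group.good" "$demo/sysusers.d" && echo "(consistent)"
rm -rf "$demo"
```

On a live host, call it as check_account polkitd /etc/passwd /etc/group /usr/lib/sysusers.d; a nonzero return means at least one inconsistency was printed. The passwd-versus-group gid disagreement it flags first is exactly the state this thread ends up diagnosing, where polkitd's real primary gid differs from the one recorded for the polkitd user.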
That's my output:
$ id polkitd
uid=102(polkitd) gid=102 groups=102,26(proc)
$ id 102
uid=102(polkitd) gid=102 groups=102,26(proc)
$ id 976
id: ‘976’: no such user
FAIL: 1
$ grep -rE '(polkit|102|976)' /etc/passwd /etc/group /{usr/lib,etc}/sysusers.d
/etc/passwd:polkitd:x:102:102:Policy Kit Daemon:/:/usr/bin/nologin
/etc/group:proc:x:26:polkitd
/etc/group:polkitd:x:976:
/usr/lib/sysusers.d/polkit.conf:u polkitd 102 "PolicyKit daemon"
/usr/lib/sysusers.d/polkit.conf:m polkitd proc
grep: /etc/sysusers.d: No such file or directory
FAIL: 2
And we have a winner:
/etc/group:polkitd:x:976:

Make that 102.
Thanks. Changed it to 102, reverted the original polkit.service, and it seems to work. I wonder why it was 976, but I'm not sure I'm able to dig up that information.
Last edited by bodysativa (2023-08-05 08:05:10)