Bug 688267 - KDE fails to remember authorization for polkit
Status: RESOLVED DUPLICATE of bug 680586
Alias: None
Product: openSUSE 11.4
Classification: openSUSE
Component: KDE4 Workspace
Version: Final
Hardware: All openSUSE 11.4
Importance: P2 - High, Critical with 1 vote
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
Reported: 2011-04-18 20:50 UTC by Tejas Guruswamy
Modified: 2011-11-17 23:50 UTC
Description Tejas Guruswamy 2011-04-18 20:50:08 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0.0) Gecko/20100101 Firefox/4.0

Default installation of openSUSE 11.4 / KDE 4.6. Whenever resuming from standby or switching to console and back, user is prompted for password to set brightness level (polkit action org.kde.powerdevil.backlighthelper.setbrightness).

Option to "Remember authorization", with or without "for this session only", does not behave as described.

Reproducible: Always

Steps to Reproduce:
1. Standby or switch to console, then return
2. Fill in password as requested by polkit, choosing "Remember authorization"
3. Try standby / console again
Actual Results:  
Prompted for password again

Expected Results:  
Authorization is retained

Adjusting brightness while KDE is running works fine. Is this an active/inactive console problem? I notice that the default privs are auth_admin:auth_admin:auth_admin (no keep_always, though I tried that and it didn't work either)

Workaround is to add to /etc/polkit-default-privs.local

org.kde.powerdevil.backlighthelper.brightness                   yes:yes:yes
org.kde.powerdevil.backlighthelper.setbrightness                yes:yes:yes

and run /sbin/set_polkit_default_privs
Comment 1 Tejas Guruswamy 2011-04-25 08:48:19 UTC
Actually KDE seems to fail to "Remember authorization" from all PolKit dialogs, not just the set brightness one.
Comment 2 Forgotten User --EoyBps8f 2011-06-27 22:14:20 UTC
It always worked for me. What's special about your setup – or mine?
Comment 3 Tejas Guruswamy 2011-06-27 22:42:37 UTC
Any clues on which specific bits to look at? Does polkit-kde keep configuration files or logs?

This issue has come up on the mailing lists for others as well.
Comment 4 Ludwig Nussel 2011-06-28 13:58:44 UTC
polkit1 has no means to control "remember authorization" IIRC. It just does that always for a certain time and then forgets about it if the setting is auth_admin_keep.
Switching the active console will activate a different setting. So the default setting of auth_admin:auth_admin:yes will require authorization if KDE tries to set brightness while in the background.
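
Added example (not part of the bug report or of openSUSE's tooling): a small Python check of what the settings quoted in the description and in comment 4 mean per session state, and which override lines grant access with no authentication outside the active session. It assumes the three fields are ordered any:inactive:active, as in polkit's allow_any/allow_inactive/allow_active; the sample input is constructed and the function names are hypothetical.

```python
FIELDS = ("any", "inactive", "active")  # assumed order: allow_any:allow_inactive:allow_active
SETBRIGHTNESS = "org.kde.powerdevil.backlighthelper.setbrightness"

# Constructed samples: the default quoted in comment 4 and the workaround lines
# from the description.
SAMPLE_DEFAULT = SETBRIGHTNESS + "  auth_admin:auth_admin:yes\n"
SAMPLE_LOCAL = """\
# constructed copy of the workaround lines
org.kde.powerdevil.backlighthelper.brightness                   yes:yes:yes
org.kde.powerdevil.backlighthelper.setbrightness                yes:yes:yes
"""


def parse_privs(text):
    """Parse 'action any:inactive:active' lines into {action: {field: value}}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        values = parts[1].split(":") if len(parts) == 2 else []
        if len(values) != 3 or not all(values):
            raise ValueError(f"line {lineno}: expected 'action any:inactive:active'")
        table[parts[0]] = dict(zip(FIELDS, values))
    return table


def decision(table, action, local, active):
    """Setting that applies to a caller (simplified): non-local -> any,
    local session -> active or inactive depending on the current console."""
    entry = table[action]
    if not local:
        return entry["any"]
    return entry["active"] if active else entry["inactive"]


def broad_grants(table):
    """Entries that let a non-active session act with no authentication."""
    return [(action, field)
            for action, entry in table.items()
            for field in ("any", "inactive")
            if entry[field] == "yes"]


if __name__ == "__main__":
    default = parse_privs(SAMPLE_DEFAULT)
    for active in (True, False):
        print("active" if active else "inactive",
              decision(default, SETBRIGHTNESS, local=True, active=active))
    for action, field in broad_grants(parse_privs(SAMPLE_LOCAL)):
        print("no authentication for", field, "sessions:", action)
```

With the default from comment 4, the same desktop gets "yes" while its console is active and "auth_admin" once it is in the background, which is the prompt described in the report; the yes:yes:yes override removes the prompt but is reported for both the any and inactive fields.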
Comment 5 Forgotten User --EoyBps8f 2011-06-28 15:03:08 UTC
What I do not understand is that I am never asked for any brightness change, not after resuming, nor after changing to tty1 or anything else. So why do some get that dialogue and I do not? Does it depend on the notebook one uses?
Comment 6 Ludwig Nussel 2011-06-28 15:27:07 UTC
Some hardware allows changing brightness via an X extension AFAIK, no policykit involved then.
Comment 7 Forgotten User --EoyBps8f 2011-06-28 15:31:38 UTC
Ah, sounds like a sensible explanation. Is there a way to check what kind of hardware one's notebook is using?
Comment 8 Tejas Guruswamy 2011-06-29 11:06:31 UTC
Further descriptions of the problem

http://lists.opensuse.org/opensuse/2011-05/msg00857.html
http://lists.opensuse.org/opensuse-kde/2011-04/msg00094.html
http://lists.opensuse.org/opensuse-kde/2011-03/msg00078.html

If polkit can't remember authorizations, why is that option available in the KDE polkit authorization dialog box?

If it is true that there is no remember authorization facility, then something else has to be changed because asking for root password every time you wake the laptop is clearly unreasonable.
Comment 9 Robert Davies 2011-07-06 12:23:09 UTC
I received this after returning from locked (blank) screen saver on i686, Tumbleweed install.

System policies prevent you from getting the brighness level.

An application is attempting to perform an action that requires
privileges.  Authentication is req'd ..


Password for root:
[ ] Remember authorization

Application :
Action: Get brighness
Vendor: KDE
polkit.subject.pid: 3226
polkit.caller.pid: 3971

ladm@oak:~> ps aux |grep 3971
root      3971  0.0  0.7  38152  7428 ?        Sl   11:37   0:00 /usr/lib/kde4/libexec/backlighthelper

This popup authorisation should BE REMOVED, for security reasons it is very VERY misguided to have low level software be capable of asking for "authentication" at some random point.

The purpose of authentication in features like login, su or kdesu, are to prove that you have "root access", the program already has the privileges.  This ridiculous request for root pass for backlighthelper, will encourage social engineering pass collection attacks via popups, as well as infuriate end users, worse than Windows UAC (there a confirmation click on screen dim, is all that's required)!

Issues like this should be handled by an error pop up, if the privileges of a "helper" program are insufficient for it to operate, it's a configuration error.  The bug "remembering authorisation" ought not to be fixed, but the root pass Authentication, ought only be possible for programs that are setuid or have gained privileged capabilities, and wish to verify the end user's right.

There's a design error in the way polkit is implemented it seems, think LWN had an article a while back too on similar problems in Fedora, polkit introduction.
Comment 10 Robert Davies 2011-07-13 11:52:54 UTC
Had a similar (but different) crazy popup asking for root password, for something wanting access to package kit, I suspect the updater applet.
Unfortunately the popup disappeared before I copied and pasted the details to save them, this just reinforces my opinion that this "get root password" popup should be changed to something sane, like "Program X does not have the rights in policy kit to do Y".
Comment 11 Will Stephenson 2011-11-17 23:50:57 UTC
Dupe

*** This bug has been marked as a duplicate of bug 680586 ***