/etc/polkit-1/localauthority.conf.d/ parsed in wrong order?

Bug #1757266 reported by TJ
This bug affects 1 person
Affects: policykit-1 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

On 16.04 and using the Xubuntu session (this isn't limited to XFCE) I noticed that my notebook fails to suspend via power-management when the idle timeout expires. When returning to it, if it still has power, I see a polkit-agent GUI dialog asking me to authenticate.

In /var/log/auth.log is:

polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action org.freedesktop.login1.suspend for system-bus-name::1.47 [xfce4-power-manager --restart --sm-client-id 2992705d4-6fa2-4fba-966c-f7631ecd0b46] (owned by unix-user:tj)

So I started digging:

# inactive sleep is enabled
$ xfconf-query -c xfce4-power-manager -lv | grep inactivity
/xfce4-power-manager/inactivity-on-ac 14
/xfce4-power-manager/inactivity-on-battery 15
/xfce4-power-manager/inactivity-sleep-mode-on-battery 1

$ awk '/login1\.suspend"/ {E=1;print} /defaults/ && E == 1 {E++} E > 1 {print} /<\/action>/ && E > 1 {exit}' /usr/share/polkit-1/actions/org.freedesktop.login1.policy
        <action id="org.freedesktop.login1.suspend">
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
        </action>

# member of sudo and adm
$ groups
tj adm dialout cdrom sudo dip plugdev lpadmin sambashare sbuild lxd libvirtd two_factor_auth

$ sudo find /etc/polkit-1/ -type f -exec sh -c 'echo === {} ===; cat {}' \; | egrep -v '^(#|$)'
=== /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla ===
[Enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
ResultInactive=yes
[Enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
ResultInactive=yes
=== /etc/polkit-1/nullbackend.conf.d/50-nullbackend.conf ===
[Configuration]
Priority=-10
=== /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf ===
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
=== /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ===
[Configuration]
AdminIdentities=unix-user:0

ubuntu-admin.conf policy sets AdminIdentities to include group 'sudo' but seems to be ignored.

"man 8 pklocalauthority" states that these files are parsed in C locale lexical order, and gives examples of "...given the name 60-desktop-policy.conf to ensure that it is evaluated after the 50-localauthority.conf file shipped with PolicyKit."

However:

$ sudo inotifywait -r -m /etc/polkit-1/localauthority.conf.d
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/etc/polkit-1/localauthority.conf.d/ OPEN,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE,ISDIR
/etc/polkit-1/localauthority.conf.d/ OPEN 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 50-localauthority.conf

This seems to show that the sort order might be high-low not low-high (unless they're sorted once in memory).

In view of the fact that ubuntu-admin.conf appears to be ignored I suspect 50-localauthority.conf is replacing the ubuntu conf with the default:

AdminIdentities=unix-group:sudo;unix-group:admin
AdminIdentities=unix-user:0
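
To compare the AdminIdentities value that should win under the documented C-locale order with the one that wins if the files are applied in the reverse order seen in the inotifywait trace, here is an added example (not part of the original report and not polkit code). It assumes the last AdminIdentities value read is the one that takes effect; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not polkit code. Assumption: the last AdminIdentities
# value read across the .conf files is the one that takes effect.

# Print the AdminIdentities value set in one key file, if any.
admin_ids_in_file() {
    sed -n 's/^AdminIdentities[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# effective_admin_ids DIR [SORT_FLAGS]
# Apply DIR/*.conf in C-locale lexical order (pass -r for the reverse)
# and print the value left standing after the last file.
# File names are assumed to contain no whitespace.
effective_admin_ids() {
    dir=$1
    flags=${2:-}
    result=
    for name in $(ls "$dir" | grep '\.conf$' | LC_ALL=C sort $flags); do
        value=$(admin_ids_in_file "$dir/$name")
        if [ -n "$value" ]; then
            result=$value
        fi
    done
    printf '%s\n' "$result"
}

# Constructed sample: the two files quoted in the report, recreated in a
# scratch directory so nothing under /etc is touched.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' \
        > "$d/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n' \
        > "$d/51-ubuntu-admin.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "documented order (50 then 51): $(effective_admin_ids "$sample")"
echo "reverse order    (51 then 50): $(effective_admin_ids "$sample" -r)"
rm -rf "$sample"
```

Pointing effective_admin_ids at /etc/polkit-1/localauthority.conf.d shows which identities should be treated as administrators if the documented order is honoured; a mismatch with observed behaviour matches the symptom in this report.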

TJ (tj) wrote :

Related Suspend bug (and fix) "Desktop unable to Suspend when Inactive Edit" bug #1757375
