PolicyKit authentication always fails

Bug #598909 reported by Gerry Reno
This bug affects 1 person

Affects: policykit-1 (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: system-tools-backends

I am running lucid with system-tools-backends at 2.9.4 and am seeing errors trying to run any of:
Time and Date
Users and Groups

example:
$ users-admin

(users-admin:12353): Liboobs-WARNING **: There was an unknown error communicating with the backends: Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper: Success
$ gksu users-admin
(users-admin:12389): Liboobs-WARNING **: There was an unknown error communicating with the backends: Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper: Success
$ gksudo users-admin
(users-admin:12413): Liboobs-WARNING **: There was an unknown error communicating with the backends: Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper: Success

I checked and /etc/groups did not appear to be overwritten, but the commands still do not work either from the menu or the command-line.

# cat /etc/issue
Ubuntu 10.04 LTS \n \l

# uname -m
x86_64

# apt-show-versions gnome-system-tools system-tools-backends
gnome-system-tools/lucid uptodate 2.30.0-0ubuntu2
system-tools-backends/lucid uptodate 2.9.4-0ubuntu1

Don't know if any of this is related but here is messagebus group related info from /etc/group and /etc/passwd:

# grep messagebus /etc/group
messagebus:x:108:
# grep 108 /etc/group
messagebus:x:108:
# grep 108 /etc/passwd
messagebus:x:102:108::/var/run/dbus:/bin/false
haldaemon:x:108:115:Hardware abstraction layer,,,:/var/run/hald:/bin/false

# apt-cache policy system-tools-backends gnome-system-tools
system-tools-backends:
  Installed: 2.9.4-0ubuntu1
  Candidate: 2.9.4-0ubuntu1
  Version table:
 *** 2.9.4-0ubuntu1 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
gnome-system-tools:
  Installed: 2.30.0-0ubuntu2
  Candidate: 2.30.0-0ubuntu2
  Version table:
 *** 2.30.0-0ubuntu2 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

# apt-get install --reinstall system-tools-backends gnome-system-tools

Reinstalled these packages but it made no difference at all, still have the error.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

As I suggested on the other report (bug 295405), could you try setting UID for user messagebus to 102 (if that's not used by another one)? More generally, please follow the procedures I described there to check that it's not the same problem (very likely).

(BTW, when I said liboobs, I thought liboobs-1-4, sorry.)

Changed in system-tools-backends (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
summary: - System|Administration|Users and Groups: The configuration could not be
- loaded.
+ Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper:
+ Success
Revision history for this message
Gerry Reno (greno-verizon) wrote : Re: Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper: Success

The UID for user 'messagebus' is already 102. Not sure what you are asking there.

# apt-cache policy liboobs-1-4
liboobs-1-4:
  Installed: 2.30.0-0ubuntu1
  Candidate: 2.30.0-0ubuntu1
  Version table:
 *** 2.30.0-0ubuntu1 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

# apt-get install --reinstall liboobs-1-4

Reinstalling liboobs made no difference, still have error.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

What I got out of the other bug's comment was that it needs to be checked that there are not two groups using the same IDs. I don't see that as the case here.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

I meant 108 of course.

When I referred to the other report, I thought about things like:
ls -l /lib/dbus-1.0/dbus-daemon-launch-helper
Or the one explained at:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/295405/comments/10

The idea is that I'm going to have to reproduce the same steps since the symptoms are the same, at least from what I can see now. So if you could have a look there and see if you can get more information, that will be far more efficient! I suspect something is wrong with permissions, e.g. the UID has changed but not the files on the system.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

Ok, here is some more info:

# ls -l /lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-- 1 root avahi 47520 2010-03-30 18:43 /lib/dbus-1.0/dbus-daemon-launch-helper

# cat /etc/group | grep -e 108 -e avahi
messagebus:x:108:
avahi-autoipd:x:111:
avahi:x:112:

# cat /etc/passwd | grep -e messagebus -e 108 -e avahi
messagebus:x:102:108::/var/run/dbus:/bin/false
avahi-autoipd:x:103:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:108:115:Hardware abstraction layer,,,:/var/run/hald:/bin/false

# sudo strace -s 4096 -f -o /tmp/trace -p `ps h -o %p -U messagebus`
Process 409 attached - interrupt to quit
Process 21785 attached
Process 21786 attached
Process 21786 detached
Process 21785 detached
Process 21851 attached
Process 21852 attached
Process 21852 detached
Process 21851 detached

# ck-list-sessions

** (ck-list-sessions:21850): WARNING **: Failed to get list of seats: Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper: Success

Revision history for this message
Gerry Reno (greno-verizon) wrote :

If I change the UID for messagebus it will be the same id as haldaemon so I don't think I should do this.

Really I can see nothing wrong with the ids. There are no duplicated id's.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

OK, the problem is obvious and exactly the same as for the other report. /lib/dbus-1.0/dbus-daemon-launch-helper shouldn't be owned by the 'avahi' group, but by 'messagebus'.

See my comment at
https://bugs.launchpad.net/ubuntu/+source/consolekit/+bug/475503/comments/20
for instructions to fix this.

Marking as duplicate, feel free to ask if that doesn't work though!
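
The ownership check discussed in the comment above, written out as an added example (it is not code from this thread or from the dbus package). The helper is mode -rwsr-xr--, so only root and members of the file's group can execute it; the expected mode 4754 is an assumption read off the `ls -l` output in the report, since the thread only names the group as wrong. The function names are hypothetical, and the lookup matches whole passwd/group fields rather than grepping for a number such as 108.

```bash
#!/usr/bin/env bash
# Added example: verify the metadata of the D-Bus activation helper and resolve
# a user's primary group by exact field match.

HELPER=/lib/dbus-1.0/dbus-daemon-launch-helper   # path as given in the report

# check_helper_meta OWNER GROUP MODE
# Pure check on the three values printed by: stat -c '%U %G %a' FILE
# Prints one finding per problem; returns 0 only when nothing is wrong.
check_helper_meta() {
    owner=$1 group=$2 mode=$3 rc=0
    [ "$owner" = root ] || { echo "owner is $owner, expected root"; rc=1; }
    # The bus daemon runs as user messagebus and reaches the helper through
    # the group-execute bit, so the group must be messagebus.
    [ "$group" = messagebus ] || { echo "group is $group, expected messagebus"; rc=1; }
    # Assumption: -rwsr-xr-- (setuid, no access for others) is octal 4754.
    [ "$mode" = 4754 ] || { echo "mode is $mode, expected 4754"; rc=1; }
    return $rc
}

# primary_group_name USER PASSWD_FILE GROUP_FILE
# Prints the name of USER's primary group. Compares field 1 of passwd and
# field 3 of group exactly, so a UID that happens to equal the GID (haldaemon
# with UID 108 in the report) cannot produce a false match.
primary_group_name() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$3"
}

# audit_launch_helper
# Live check on the local system (GNU stat). Returns 2 if the file is missing.
audit_launch_helper() {
    meta=$(stat -c '%U %G %a' "$HELPER" 2>/dev/null) || return 2
    set -- $meta
    check_helper_meta "$1" "$2" "$3"
}

# Demo on the values shown in the report (root, avahi, -rwsr-xr--).
check_helper_meta root avahi 4754 || true
```

On an affected machine, run `audit_launch_helper` as any user; a non-zero status with a "group is ..." finding corresponds to the state shown in the `ls -l` output earlier in the thread.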

Revision history for this message
Gerry Reno (greno-verizon) wrote :

This is NOT the same problem! This is not a duplicate bug. The other cases were about duplicated GID's.

# grep messagebus /etc/passwd
messagebus:x:102:108::/var/run/dbus:/bin/false

# grep 108 /etc/group
messagebus:x:108:

There is no duplicated GID as there was in the cases in the other bugs.

# awk -F: '{print $3}' /etc/group | sort -u | wc -l
66
# awk -F: '{print $3}' /etc/group | sort | wc -l
66

As you can see there are no duplicated GID's of any kind.

I changed the group on /lib/dbus-1.0/dbus-daemon-launch-helper from avahi to messagebus and it didn't change anything. Still getting the same error.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

Ah, I hadn't noticed this comment before posting on the other bug, where you didn't mention the fix didn't work.

Could you try the solution described at:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/295405/comments/26

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

If the solutions of the duplicate didn't work, it may be something different in the end. Have you tried the suggestion above too?

Do you get the same problem when you try to run other programs, e.g. jockey-gtk (from the console to see messages)?

Revision history for this message
Gerry Reno (greno-verizon) wrote :

$ jockey-gtk
Traceback (most recent call last):
  File "/usr/bin/jockey-gtk", line 417, in <module>
    sys.exit(u.run())
  File "/usr/lib/python2.6/dist-packages/jockey/ui.py", line 428, in run
    self.ui_show_main()
  File "/usr/bin/jockey-gtk", line 101, in ui_show_main
    self.update_tree_model()
  File "/usr/bin/jockey-gtk", line 277, in update_tree_model
    for h_id in self.get_displayed_handlers():
  File "/usr/lib/python2.6/dist-packages/jockey/ui.py", line 772, in get_displayed_handlers
    return self.backend().available(self.argv_options.mode)
  File "/usr/lib/python2.6/dist-packages/jockey/ui.py", line 98, in backend
    self._dbus_iface = Backend.create_dbus_client()
  File "/usr/lib/python2.6/dist-packages/jockey/backend.py", line 686, in create_dbus_client
    obj = bus.get_object(DBUS_BUS_NAME, '/DeviceDriver')
  File "/usr/lib/pymodules/python2.6/dbus/bus.py", line 244, in get_object
    follow_name_owner_changes=follow_name_owner_changes)
  File "/usr/lib/pymodules/python2.6/dbus/proxies.py", line 241, in __init__
    self._named_service = conn.activate_name_owner(bus_name)
  File "/usr/lib/pymodules/python2.6/dbus/bus.py", line 183, in activate_name_owner
    self.start_service_by_name(bus_name)
  File "/usr/lib/pymodules/python2.6/dbus/bus.py", line 281, in start_service_by_name
    'su', (bus_name, flags)))
  File "/usr/lib/pymodules/python2.6/dbus/connection.py", line 620, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper: Success

I've tried changing the permissions as you suggested and that did not help at all.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

OK, so that's not a bug specific to users-admin. Didn't reinstalling the package solve the problem?

As I said above, /even if it's not the same issue/, please follow the instructions given by Martin Pitt for the other report, especially:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/295405/comments/10

Thanks!

Revision history for this message
Gerry Reno (greno-verizon) wrote :

Scroll just a little bit. You have my strace here in comment #5 https://bugs.launchpad.net/ubuntu/+source/system-tools-backends/+bug/598909/comments/5

Revision history for this message
Gerry Reno (greno-verizon) wrote :

Also, look back and you'll see that I've reinstalled all the requested packages. It didn't change anything.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

Ah, sorry for missing the strace! I've looked at it, and comparing with other bug, the same permission issues appear. So, please continue the steps described by Martin from comment #12, and go on while you're able to draw the same conclusions as the other reporter.
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/295405/comments/12

When I said reinstalling "the package", I meant dbus, since the gnome-system-tools are not at fault here. Sorry for not being explicit. This could fix permissions automatically.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

I reinstalled 'dbus' and this cleared the error but I'm seeing strange behavior.

Logged in as a regular user.

Time and Date: all greyed out and "you are not authorized...", no prompt to enter root password.

Users and Groups: can only change Password for current user, the other Change buttons do nothing and can do nothing with any other users.

Just for background info: The 'root' account on this machine is linked to 'ubuntu' account sudo. And there is no password, when you 'sudo' from ubuntu account it automatically goes to 'root' account without password.

So, if I get into a terminal and from one of the regular user accounts do:
$ sudo time-admin
Then the time and date window displays fully accessible to all functions.

$ sudo users-admin
(users-admin:5154): Liboobs-WARNING **: There was an unknown error communicating asynchronously with the backends: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

After about a minute, then the Users and Groups window displays fully accessible to all functions.

But clearly there is still a problem.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

So we're on a completely different bug now. The dbus issue was likely related to permissions on a file included in the package. It would be interesting to reproduce in a virtual machine a fresh install of ubuntu-server and then install ubuntu-desktop, checking if the issue happens every time. But the desktop team is busy with other things, and I'm not sure they will consider this as high priority. So if you have some free time... :-p

About the authentication issue, there are cases where PolicyKit considers it won't be able to check for privileges. I don't remember exactly what they are - it's very likely that an account with an empty password won't be able to authenticate, so you may check this.

Else, please run 'users-admin' in a terminal without the sudo (which is not supported), and see whether interesting messages appear. If not, kill the 'polkitd' system daemon, and restart it via:
sudo /usr/lib/policykit-1/polkitd
Then, reproducing the problem should show interesting information.

You may also need to start /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1, which should be started on login normally.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

I wouldn't say it's completely different. Just maybe that the permissions aspect of the bug has been solved but there are still other related errors showing.

Without sudo:
$ users-admin
(users-admin:18974): Liboobs-WARNING **: There was an unknown error communicating asynchronously with the backends: Malformed message was sent

And the window button behavior is as I described from the menu. Only Password button for current user is accessible. No other buttons for anything else work.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

And what about the other questions? The error message you see can be related to several known bugs and may not be related. The output of polkitd might be much more interesting.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

I do not have the time at the moment to create another fresh install of Lucid using ubuntu-server followed by ubuntu-desktop.

I've been reading the wiki entry about PolicyKit. But there is nothing that says anything about accounts w/o password.

And the 'users-admin' command worked so I didn't need to kill policykitd.

Was there anything else?

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

users-admin "worked" but it didn't provide interesting information. The polkitd output would still be required to understand why PolicyKit thinks you cannot authenticate. See the end of my comment #17, after "see whether interesting messages appear".

Revision history for this message
Gerry Reno (greno-verizon) wrote :

# ps -ef | grep polkitd
root 2552 1 0 15:33 ? 00:00:00 /usr/lib/policykit-1/polkitd
# killall polkitd
# ps -ef | grep polkitd
#

# sudo /usr/lib/policykit-1/polkitd &
[1] 32132
# Registering null backend at priority -10
** (process:32132): DEBUG: Added `/var/lib/polkit-1/localauthority/10-vendor.d' as a local authorization store
** (process:32132): DEBUG: Added `/etc/polkit-1/localauthority/10-vendor.d' as a local authorization store
** (process:32132): DEBUG: Added `/var/lib/polkit-1/localauthority/20-org.d' as a local authorization store
** (process:32132): DEBUG: Added `/etc/polkit-1/localauthority/20-org.d' as a local authorization store
** (process:32132): DEBUG: Added `/var/lib/polkit-1/localauthority/30-site.d' as a local authorization store
** (process:32132): DEBUG: Added `/etc/polkit-1/localauthority/30-site.d' as a local authorization store
** (process:32132): DEBUG: Added `/var/lib/polkit-1/localauthority/50-local.d' as a local authorization store
** (process:32132): DEBUG: Added `/etc/polkit-1/localauthority/50-local.d' as a local authorization store
** (process:32132): DEBUG: Added `/var/lib/polkit-1/localauthority/90-mandatory.d' as a local authorization store
** (process:32132): DEBUG: Added `/etc/polkit-1/localauthority/90-mandatory.d' as a local authorization store
** (process:32132): DEBUG: Monitoring `/var/lib/polkit-1/localauthority' for changes
** (process:32132): DEBUG: Monitoring `/etc/polkit-1/localauthority' for changes
Using authority class PolkitBackendLocalAuthority

# ps -ef | grep polkitd
root 32132 24906 0 19:17 pts/1 00:00:00 /usr/lib/policykit-1/polkitd

Logged in as a regular user (davidr) and accessing Users and Groups from menus and then selecting current user and clicking on the Change button for Name:

# ** (process:32132): DEBUG: system-bus-name::1.231589 is inquiring whether system-bus-name::1.231663 is authorized for org.freedesktop.systemtoolsbackends.self.set
** (process:32132): DEBUG: user of caller is unix-user:root
** (process:32132): DEBUG: user of subject is unix-user:davidr
** (process:32132): DEBUG: checking whether system-bus-name::1.231663 is authorized for org.freedesktop.systemtoolsbackends.self.set

** (process:32132): WARNING **: skipping unknown tag <_description> at line 12

** (process:32132): WARNING **: skipping unknown tag <_message> at line 13

** (process:32132): WARNING **: skipping unknown tag <_description> at line 21

** (process:32132): WARNING **: skipping unknown tag <_message> at line 22

** (process:32132): WARNING **: skipping unknown tag <_description> at line 30

** (process:32132): WARNING **: skipping unknown tag <_message> at line 31

** (process:32132): WARNING **: skipping unknown tag <_description> at line 39

** (process:32132): WARNING **: skipping unknown tag <_message> at line 40

** (process:32132): WARNING **: skipping unknown tag <_description> at line 11

** (process:32132): WARNING **: skipping unknown tag <_message> at line 12

** (process:32132): WARNING **: skipping unknown tag <_description> at line 15

** (process:32132): WARNING **: skipping unknown tag <_message> at line 16
** (process:32132): DEBUG: (nil)
** (proce...


Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

** (process:32132): DEBUG: not authorized

So that's polkitd that thinks you don't have the required privileges. Does that user have a password? If not, please try with a user with a password.

What does
ck-list-sessions
return?

Revision history for this message
Gerry Reno (greno-verizon) wrote :

The user does not have a password. All users are keyed access.

# ck-list-sessions
Session20:
 unix-user = '1001'
 realname = 'David Reno'
 seat = 'Seat18'
 session-type = ''
 active = FALSE
 x11-display = ''
 x11-display-device = ''
 display-device = '/dev/ssh'
 remote-host-name = 'XX.XX.XX.XX'
 is-local = FALSE
 on-since = '2010-06-29T17:33:27.204342Z'
 login-session-id = '4294967295'
Session21:
 unix-user = '1001'
 realname = 'David Reno'
 seat = 'Seat19'
 session-type = ''
 active = FALSE
 x11-display = ''
 x11-display-device = ''
 display-device = '/dev/ssh'
 remote-host-name = 'XX.XX.XX.XX'
 is-local = FALSE
 on-since = '2010-06-29T17:33:27.207013Z'
 login-session-id = '4294967295'
Session23:
 unix-user = '1001'
 realname = 'David Reno'
 seat = 'Seat21'
 session-type = ''
 active = FALSE
 x11-display = ''
 x11-display-device = ''
 display-device = '/dev/ssh'
 remote-host-name = 'XX.XX.XX.XX'
 is-local = FALSE
 on-since = '2010-06-29T17:33:39.108880Z'
 login-session-id = '4294967295'

IP hidden...

I have three open distinct sessions to this user.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

Maybe PolicyKit is unable to authenticate a user with its key. Could you try with a test account that has a password?

ConsoleKit seems to work fine, so it's very likely that password is the problem.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

Created a user 'test' with a password:

$ sudo adduser test
Adding user `test' ...
Adding new group `test' (1002) ...
Adding new user `test' (1002) with group `test' ...
Creating home directory `/home/test' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
 Full Name []: TEST USER
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
Is the information correct? [Y/n] Y

Then did:

$ sudo su - test

$ users-admin

(users-admin:10699): Liboobs-WARNING **: There was an unknown error communicating asynchronously with the backends: Malformed message was sent

# ** (process:32132): DEBUG: system-bus-name::1.231589 is inquiring whether system-bus-name::1.231671 is authorized for org.freedesktop.systemtoolsbackends.self.set
** (process:32132): DEBUG: user of caller is unix-user:root
** (process:32132): DEBUG: user of subject is unix-user:test
** (process:32132): DEBUG: checking whether system-bus-name::1.231671 is authorized for org.freedesktop.systemtoolsbackends.self.set
** (process:32132): DEBUG: 0x13e9c30
** (process:32132): DEBUG: subject is in session /org/freedesktop/ConsoleKit/Session26 (local=1 active=0)
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/10-vendor.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/10-vendor.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/20-org.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/20-org.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/30-site.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/30-site.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/50-local.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/50-local.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/90-mandatory.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/90-mandatory.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/10-vendor.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/10-vendor.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/20-org.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/20-org.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/30-site.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/etc/polkit-1/localauthority/30-site.d'
** (process:32132): DEBUG: Dropping all .pkla caches for directory `/var/lib/polkit-1/localauthority/50-local.d'
*...


Revision history for this message
Gerry Reno (greno-verizon) wrote :

And here is Session 26:

Session26:
 unix-user = '1002'
 realname = 'TEST USER'
 seat = 'Seat1'
 session-type = ''
 active = FALSE
 x11-display = ''
 x11-display-device = ''
 display-device = '/dev/pts/2'
 remote-host-name = ''
 is-local = TRUE
 on-since = '2010-06-29T20:41:12.373274Z'
 login-session-id = '4294967295'
 idle-since-hint = '2010-06-29T20:42:01.010623Z'

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

Thanks for the info. So that's really a problem with PolicyKit or its configuration files. Pretty hard to guess where the problem may come from.

Please check that your /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf file contains,
> [Configuration]
> AdminIdentities=unix-group:admin
and check that users you tried to authenticate with are members of the 'admin' group. Also have a look at all files in /etc/polkit-1/ and check there's nothing weird.

Please also post the outputs of:
pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process PID
pkcheck --action-id com.ubuntu.systemservice.setproxy --allow-user-interaction --process PID
replacing PID with the PID of any process you own. Do the same with a process owned by root (calling the tool with sudo).

If you get an error about an authentication agent, please start
/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
and retry.

affects: system-tools-backends (Ubuntu) → policykit-1 (Ubuntu)
summary: - Failed to execute program /lib/dbus-1.0/dbus-daemon-launch-helper:
- Success
+ PolicyKit authentication always fails
Revision history for this message
Gerry Reno (greno-verizon) wrote :

# cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:admin

The users were not members of 'admin' group. I added them and reran the tests. Still got the exact same results. It didn't seem to make any difference.

$ ps
  PID TTY TIME CMD
20575 pts/0 00:00:00 ps
31357 pts/0 00:00:00 bash
$
$ pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process 31357
Not authorized.

$ pkcheck --action-id com.ubuntu.systemservice.setproxy --allow-user-interaction --process 31357
Not authorized.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

How are the users supposed to get sudo powers if they are not in the admin group? Anyway, with them not members of this group authenticating via PolicyKit was clearly impossible. As I'm not familiar at all with how ubuntu-server works, it may be good to find somebody who is, which could explain this bug much better. How are you supposed to make users administrators?

Just to be sure: did you restart the system (or at least log out the user) before retrying?

You didn't post the output of the pkcheck commands when run as root and on a PID owned by root.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

I logged out the user and started a new session:

I went to try accessing Users and Groups from the menu and got the same behavior as before. Only the Password button for the current user worked, nothing else.

$ ps
  PID TTY TIME CMD
12237 pts/3 00:00:00 bash
12284 pts/3 00:00:00 ps

$ pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process 12284
Error checking for authorization org.freedesktop.systemtoolsbackends.set: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: stat() failed for /proc/12284: No such file or directory
$ ps
  PID TTY TIME CMD
12237 pts/3 00:00:00 bash
12484 pts/3 00:00:00 ps
$ pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process 12484
Error checking for authorization org.freedesktop.systemtoolsbackends.set: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: stat() failed for /proc/12484: No such file or directory
$ ps
  PID TTY TIME CMD
12237 pts/3 00:00:00 bash
12573 pts/3 00:00:00 ps

$ ps
  PID TTY TIME CMD
12237 pts/3 00:00:00 bash
12994 pts/3 00:00:00 ps
$ pkcheck --action-id com.ubuntu.systemservice.setproxy --allow-user-interaction --process 12994
Error checking for authorization com.ubuntu.systemservice.setproxy: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.CheckAuthorization() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: stat() failed for /proc/12994: No such file or directory
$ ps
  PID TTY TIME CMD
12237 pts/3 00:00:00 bash
13039 pts/3 00:00:00 ps

pkcheck is now killing the process!!

The user is in the admin group.

Now for root:

# ps
  PID TTY TIME CMD
13535 pts/3 00:00:00 su
13543 pts/3 00:00:00 bash
13568 pts/3 00:00:00 ps
# pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process 13543
# ps
  PID TTY TIME CMD
13535 pts/3 00:00:00 su
13543 pts/3 00:00:00 bash
13750 pts/3 00:00:00 ps
# pkcheck --action-id com.ubuntu.systemservice.setproxy --allow-user-interaction --process 13543
#

root works fine.

So some observations:

It looks to me like some of the tools like 'useradd', 'adduser' need to be updated so that they put the user into the 'admin' group on those installations that rely on PolicyKit. Since the menus were not working, using these tools was the only way that I could add users to the system, but obviously they knew nothing about PolicyKit and they need to.

Even with the users in the admin group the access still isn't working even if you restart polkitd.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

So root is working, good point.

$ ps
  PID TTY TIME CMD
12237 pts/3 00:00:00 bash
12994 pts/3 00:00:00 ps
$ pkcheck --action-id com.ubuntu.systemservice.setproxy --allow-user-interaction --process 12994
Obviously this won't work, since 12994 is the PID of ps, which has died by the time you call pkcheck. Could you retry with the PID of bash?

I don't know how you installed your system, but you can't create the administrator with 'useradd' since for that you need an account with administrator rights. What groups is the default user member of?

Anyway, 'useradd' can't add users to 'admin', since most users shouldn't be granted administration rights. More generally, you shouldn't use 'useradd' to create users, but 'adduser'. Granted, this distinction is silly, but the second is an improved wrapper around the first, and it adds the users to the right groups.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

$ ps
  PID TTY TIME CMD
12237 pts/3 00:00:00 bash
19027 pts/3 00:00:00 ps
$ pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process 12237
Not authorized.
$ pkcheck --action-id com.ubuntu.systemservice.setproxy --allow-user-interaction --process 12237
Not authorized.

And yes, I knew about the difference between adduser and useradd. I always use 'adduser'.

The default 'ubuntu' user is a member of the following groups:
adm
dialout
cdrom
floppy
audio
dip
video
plugdev
fuse
lpadmin
netdev
admin
ubuntu

Revision history for this message
James Westby (james-w) wrote :

If ck-list-sessions has "active = False" or "is-local = False" for your session then
the default policykit config won't let you do most actions.

If you are sat at the machine then it indicates something wrong, if you are over
vnc/ssh/nx or something then it is expected, if undesirable, behaviour.

Thanks,

James
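
The rule stated in the comment above, applied to `ck-list-sessions` output as an added example (not code from this thread or from ConsoleKit/PolicyKit). It marks a session "restricted" when is-local or active is anything other than TRUE, including when the property is missing. The function names and the sample text are constructed; the sample follows the layout of the session listings posted earlier in the thread.

```bash
#!/usr/bin/env bash
# Added example: flag ConsoleKit sessions that the default PolicyKit
# configuration will treat as restricted.

# Reads text in the layout printed by `ck-list-sessions` on stdin and prints
# one line per session:
#   <session> uid=<unix-user> is-local=<v> active=<v> <local-active|restricted>
ck_session_report() {
    awk -v q="'" '
        function emit() {
            if (name == "") return
            verdict = (islocal == "TRUE" && active == "TRUE") ? "local-active" : "restricted"
            printf "%s uid=%s is-local=%s active=%s %s\n", name, uid, islocal, active, verdict
        }
        # An unindented "SessionNN:" line starts a new record.
        /^[A-Za-z0-9]+:[ \t]*$/ {
            emit()
            name = $0; sub(/:[ \t]*$/, "", name)
            uid = "?"; islocal = "?"; active = "?"
            next
        }
        # Indented "key = value" property line; values may be single-quoted.
        /^[ \t]+[a-z0-9-]+ = / {
            key = $1
            val = $0
            sub(/^[^=]*= /, "", val)
            sub(/[ \t]+$/, "", val)
            gsub(q, "", val)
            if (key == "unix-user") uid = val
            else if (key == "is-local") islocal = toupper(val)
            else if (key == "active") active = toupper(val)
        }
        END { emit() }
    '
}

# Constructed sample: an SSH session, a local but inactive terminal session,
# and a local active desktop session.
sample_sessions() {
    cat <<'EOF'
Session20:
 unix-user = '1001'
 seat = 'Seat18'
 active = FALSE
 display-device = '/dev/ssh'
 is-local = FALSE
Session26:
 unix-user = '1002'
 seat = 'Seat1'
 active = FALSE
 display-device = '/dev/pts/2'
 is-local = TRUE
Session30:
 unix-user = '1000'
 seat = 'Seat1'
 active = TRUE
 x11-display = ':0'
 is-local = TRUE
EOF
}

# Demo on the constructed sample; on a real system use:
#   ck-list-sessions | ck_session_report
sample_sessions | ck_session_report
```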

Revision history for this message
Gerry Reno (greno-verizon) wrote :

I am remote logged into the machine using vnc/ssh/nx and this behavior is extremely undesirable.

Nobody would expect this type of behavior.

I have remote logged into machines for years like this and never saw this type of behavior.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

OK, so that's just the result of a limitation in ConsoleKit. This is a major problem, but that's more a feature request than a bug.

If you want, please open a report against the consolekit package - but I don't think that will really help improve things, sadly. I'm closing this bug because there has been much noise when trying to debug. Opening a clear report with the request in the description will be better for everybody.

Changed in policykit-1 (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Gerry Reno (greno-verizon) wrote :

Milan, excuse me, but closing this report is ridiculous.

It is NOT at all a feature request. This is clearly a bug, a bad bug, and it needs fixed.

A lot of research and symptoms are detailed in this report that will be useful for those trying to fix this issue.

And the problem needs to be assigned.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

Please read my comment carefully: did I say that wasn't a problem? Did I say it shouldn't be fixed? The only point I made was that given the mess we have created around the bug in this report, and given we have now identified the precise issue, you'd better file a new bug if you want people to understand quickly what it's about.

Debugging and symptoms won't help a developer to fix the bug: most of our comments deal with discovering what's going on, and half of them deal with a completely different bug. Developers know remote connections are not detected by ConsoleKit: they don't need debugging, they need to be paid to implement this feature, or, if you prefer, fix this bug. The cleaner the report, the more likely somebody will look at it.

Anyway, I've found the master bug for this: that's bug 221363. Discussion should happen there, and possibly on the ubuntu-devel-discuss mailing list, or on the #ubuntu-dev IRC channel, since that's a policy change.

But please stop assuming people here are fighting against you to prevent bugs from being fixed. When we mark a bug as duplicate, that doesn't mean it won't be fixed - on the contrary, it means it has less chances of being lost. And keeping a bug open as-is won't guarantee at all that it will be fixed, it may well be forgotten for ages. We're trying to regulate the flux of bugs by putting them in the appropriate categories, and personally, working as a benevolent, I'd like you to understand that my only goal is not to annoy reporters - else I wouldn't try to help here.

Revision history for this message
Gerry Reno (greno-verizon) wrote :

As the reporter, it seemed as if you were trying to push aside this bug. I'm glad to hear that is not the case. Thank you.

I have no problem with it being marked as a duplicate of a true bug that is for exactly the same problem. But the last time it was marked duplicate it was for a different problem.

The title of this latest duplicate Bug #221363 looks like it would be the same problem.
Both of these bugs need raised to Highest priority in my opinion.
Users hitting this bug have no idea that it is underlying policykit that is causing all the problem.

Revision history for this message
James Westby (james-w) wrote : Re: [Bug 598909] Re: PolicyKit authentication always fails

On Sat, 03 Jul 2010 16:06:07 -0000, Milan Bouchet-Valat <email address hidden> wrote:
> OK, so that's just the result of a limitation in ConsoleKit. This is a
> major problem, but that's more a feature request than a bug.
>
> If you want, please open a report against the consolekit package - but I
> don't think that will really help improve things, sadly. I'm closing
> this bug because there has been much noise when trying to debug. Opening
> a clear report with the request in the description will be better for
> everybody.

There is already a bug filed against consolekit about this issue. I
don't have the number to hand right now.

Thanks,

James

Revision history for this message
mbrown7776 (mbrown7776) wrote :

This is kind of old, but I just ran into it also.
I ended up finding the GID that was in error, but I also had to do dpkg-reconfigure dbus as a reboot did not seem to correct the issue. After the reconfig and reboot all is well.

Thanks,
Matt
