Comment 0 for bug 1757266

TJ (tj) wrote :

On 16.04 and using the Xubuntu session (this isn't limited to XFCE) I noticed that my notebook fails to suspend via power-management when the idle timeout expires. When returning to it, if it still has power, I see a polkit-agent GUI dialog asking me to authenticate.

In /var/log/auth.log is:

polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action org.freedesktop.login1.suspend for system-bus-name::1.47 [xfce4-power-manager --restart --sm-client-id 2992705d4-6fa2-4fba-966c-f7631ecd0b46] (owned by unix-user:tj)

So I started digging:

# inactive sleep is enabled
$ xfconf-query -c xfce4-power-manager -lv | grep inactivity
/xfce4-power-manager/inactivity-on-ac 14
/xfce4-power-manager/inactivity-on-battery 15
/xfce4-power-manager/inactivity-sleep-mode-on-battery 1

$ awk '/login1\.suspend"/ {E=1;print} /defaults/ && E == 1 {E++} E > 1 {print} /<\/action>/ && E > 1 {exit}' /usr/share/polkit-1/actions/org.freedesktop.login1.policy
        <action id="org.freedesktop.login1.suspend">
                <defaults>
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
                </defaults>
        </action>

# member of sudo and adm
$ groups
tj adm dialout cdrom sudo dip plugdev lpadmin sambashare sbuild lxd libvirtd two_factor_auth

$ sudo find /etc/polkit-1/ -type f -exec sh -c 'echo === {} ===; cat {}' \; | egrep -v '^(#|$)'
=== /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla ===
[Enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
ResultInactive=yes
[Enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes
ResultInactive=yes
=== /etc/polkit-1/nullbackend.conf.d/50-nullbackend.conf ===
[Configuration]
Priority=-10
=== /etc/polkit-1/localauthority.conf.d/51-localauthority.conf ===
[Configuration]
AdminIdentities=unix-user:0
=== /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf ===
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
=== /etc/polkit-1/localauthority.conf.d/50-localauthority.conf ===
[Configuration]
AdminIdentities=unix-user:0

The ubuntu-admin.conf policy sets AdminIdentities to include group 'sudo' but seems to be ignored.

"man 8 pklocalauthority" states that these files are parsed in C locale lexical order, and gives examples of "...given the name 60-desktop-policy.conf to ensure that it is evaluated after the 50-localauthority.conf file shipped with PolicyKit."

However:

$ sudo inotifywait -r -m /etc/polkit-1/localauthority.conf.d
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/etc/polkit-1/localauthority.conf.d/ OPEN,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE,ISDIR
/etc/polkit-1/localauthority.conf.d/ OPEN 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 50-localauthority.conf

This seems to show that the sort order might be high-low not low-high (unless they're sorted once in memory).

In view of the fact that ubuntu-admin.conf appears to be ignored, I suspect 50-localauthority.conf is replacing the ubuntu conf with the default:

AdminIdentities=unix-group:sudo;unix-group:admin
AdminIdentities=unix-user:0
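
The following is an added example, not part of the original report or of polkit itself: a small resolver that shows which localauthority.conf.d file would supply AdminIdentities under each of the two read orders discussed above. It assumes that the file read last wins for a repeated key; the function names are hypothetical and the sample directory is constructed from the file contents quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.
# Assumption: for a key set in several files, the file read last wins.

# Print "<file>\t<AdminIdentities>" for the setting that survives when the
# *.conf files in DIR are read in C-locale order ("reverse" flips the order).
effective_admin_identities() {
    dir=$1
    sort_flag=
    if [ "${2:-forward}" = reverse ]; then sort_flag=-r; fi
    ls -1 "$dir" | grep '\.conf$' | LC_ALL=C sort $sort_flag | {
        winner=
        result=
        while IFS= read -r f; do
            # Only AdminIdentities inside the [Configuration] group counts.
            value=$(awk -F= '
                /^\[/ { in_cfg = ($0 == "[Configuration]"); next }
                in_cfg && $1 == "AdminIdentities" {
                    v = substr($0, index($0, "=") + 1)
                }
                END { if (v != "") print v }' "$dir/$f")
            if [ -n "$value" ]; then
                winner=$f
                result=$value
            fi
        done
        printf '%s\t%s\n' "$winner" "$result"
    }
}

# Constructed sample: the three localauthority.conf.d files quoted in the report.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$d/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$d/51-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n' > "$d/51-ubuntu-admin.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "low-to-high: $(effective_admin_identities "$sample")"
echo "high-to-low: $(effective_admin_identities "$sample" reverse)"
rm -rf "$sample"
```

To check a live system, call `effective_admin_identities /etc/polkit-1/localauthority.conf.d` (with read access to that directory) and compare the result with the group membership of the account that is being prompted.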