On 16.04 and using the Xubuntu session (this isn't limited to XFCE) I noticed that my notebook fails to suspend via power-management when the idle timeout expires. When returning to it, if it still has power, I see a polkit-agent GUI dialog asking me to authenticate.
In /var/log/auth.log is:
polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action org.freedesktop.login1.suspend for system-bus-name::1.47 [xfce4-power-manager --restart --sm-client-id 2992705d4-6fa2-4fba-966c-f7631ecd0b46] (owned by unix-user:tj)
ubuntu-admin.conf policy sets AdminIdentities to include group 'sudo' but seems to be ignored
"man 8 pklocalauthority" states that these files are parsed in C locale lexical order, and gives examples of "...given the name 60-desktop-policy.conf to ensure that it is evaluted after the 50-localauthority.conf file shipped with PolicyKit."
However:
$ sudo inotifywait -r -m /etc/polkit-1/localauthority.conf.d
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/etc/polkit-1/localauthority.conf.d/ OPEN,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ ACCESS,ISDIR
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE,ISDIR
/etc/polkit-1/localauthority.conf.d/ OPEN 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-ubuntu-admin.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 51-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ OPEN 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ ACCESS 50-localauthority.conf
/etc/polkit-1/localauthority.conf.d/ CLOSE_NOWRITE,CLOSE 50-localauthority.conf
This seems to show that the sort order might be high-low not low-high (unless they're sorted once in memory).
In view of the fact that ubutun-admin.conf appears to be ignored I suspect 50-localauthority.conf is replacing the ubuntu conf with the default:
On 16.04 and using the Xubuntu session (this isn't limited to XFCE) I noticed that my notebook fails to suspend via power-management when the idle timeout expires. When returning to it, if it still has power, I see a polkit-agent GUI dialog asking me to authenticate.
In /var/log/auth.log is:
polkitd( authority= local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action org.freedesktop .login1. suspend for system- bus-name: :1.47 [xfce4- power-manager --restart --sm-client-id 2992705d4- 6fa2-4fba- 966c-f7631ecd0b 46] (owned by unix-user:tj)
So I started digging:
# inactive sleep is enabled power-manager/ inactivity- on-ac 14 power-manager/ inactivity- on-battery 15 power-manager/ inactivity- sleep-mode- on-battery 1
$ xfconf-query -c xfce4-power-manager -lv | grep inactivity
/xfce4-
/xfce4-
/xfce4-
$ awk '/login1\.suspend"/ {E=1;print} /defaults/ && E == 1 {E++} E > 1 {print} /<\/action>/ && E > 1 {exit}' /usr/share/ polkit- 1/actions/ org.freedesktop .login1. policy freedesktop. login1. suspend" >
<defaults>
<allow_ any>auth_ admin_keep< /allow_ any>
<allow_ inactive> auth_admin_ keep</allow_ inactive>
<allow_ active> yes</allow_ active>
</defaults>
<action id="org.
</action>
# member of sudo and adm
$ groups
tj adm dialout cdrom sudo dip plugdev lpadmin sambashare sbuild lxd libvirtd two_factor_auth
$ sudo find /etc/polkit-1/ -type f -exec sh -c 'echo === {} ===; cat {}' \; | egrep -v '^(#|$)' 1/localauthorit y/50-local. d/com.ubuntu. desktop. pkla === unix-user: * org.freedesktop .upower. hibernate unix-user: * org.freedesktop .login1. hibernate; org.freedesktop .login1. handle- hibernate- key;org. freedesktop. login1; org.freedesktop .login1. hibernate- multiple- sessions; org.freedesktop .login1. hibernate- ignore- inhibit 1/nullbackend. conf.d/ 50-nullbackend. conf === 1/localauthorit y.conf. d/51-localautho rity.conf === =unix-user: 0 1/localauthorit y.conf. d/51-ubuntu- admin.conf === =unix-group: sudo;unix- group:admin 1/localauthorit y.conf. d/50-localautho rity.conf === =unix-user: 0
=== /etc/polkit-
[Enable hibernate by default in upower]
Identity=
Action=
ResultActive=yes
ResultInactive=yes
[Enable hibernate by default in logind]
Identity=
Action=
ResultActive=yes
ResultInactive=yes
=== /etc/polkit-
[Configuration]
Priority=-10
=== /etc/polkit-
[Configuration]
AdminIdentities
=== /etc/polkit-
[Configuration]
AdminIdentities
=== /etc/polkit-
[Configuration]
AdminIdentities
ubuntu-admin.conf policy sets AdminIdentities to include group 'sudo' but seems to be ignored
"man 8 pklocalauthority" states that these files are parsed in C locale lexical order, and gives examples of "...given the name 60-desktop- policy. conf to ensure that it is evaluted after the 50-localauthori ty.conf file shipped with PolicyKit."
However:
$ sudo inotifywait -r -m /etc/polkit- 1/localauthorit y.conf. d 1/localauthorit y.conf. d/ OPEN,ISDIR 1/localauthorit y.conf. d/ ACCESS,ISDIR 1/localauthorit y.conf. d/ ACCESS,ISDIR 1/localauthorit y.conf. d/ CLOSE_NOWRITE, CLOSE,ISDIR 1/localauthorit y.conf. d/ OPEN 51-ubuntu- admin.conf 1/localauthorit y.conf. d/ ACCESS 51-ubuntu- admin.conf 1/localauthorit y.conf. d/ CLOSE_NOWRITE,CLOSE 51-ubuntu- admin.conf 1/localauthorit y.conf. d/ OPEN 51-localauthori ty.conf 1/localauthorit y.conf. d/ ACCESS 51-localauthori ty.conf 1/localauthorit y.conf. d/ CLOSE_NOWRITE,CLOSE 51-localauthori ty.conf 1/localauthorit y.conf. d/ OPEN 50-localauthori ty.conf 1/localauthorit y.conf. d/ ACCESS 50-localauthori ty.conf 1/localauthorit y.conf. d/ CLOSE_NOWRITE,CLOSE 50-localauthori ty.conf
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
/etc/polkit-
This seems to show that the sort order might be high-low not low-high (unless they're sorted once in memory).
In view of the fact that ubutun-admin.conf appears to be ignored I suspect 50-localauthori ty.conf is replacing the ubuntu conf with the default:
AdminIdentities =unix-group: sudo;unix- group:admin =unix-user: 0
AdminIdentities