FFE: Provide some policykit privileges by default on desktops

Bug #455694 reported by Thomas Trummer on 2009-10-19
110
This bug affects 21 people
Affects Status Importance Assigned to Milestone
netbook-meta (Ubuntu)
Undecided
Martin Pitt
Declined for Karmic by Martin Pitt
Lucid
Undecided
Martin Pitt
policykit-desktop-privileges (Ubuntu)
Medium
Martin Pitt
Declined for Karmic by Martin Pitt
Lucid
Medium
Martin Pitt
ubuntu-meta (Ubuntu)
Undecided
Martin Pitt
Declined for Karmic by Martin Pitt
Lucid
Undecided
Martin Pitt
ubuntustudio-meta (Ubuntu)
Medium
Unassigned
Declined for Karmic by Martin Pitt
Lucid
Medium
Unassigned

Bug Description

Please see comment 16 for details of the FFE.

Binary package hint: gnome-applets

This is a regression from Jaunty. It doesn't provide an option for saving the authentication information and requires to enter the password every time a different option is selected.

ProblemType: Bug
Architecture: i386
Date: Mon Oct 19 20:55:20 2009
DistroRelease: Ubuntu 9.10
Package: gnome-applets 2.28.0-0ubuntu1
ProcEnviron:
 LC_TIME=de_DE.UTF-8
 LANGUAGE=en_US.UTF-8
 PATH=(cususername, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: gnome-applets
Uname: Linux 2.6.31-14-generic i686

Thomas Trummer (truetom) wrote :
Sebastien Bacher (seb128) wrote :

Thank you for your bug report. The issue is an upstream one and it would be nice if somebody having it could send the bug the to the people writting the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME)

Changed in gnome-applets (Ubuntu):
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
importance: Undecided → Low
philinux (philcb) wrote :

How do you send a bug upstream?

Changed in gnome-applets (Ubuntu):
status: New → Confirmed

I've the same issue... Sebastien, are you sure this is an upstream bug? Or this is only a misconfiguration of policikit for "org.gnome.cpufreqselector.policy"
See post #5 on http://ubuntuforums.org/showthread.php?t=1299820

Eugene Crosser (crosser) wrote :

I am affected too. I have to change the governor before playing video, and entering password every time is quite annoying.

I fail to see what is the danger of letting an active user to change frequency without authenticating as admin. Why not set 'allow_active' to 'yes' in org.gnome.cpufreqselector.policy ? (is it really upstream?)

Desh Danz (nicoluno) wrote :

Same problem here, though I don't know whether this is a bug or simply a wrong decision about the desktop management policy it's really quite annoying re-enter your password every single time you have to change frequency of your microprocessor after a couple of minutes.
Hope it can be fixed soon!

steros (steros) wrote :

Hi,

i hopefully filed a bug at the correct place here:
https://bugzilla.gnome.org/show_bug.cgi?id=601797

Changed in gnome-applets (Ubuntu):
status: Confirmed → Triaged
steros (steros) wrote :

answer at bugzilla.gnome.org was:

"hmm, I would report it to launchpad then, since it looks like a PolicyKit or
ubuntu issue.

Thanks."

Changed in gnome-applets (Ubuntu):
status: Triaged → New
Bartek Celary (karaphka) wrote :

What is wrong with allowing users changing this setting? Worst things is that machine gets slower... Or maybe I am missing something?

The password prompt is very annoying and I also change this setting quite often. Wouldn't it be better to just change the policy?

CharlieAshford (chezzo) wrote :

See post 5 in this thread for a workaround: http://ubuntuforums.org/showthread.php?t=1299820

upromis (promisman) wrote :

I also have to enter password every time when i want to change cpu speed. The workaround worked.

fontinalis (sfontinalis) wrote :

Confirmed that the workaround did the trick. Thanks mc4man and Charlie! Now I don't feel like I'm doing something bad when I change my CPU freq. Doh! :)

Phillip Susi (psusi) wrote :

Indeed, changing the policy from auth_admin_keep to yes does the trick. The package uses quilt for patch management, but also seems to be maintained in BZR on launchpad so I'm not sure how I should go about submitting the change. Do I make a quilt patch and attach the debdiff here? Do I make a bzr branch on lp and add the quilt patch to that? Or do I just directly make the change on a bzr branch, and link it here?

Changed in gnome-applets (Ubuntu):
status: New → Confirmed
Martin Pitt (pitti) wrote :

I have sort of a personal interest in this as well (so that a friend of mine finally stops complaining :-) ) and it is a part of the PK privileges reshuffling that I still need to do for lucid.

In short, we really want to allow some privileges by default for admins on desktop boxes. Amongst those are mounting internal drives, setting the clock, and changing the CPU frequency.

udisks currently ships a .pkla file for internal drives, but I'd really like to move that into a "policykit-desktop-privileges" package, so that we don't need to provide the privileges by default on servers. This package should then also allow setting the time and CPU frequency.

Changed in gnome-applets (Ubuntu Lucid):
assignee: Ubuntu Desktop Bugs (desktop-bugs) → Martin Pitt (pitti)
importance: Low → Medium
milestone: none → ubuntu-10.04-beta-2
status: Confirmed → Triaged
Martin Pitt (pitti) on 2010-03-16
summary: - CPU Frequency Scaling Monitor asks for authentication all the time
+ Provide some policykit privileges by default on desktops
Changed in gnome-applets:
importance: Unknown → Undecided
status: Unknown → New
affects: gnome-applets → null

We'll build that as a new source, or a new binary from policykit-1. Will discuss with Michael Biebl.

affects: gnome-applets (Ubuntu Lucid) → policykit-1 (Ubuntu Lucid)
Martin Pitt (pitti) on 2010-03-16
summary: - Provide some policykit privileges by default on desktops
+ FFE: Provide some policykit privileges by default on desktops
Martin Pitt (pitti) wrote :

Subscribing release team. This will be a new binary package which will need to be seeded to desktop-common. It will contain one file (see below) which will allow common desktop actions without asking for the password if (1) the user is an administrator, and (2) is on a currently active foreground console.

The udisks privs part is currently shipped by the udisks package, but it's not a good fit there: udisks might eventually be used on servers as well, where such default privileges are not appropriate (they weren't shipped in karmic's devicekit-disks yet). Thus this part is not a behavioural change, just a change in packaging for flexibility.

The CPU frequency scaling is this bug. It's especially noticeable on laptops where people want to have some manual control over CPU scaling, and currently these auth dialogs make this a nuisance.

I also propose to allow changing the time and timezone by default on desktops. But if that is considered evil or questionable by anyone in -release, I'm also happy to back that out for lucid.

# cat /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
[Mounting, checking, etc. of internal drives]
Identity=unix-group:admin
Action=org.freedesktop.udisks.filesystem-*;org.freedesktop.udisks.change-system-internal
ResultActive=yes

[Change CPU Frequency scaling]
Identity=unix-group:admin
Action=org.gnome.cpufreqselector
ResultActive=yes

[Setting the clock]
Identity=unix-group:admin
Action=org.gnome.clockapplet.mechanism.*
ResultActive=yes

So in summary, I request an FFE for the new binary package, and for adding the two new privileges.

description: updated
Martin Pitt (pitti) wrote :

For the record, I dropped "org.freedesktop.udisks.change-system-internal"; repartitioning hard drives isn't such a common task that authorizing it is a nuisance, and it's good to not have it happen accidentally or maliciously.

I added org.freedesktop.udisks.drive-ata-smart*, so that you can run SMART self tests without password.

Martin Pitt (pitti) wrote :

Pushed to lp:~pitti/+junk/policykit-desktop-privileges and the desktop PPA (https://launchpad.net/~ubuntu-desktop/+archive/ppa), and uploaded to NEW queue (we can still reject this in the case that the exception isn't granted).

Steve Langasek (vorlon) wrote :

FFe granted.

Martin Pitt (pitti) on 2010-03-22
Changed in null:
status: New → Invalid
Martin Pitt (pitti) on 2010-03-22
affects: policykit-1 (Ubuntu Lucid) → policykit-desktop-privileges (Ubuntu Lucid)
Changed in policykit-desktop-privileges (Ubuntu Lucid):
status: Triaged → Fix Released
Martin Pitt (pitti) wrote :

I added this package to platform.lucid desktop-common. This needs a couple of -meta rebuilds to work.

Changed in ubuntu-meta (Ubuntu Lucid):
assignee: nobody → Martin Pitt (pitti)
status: New → In Progress
Changed in netbook-meta (Ubuntu Lucid):
status: New → In Progress
assignee: nobody → Martin Pitt (pitti)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-meta - 1.191

---------------
ubuntu-meta (1.191) lucid; urgency=low

  * Refreshed dependencies
  * Added policykit-desktop-privileges to desktop-recommends (LP: #455694)
  * Removed xsplash from desktop
 -- Martin Pitt <email address hidden> Mon, 22 Mar 2010 16:23:23 +0100

Changed in ubuntu-meta (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package netbook-meta - 2.016

---------------
netbook-meta (2.016) lucid; urgency=low

  * Refreshed dependencies
  * Added policykit-desktop-privileges to netbook-recommends (LP: #455694)
  * Removed xsplash from netbook
 -- Martin Pitt <email address hidden> Mon, 22 Mar 2010 16:20:50 +0100

Changed in netbook-meta (Ubuntu Lucid):
status: In Progress → Fix Released
froynlaven (froynlaven) wrote :

upgrade (invoked and completed successfully 25-Mar-2010 15:00 EDT), ubuntustudio 9.10 (karmic koala) 64bit --> ["update-manager -d"] --> ubuntustudio 10.04 (lucid lynx) beta1 64bit.

cpufreq-applet was configured to not require password prior to upgrade.

cpufreq-applet prompts for password on change post-upgrade.

should the existing config have been retained during upgrade?

froynlaven [2010-03-26 15:34 -0000]:
> cpufreq-applet was configured to not require password prior to upgrade.

How did you do that?

> should the existing config have been retained during upgrade?

Depends on how you changed it. However, now you shouldn't need a
password by default. Can you please give me the output of

  pkaction --action-id org.gnome.cpufreqselector --verbose
  pkcheck --action-id org.gnome.cpufreqselector --process $$; echo $?

?
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)

froynlaven (froynlaven) wrote :

my memory is a little fuzzy; i wouldn't stake my life on it, but fairly certain i modified:
/usr/share/polkit-1/actions/org.gnome.cpufreqselector.policy

as per
http://ubuntuforums.org/showthread.php?t=1310034

and changed this:
<defaults>

    <allow_inactive>no</allow_inactive>
    <allow_active>auth_admin_keep</allow_active>

</defaults>

to this:
<defaults>

    <allow_inactive>no</allow_inactive>
    <allow_active>yes</allow_active>

</defaults>

currently,
 rise@noon:/usr/share/polkit-1/actions$ tail -n7 org.gnome.cpufreqselector.policy
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

--------------------

rise@noon:~$ pkaction --action-id org.gnome.cpufreqselector --verbose
org.gnome.cpufreqselector:
  description: Change CPU Frequency scaling
  message: Privileges are required to change the CPU Frequency scaling.
  vendor: The GNOME Project
  vendor_url: http://www.gnome.org/
  icon: gnome-cpu-frequency-applet
  implicit any: no
  implicit inactive: no
  implicit active: auth_admin_keep

--------------------

rise@noon:~$ pkcheck --action-id org.gnome.cpufreqselector --process $$; echo $?
polkit\56retains_authorization_after_challenge=1
Authorization requires authentication and -u wasn't passed.
2

[end]

Martin Pitt (pitti) wrote :

froynlaven [2010-03-26 17:31 -0000]:
> my memory is a little fuzzy; i wouldn't stake my life on it, but fairly certain i modified:
> /usr/share/polkit-1/actions/org.gnome.cpufreqselector.policy

Ah, that would certainly be overwritten by the newer package version
from lucid. Only modifications in /etc stay around.

(for the record, the "sticky" way of modifying PolicyKit permissions
is with man pklocalauthority)

> rise@noon:~$ pkcheck --action-id org.gnome.cpufreqselector --process $$; echo $?
> polkit\56retains_authorization_after_challenge=1
> Authorization requires authentication and -u wasn't passed.

OK, that looks wrong then.

 (1) Is your user in the "admin" group?
 (2) do you have the policykit-desktop-privileges package installed?

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)

froynlaven (froynlaven) wrote :

> froynlaven [2010-03-26 17:31 -0000]:
>> my memory is a little fuzzy; i wouldn't stake my life on it, but fairly certain i modified:
>> /usr/share/polkit-1/actions/org.gnome.cpufreqselector.policy
>
> Ah, that would certainly be overwritten by the newer package version
> from lucid. Only modifications in /etc stay around.
>
> (for the record, the "sticky" way of modifying PolicyKit permissions
> is with man pklocalauthority)

got it. learned something new. thanks :)

>
>> rise@noon:~$ pkcheck --action-id org.gnome.cpufreqselector --process $$; echo $?
>> polkit\56retains_authorization_after_challenge=1
>> Authorization requires authentication and -u wasn't passed.
>
> OK, that looks wrong then.
>
> (1) Is your user in the "admin" group?

appears to be:
rise@noon:~$ sudo groups rise
rise : rise adm dialout cdrom audio plugdev lpadmin admin sambashare

> (2) do you have the policykit-desktop-privileges package installed?
>

apparently not:
rise@noon:~$ sudo aptitude search policykit-desktop-privileges
p policykit-desktop-privileges - run common desktop actions without password

[end]

Martin Pitt (pitti) wrote :

Ah, please install policykit-desktop-privileges then. It is a recommends of ubuntu-desktop these days, so you should have it.

froynlaven (froynlaven) wrote :

thanks, martin.
i inquired on the support channel (#ubuntu+1). it seems policykit-desktop-privileges is not included by default in ubuntustudio. i can understand that, given what ubuntustudio is designed for.

/*
Mar 27 15:22:51 <xcv> greets! lobbed this question into the ubuntustudio room a couple of hours ago, no reply yet. ubuntustudio lucid 64bit beta1 (upgrade from karmic) my question -- package policykit-desktop-privileges is or is not included with the ubuntustudio lucid by default? trying to figure out if I need to report a bug.
Mar 27 15:26:28 <yofel> xcv: according to apt-cache the only packages that recommend polkit-d-priv are ubuntu-desktop and -netbook, so I don't think it's included
Mar 27 15:28:03 <xcv> yofel: thanks. not a bug, then :)
*/

[end]

Martin Pitt (pitti) wrote :

I think it should be included by default. I can't do that myself, though, since I cannot commit to the ubuntustudio seeds. Assigning to ubuntustudio developers.

Changed in ubuntustudio-meta (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Triaged
Curtis Hovey (sinzui) on 2011-11-11
no longer affects: null
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in ubuntustudio-meta (Ubuntu Lucid):
status: Triaged → Won't Fix
Ross Gammon (rosco2) wrote :

policykit-desktop-privileges is seeded in Ubuntu Studio (probably for a while now). It is pulled in by desktop-common, which is pulled on by the Ubuntu Studio desktop seed.

Changed in ubuntustudio-meta (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.