[blfs-support] Another Polkit Action Problem

Armin K. krejzi at email.com
Fri Dec 13 12:31:12 PST 2013


On 13.12.2013 19:30, Dan McGhee wrote:
> On 12/13/2013 12:00 PM, Armin K. wrote:
>> On 12/13/2013 06:58 PM, Dan McGhee wrote:
>>> On 12/13/2013 11:23 AM, Armin K. wrote:
>>>> On 12/13/2013 06:18 PM, Dan McGhee wrote:
>>>>> Well, it seems that the knowledge I gained over the last few days about
>>>>> polkit and how to configure it isn't quite good enough yet.
>>>>>
>>>>> As I stated in the other thread there were two applications which need
>>>>> authorization to run and which I want to run from a menu selection in
>>>>> xfce4: gparted and Catalyst Control Center.  The latter configures my
>>>>> Radeon chip.  Gparted works fine--thanks, Armin.  But when selecting
>>>>> "Catalyst Control Center-Administrative" from the menu, nothing happens.
>>>>>
>>>>> The application is called "amdcccle," but invoking that gets only the
>>>>> "non-privileged" version to adjust brightness, contrast and color.  The
>>>>> privileged version is called "amdccclesu" which is actually an alias for
>>>>> <amdxdg-su -c amdcccle>.  The amdxdg-su is a "wrapper" GUI that requires
>>>>> "superuser" privileges.  Each is called from the menu by its own
>>>>> .desktop file.
>>>>>
>>>>> When I run <pkexec amdxdg-su -c amdcccle> from a terminal I get the
>>>>> dialogue that requires my password.  But when I enter my password and
>>>>> <Enter> nothing happens and I get the message in the terminal:
>>>>>
>>>>>> Failed to open connection to "session" message bus: Using X11 for
>>>>>> dbus-daemon autolaunch was disabled at compile time, set your
>>>>>> DBUS_SESSION_BUS_ADDRESS instead
>>>>>> xprop:  unable to open display ''
>>>>>> amdxdg-su: no graphical method available for invoking 'amdcccle' as 'root'
>>>>> This is reminiscent of the situation the other day, which I solved, with
>>>>> gparted and polkit, gnome-polkit and consolekit.  In addtion, when I
>>>>> open the "Details" drop down in the authentification window I see:
>>>>>
>>>>>> Action: org.freedesktop.policykit.exec
>>>>> as opposed to what I see when I run <pkexec gparted> in a terminal:
>>>>>
>>>>>> Action: org.freedesktop.policykit.pkexec.run-gparted
>>>>> I would have expected the "Action" statement in the details for
>>>>> authenticating amdxdg-su to be
>>>>> "org.freedeskto.policykit.pkexec.run-amdxdg-su".  Since I didn't get
>>>>> that, I think that there is something wrong in the pkexec policy file.
>>>>>
>>>>> Here is /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy:
>>>>>
>>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>>> <!DOCTYPE policyconfig PUBLIC
>>>>>>     "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
>>>>>>     "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
>>>>>> <policyconfig>
>>>>>>
>>>>>>      <action id="org.freedesktop.policykit.pkexec.run-gparted">
>>>>>>        <description>Run GParted</description>
>>>>>>        <message>Authentication is required to run GParted</message>
>>>>>>        <defaults>
>>>>>>          <allow_any>no</allow_any>
>>>>>>          <allow_inactive>no</allow_inactive>
>>>>>>          <allow_active>auth_admin_keep</allow_active>
>>>>>>        </defaults>
>>>>>>        <annotate
>>>>>> key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
>>>>>>        <annotate
>>>>>> key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
>>>>>>      </action>
>>>>>>
>>>>>>
>>>>>>      <action id="org.freedesktop.policykit.pkexec.run-amdxdg-su">
>>>>>>        <description>Run Catalyst Control Center</description>
>>>>>>        <message>Authentication is required to run Catalyst Control
>>>>>> Center</message>
>>>>>>        <defaults>
>>>>>>          <allow_any>no</allow_any>
>>>>>>          <allow_inactive>no</allow_inactive>
>>>>>>          <allow_active>auth_admin_keep</allow_active>
>>>>>>        </defaults>
>>>>>>        <annotate
>>>>>> key="org.freedesktop.policykit.exec.path">/usr/bin/amdxdg-su -c
>>>>>> amdccle</annotate>
>>>>>>        <annotate
>>>>>> key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
>>>>>>      </action>
>>>>>>
>>>>>> </policyconfig>
>>>> well. for a start I'd suggest keeping these two seperate. Not that it
>>>> would matter much. Second, you want to run amdcccle GUI program, not
>>>> amdxdg-su, which does EXACTLY what pkexec does, but amdxdg-su appears to
>>>> invoke gksu/gksudo. Saying so, you need to change this in the file above:
>>>>
>>>>>> key="org.freedesktop.policykit.exec.path">/usr/bin/amdxdg-su -c
>>>>>> amdccle</annotate>
>>>> to the full path to amdcccle executable.
>>>>
>>>> key="org.freedesktop.policykit.exec.path">/usr/bin/amdcccle</annotate>
>>>>
>>>> This means you want to drop amdxdg-su everywhere in the instructions
>>>> here which would make:
>>>>
>>>>> This is the same file I created the other day to get gparted to run from
>>>>> menu.  I "copied and pasted" the gparted <action>.....</action> and made
>>>>> the changes that I thought I needed for "amdxdg-su -c amdcccle".  The
>>>>> only difference I can see is the space-separted words in the "exec.path"
>>>>> line.  Should the spaces be "escaped" somhow?  (I would try that but I
>>>>> don't know the syntax for an XML file.)  Also, I don't know if the whole
>>>>> command should be in the "run-amdxdg-su"  line.  I just thought this
>>>>> particular item was a name of sorts.
>>>>>
>>>>> And here is the "Exec" line from the .desktop file.
>>>>>
>>>> This one:
>>>>
>>>>>> Exec=pkexec amdxdg-su -c amdcccle
>>>> Into this one:
>>>>
>>>> Exec=pkexec amdcccle
>>>>
>>> Didn't work. Didn't work after I changed things back to the way they
>>> were and corrected the typo in the action file from "amdccle" to "amdcccle."
>>>
>> Then you might want try to use full path to amdcccle in the desktop
>> file, like
>>
>> Exec=pkexec /usr/bin/amdcccle
>>
>>> One thing did change. This is with the changes you suggested in place.
>>> When I ran "pkexec amdcccle" I got the administrative gui without having
>>> to enter my password.
> Invoking the administrative gui from the menu still does not work--with
> or without the full path to amdcccle. But, and this must have been a
> typo somewhere, when I run <pkexec amdcccle> all works like it should.
>

Hm, this is interesting, however:

> Armin, I don't know if you're working on a "try this" basis. Hopefully
> to save us both some time and possible aggravation, I'm working on
> installing Qt 4 right now. When I'm done, I'll use the dbus "thing" I
> found in the article, to which David posted a link the other day, and
> try to see from the dbus messages what's going on--unless you have
> another way of trying to generate info for this. I get no messages
> whatsoever right now whether successfully calling this from the command
> line or unsuccessfully calling it from the menu.
>
> Dan
>

Desktop environment dumps the errors on stderr in case its started with 
startx/xinit. You can redirect stderr to a file when you run startx and 
examine it after you try to start amdcccle from the menu. When using a 
display maanager such as kdm or lightdm, stderr is redirected to 
$HOME/.xsession-errors, while on gdm is redirected to journal.



More information about the blfs-support mailing list