Polkitd (Policy Kit Daemon) in Trixie ... getting rid of "Authentication is required to create a color profile"

Debian

On the way to Trixie, polkitd (Policy Kit Daemon) has lost the functionality to evaluate its .pkla (Polkit Local Authority) files.

$ zcat /usr/share/doc/polkitd/NEWS.Debian.gz 
policykit-1 (121+compat0.1-2) experimental; urgency=medium

  This version of polkit changes the syntax used for local policy rules:
  it is now the same JavaScript-based format used by the upstream polkit
  project and by other Linux distributions.

  System administrators can override the default security policy by
  installing local policy overrides into /etc/polkit-1/rules.d/*.rules,
  which can either make the policy more restrictive or more
  permissive. Some sample policy rules can be found in the
  /usr/share/doc/polkitd/examples directory. Please see polkit(8) for
  more details.

  Some Debian packages include security policy overrides, typically to
  allow members of the sudo group to carry out limited administrative
  actions without re-authenticating. These packages should install their
  rules as /usr/share/polkit-1/rules.d/*.rules. Typical examples can be
  found in packages like flatpak, network-manager and systemd.

  Older Debian releases used the "local authority" rules format from
  upstream version 0.105 (.pkla files with an .desktop-like syntax,
  installed into subdirectories of /etc/polkit-1/localauthority
  or /var/lib/polkit-1/localauthority). The polkitd-pkla package
  provides compatibility with these files: if it is installed, they
  will be processed at a higher priority than most .rules files. If the
  polkitd-pkla package is removed, .pkla files will no longer be used.

 -- Simon McVittie   Wed, 14 Sep 2022 21:33:22 +0100

This applies now to the polkitd version 126-2 destined for Trixie.

The most prominent issue is that you will get an error message: "Authentication is required to create a color profile" asking for the root(!) password every time you remotely log into a Debian Trixie system via RDP, x2go or the like.

This used to be mendable with a .pkla file dropped into /etc/polkit-1/localauthority/50-local.d/ ... but these .pkla files are void now and need to be replaced with a JavaScript "rules" file.

The background to this is quite a fascinating read ... 13 years later:
https://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html

The solution has been listed on DevAnswers, as other distros (Fedora, Arch Linux, openSUSE) have been faster to deprecate the .pkla files and require .rules files. I amended the solution given there with a check for root, so that root is automatically authenticated, too.

So, create a 50-color-manager.rules file in /etc/polkit-1/rules.d/:

polkit.addRule(function(action, subject) {
    if (action.id.startsWith("org.freedesktop.color-manager.") && (subject.isInGroup("users") || (subject.user == "root"))) {
        return polkit.Result.YES;
    }
});

and run systemctl restart polkit.
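
To check what the rule grants before dropping it into /etc/polkit-1/rules.d/, it can be run against a small stand-in for the polkit rules API. This is an added example, not part of the original post or of polkit itself; makePolkit, subjectOf, loadColorManagerRule and decide are hypothetical helper names, and the users, groups and non-colord action ids are constructed.

```javascript
// Added example: minimal stand-in for the parts of the polkit rules API that the
// rule on this page uses (polkit.addRule, polkit.Result, action.id, subject.user,
// subject.isInGroup). All helper names are hypothetical.
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    addRule(fn) { rules.push(fn); },
    // polkit(8): rule functions run in the order added until one returns a value.
    evaluate(action, subject) {
      for (const rule of rules) {
        const result = rule(action, subject);
        if (result !== undefined && result !== null) return result;
      }
      return this.Result.NOT_HANDLED; // real polkitd then uses the .policy defaults
    },
  };
}

// Constructed subject: only the user name and group membership are modelled.
function subjectOf(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

// The rule from 50-color-manager.rules, unchanged, registered on the mock.
function loadColorManagerRule(polkit) {
  polkit.addRule(function(action, subject) {
    if (action.id.startsWith("org.freedesktop.color-manager.") &&
        (subject.isInGroup("users") || (subject.user == "root"))) {
      return polkit.Result.YES;
    }
  });
}

function decide(actionId, user, groups) {
  const polkit = makePolkit();
  loadColorManagerRule(polkit);
  return polkit.evaluate({ id: actionId }, subjectOf(user, groups));
}

// Constructed cases: the grant must stay limited to colord actions and to
// members of "users" or root; everything else must fall through.
const cases = [
  ["org.freedesktop.color-manager.create-profile", "alice", ["users"]],
  ["org.freedesktop.color-manager.create-profile", "root", []],
  ["org.freedesktop.color-manager.create-profile", "svc", ["nogroup"]],
  ["org.freedesktop.color-manager-extra.create-profile", "alice", ["users"]],
  ["org.example.other.action", "alice", ["users"]],
];
for (const [id, user, groups] of cases) {
  console.log(`${user.padEnd(6)} ${id} -> ${decide(id, user, groups)}`);
}
```

The trailing dot in the prefix is what keeps a similarly named action namespace (fourth case) from being matched by the same grant.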

You should be good until polkit is rewritten in Rust.

Comments

Timo Lindfors on :

Gdm and gnome in Debian 13 support headless remote desktops that you can connect with RDP. I don't recall seeing these colord warnings anymore after upgrading, I suppose these sessions are somehow more "normal"?

Daniel Lange on :

Maybe something got fixed in this setup, there's https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970211 reporting the GDM XDMCP to be showing the error. And no follow-ups for 5 years, of course.

I saw the "colord needs authentication" bug re-surface right after the Trixie upgrade. I use RDP without GNOME and x2go to connect to remote systems. The polkitd-pkla package was removed during upgrade and it was dropped from the polkitd packages built for Trixie completely. Hence my /etc/polkit-1/localauthority/50-local.d/color-manager.pkla wasn't read any more. I had used that for 5+ years to mend the bug on various systems.

I replaced this with the /etc/polkit-1/rules.d/50-color-manager.rules as detailed in the blog article. All well again.

Timo Lindfors on :

On my system gdm is apparently speaking wayland so XDMCP is not involved at all.

Kelly on :

JS? For fucks sake, why? If you must replace a config format with a Turing complete language (seems like a bad idea in general...), there are so many better options. C. Python. Perl. Lua. Guile. Hell, bust out some Prolog or Haskell, I'd rather mess with that than JS

Kelly on :

Wow. 2012. just a few years after the first versions of node, and long before JS consumed the world. And being before node took over, he used spidermonkey.

The first requirement clearly indicates that we want some kind of programming language. However, inventing your own programming language is rarely a good idea so I decided to just embed a JavaScript interpreter (specifically SpiderMonkey) and try that out.

I mean yeah, inventing your own language can be a bad idea... though DSLs definitely have a place... But that doesn't excuse JS and spidermonkey when things like Lua are right there
