Polkitd (Policy Kit Daemon) in Trixie ... getting rid of "Authentication is required to create a color profile"

On the way to Trixie, polkitd (Policy Kit Daemon) has lost the functionality to evaluate its .pkla (Polkit Local Authority) files.
$ zcat /usr/share/doc/polkitd/NEWS.Debian.gz policykit-1 (121+compat0.1-2) experimental; urgency=medium This version of polkit changes the syntax used for local policy rules: it is now the same JavaScript-based format used by the upstream polkit project and by other Linux distributions. System administrators can override the default security policy by installing local policy overrides into /etc/polkit-1/rules.d/*.rules, which can either make the policy more restrictive or more permissive. Some sample policy rules can be found in the /usr/share/doc/polkitd/examples directory. Please see polkit(8) for more details. Some Debian packages include security policy overrides, typically to allow members of the sudo group to carry out limited administrative actions without re-authenticating. These packages should install their rules as /usr/share/polkit-1/rules.d/*.rules. Typical examples can be found in packages like flatpak, network-manager and systemd. Older Debian releases used the "local authority" rules format from upstream version 0.105 (.pkla files with an .desktop-like syntax, installed into subdirectories of /etc/polkit-1/localauthority or /var/lib/polkit-1/localauthority). The polkitd-pkla package provides compatibility with these files: if it is installed, they will be processed at a higher priority than most .rules files. If the polkitd-pkla package is removed, .pkla files will no longer be used. -- Simon McVittieWed, 14 Sep 2022 21:33:22 +0100
This applies now to the polkitd version 126-2 destined for Trixie.
The most prominent issue is that you will get an error message: "Authentication is required to create a color profile" asking for the root(!) password every time you remotely log into a Debian Trixie system via RDP, x2go or the like.
This used to be mendable with a .pkla file dropped into /etc/polkit-1/localauthority/50-local.d/
... but these .pkla files are void now and need to be replace with a Javascript "rules" file.
The background to his is quite a fascinating read ... 13 years later:
https://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html
The solution has been listed in DevAnswers as other distros (Fedora, ArchLinux, OpenSuse) have been faster to depreciate the .pkla files and require .rules files. I amended the solution given there with checking for root to be automatically authenticated, too.
So, create a 50-color-manager.rules
file in /etc/polkit-1/rules.d/
:
if (action.id.startsWith("org.freedesktop.color-manager.") && (subject.isInGroup("users") || (subject.user == "root"))) {
return polkit.Result.YES;
}
});
and run systemctl restart polkit
.
You should be good until polkit is rewritten in Rust.
Comments
Display comments as Linear | Threaded
Timo Lindfors on :
Gdm and gnome in Debian 13 support headless remote desktops that you can connect with RDP. I don't recall seeing these colord warnings anymore after upgrading, I suppose these sessions are somehow more "normal"?
Daniel Lange on :
May be something got fixed in this setup, there's https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970211 reporting the GDM XDMCP to be showing the error. And no follow-ups for 5 years, of course.
I saw the "colord needs authentication" bug re-surface right after the Trixie upgrade. I use RDP without GNOME and x2go to connect to remote systems. The
polkitd-pkla
package was removed during upgrade and it was dropped from thepolkitd
packages built for Trixie completely. Hence my/etc/polkit-1/localauthority/50-local.d/color-manager.pkla
wasn't read any more. I had used that for 5+ years to mend the bug on various systems.I replaced this with the
/etc/polkit-1/rules.d/50-color-manager.rules
as detailed in the blog article. All well again.Timo Lindfors on :
On my system gdm is apparently speaking wayland so XDMCP is not involved at all.
Kelly on :
JS? For fucks sake, why? If you must replace a config format with a Turing complete language (seems like a bad idea in general...), there are so many better options. C. Python. Perl. Lua. Guile. Hell, bust out some Prolog or Haskell, I'd rather mess with that than JS
Kelly on :
Wow. 2012. just a few years after the first versions of node, and long before JS consumed the world. And being before node took over, he used spidermonkey.
I mean yeah, inventing your own language can be a bad idea... though DSLs definitely have a place... But that doesn't excuse JS and spidermonkey when things like Lua are right there