On the way to Trixie, polkitd (Policy Kit Daemon) has lost the functionality to evaluate its .pkla (Polkit Local Authority) files.
$ zcat /usr/share/doc/polkitd/NEWS.Debian.gz
policykit-1 (121+compat0.1-2) experimental; urgency=medium
This version of polkit changes the syntax used for local policy rules:
it is now the same JavaScript-based format used by the upstream polkit
project and by other Linux distributions.
System administrators can override the default security policy by
installing local policy overrides into /etc/polkit-1/rules.d/*.rules,
which can either make the policy more restrictive or more
permissive. Some sample policy rules can be found in the
/usr/share/doc/polkitd/examples directory. Please see polkit(8) for
more details.
Some Debian packages include security policy overrides, typically to
allow members of the sudo group to carry out limited administrative
actions without re-authenticating. These packages should install their
rules as /usr/share/polkit-1/rules.d/*.rules. Typical examples can be
found in packages like flatpak, network-manager and systemd.
Older Debian releases used the "local authority" rules format from
upstream version 0.105 (.pkla files with an .desktop-like syntax,
installed into subdirectories of /etc/polkit-1/localauthority
or /var/lib/polkit-1/localauthority). The polkitd-pkla package
provides compatibility with these files: if it is installed, they
will be processed at a higher priority than most .rules files. If the
polkitd-pkla package is removed, .pkla files will no longer be used.
-- Simon McVittie Wed, 14 Sep 2022 21:33:22 +0100
This applies now to the polkitd version 126-2 destined for Trixie.
The most prominent issue is that you will get an error message:
"Authentication is required to create a color profile" asking for the root(!) password every time you remotely log into a Debian Trixie system via RDP, x2go or the like.
This used to be mendable with a .pkla file dropped into /etc/polkit-1/localauthority/50-local.d/
... but these .pkla files are void now and need to be replace with a Javascript "rules" file.
The background to his is quite a fascinating read ... 13 years later:
https://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html
The solution has been listed in DevAnswers as other distros (Fedora, ArchLinux, OpenSuse) have been faster to depreciate the .pkla files and require .rules files.
I amended the solution given there with checking for root to be automatically authenticated, too.
So, create a 50-color-manager.rules
file in /etc/polkit-1/rules.d/
:
polkit.addRule(function(action, subject) {
if (action.id.startsWith("org.freedesktop.color-manager.") && (subject.isInGroup("users") || (subject.user == "root"))) {
return polkit.Result.YES;
}
});
and run systemctl restart polkit
.
You should be good until polkit is rewritten in Rust.