gui window for ask user password not everywhere work (polkit not work on hardened Linux) #2756

Open
1223421 opened this issue Jan 7, 2023 · 48 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@1223421

1223421 commented Jan 7, 2023

Describe the bug you encountered:

I can't change settings

What did you expect to happen instead?

change settings

How did you install RustDesk?

github night release rustdesk-1.2.0-0-x86_64.pkg.tar.zst


RustDesk version and environment

1.2.0-0
Gentoo, xfce4.

The GUI window that asks for the user password does not work everywhere, and this is a really bad idea; I don't want to write my password to change settings, it's bad.

this_is_not_everywhere_work

@1223421 1223421 added the bug Something isn't working label Jan 7, 2023
@rustdesk
Owner

rustdesk commented Jan 7, 2023

@21pages need to test on xfce, or even gentoo xfce4.

@21pages
Collaborator

21pages commented Jan 8, 2023

Did you input the correct password and it did not pass, or did the permission message box not pop up? What about typing pkexec echo in a terminal?

pub fn check_super_user_permission() -> ResultType<bool> {

@1223421
Author

1223421 commented Jan 8, 2023

Did you input the correct password and it did not pass, or did the permission message box not pop up? What about typing pkexec echo in a terminal?

pub fn check_super_user_permission() -> ResultType<bool> {

OK, I fixed my problem by turning this on in autorun settings:
QSvMKiEtWttfd2EzJN6APhLPgvB3ar2l

But I really think this is a bad idea -- asking for a password for this. You ruin a great program by this :(

@1223421 1223421 closed this as completed Jan 8, 2023
@rustdesk
Copy link
Owner

rustdesk commented Jan 8, 2023

autorun settings

@21pages can we check if this is turned on and ask users to turn it on?

@rustdesk rustdesk reopened this Jan 8, 2023
@1223421
Author

1223421 commented Jan 8, 2023

autorun settings

@21pages can we check if this is turned on and ask users to turn it on?

This starts "/usr/libexec/polkit-gnome-authentication-agent-1" in the user session, maybe you can check it; it is turned on by default, I turned it off because I don't need it...

@rustdesk
Owner

rustdesk commented Jan 8, 2023

Why do you turn it off?

@1223421
Author

1223421 commented Jan 8, 2023

Why do you turn it off?

I am paranoid 🙃

@rustdesk
Owner

rustdesk commented Jan 8, 2023

I am paranoid

Perfect.

@21pages
Collaborator

21pages commented Jan 8, 2023

autorun settings

@21pages can we check if this is turned on and ask users to turn it on?

check polkitd daemon process
https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html

@rustdesk
Owner

rustdesk commented Jan 8, 2023

@21pages let me handle this

@rustdesk
Owner

rustdesk commented Jan 8, 2023

/usr/libexec/polkit-gnome-authentication-agent-1
@143981 Can you check which process it is? On Ubuntu, it is /usr/lib/policykit-1/polkitd.

@1223421
Author

1223421 commented Jan 8, 2023

/usr/libexec/polkit-gnome-authentication-agent-1
@143981 Can you check which process it is? On Ubuntu, it is /usr/lib/policykit-1/polkitd.

$ ps ax | grep polkit
839 ? Ssl 0:01 /usr/lib/polkit-1/polkitd --no-debug
52287 ? Sl 0:00 /usr/libexec/polkit-gnome-authentication-agent-1

polkitd -- started by root (systemd)
/usr/libexec/polkit-gnome-authentication-agent-1 -- user

@rustdesk
Owner

rustdesk commented Jan 8, 2023

@143981 Thanks, how about if you turn polkit off?

@rustdesk
Owner

rustdesk commented Jan 8, 2023

QSvMKiEtWttfd2EzJN6APhLPgvB3ar2l

turn this off

@1223421
Author

1223421 commented Jan 8, 2023

QSvMKiEtWttfd2EzJN6APhLPgvB3ar2l

turn this off

Turned off and systemctl stop polkit, so everything is the same as in the first message

started by itself
$ ps ax | grep polkit
132653 ? Ssl 0:00 /usr/lib/polkit-1/polkitd --no-debug
132689 pts/8 S+ 0:00 /usr/lib/polkit-1/polkit-agent-helper-1 user

If I "mv /usr/lib/polkit-1/polkitd /", then nothing happens when pressing the button in rustdesk.

@rustdesk
Owner

rustdesk commented Jan 8, 2023

polkitd process is still there when you turn off policykit auth

@1223421
Author

1223421 commented Jan 8, 2023

polkitd process is still there when you turn off policykit auth

If I "mv /usr/lib/polkit-1/polkitd /", then nothing happens when pressing the button in rustdesk.

@rustdesk
Owner

rustdesk commented Jan 8, 2023

I have not found a good way to know whether policykit auth is turned on or off.

@1223421
Author

1223421 commented Jan 8, 2023

I have not found a good way to know whether policykit auth is turned on or off.

I repeat - this is a bad idea initially, it's better to disable it completely in linux, leave it for windows ...

@rustdesk rustdesk closed this as completed Jan 8, 2023
@powerman

powerman commented Feb 8, 2023

Yesterday I installed the nightly (because I need the "Always connect via relay" feature to work around disconnects/timeouts every 15 seconds) and have the same issue.

  • Yes, I'm also using Gentoo.
  • No, I don't use systemd.
  • No, I don't use XFCE - I'm using Fluxbox.
  • I have polkitd running, but no polkit-{gnome,kde}-authentication-agent:
$ ps -uw --pid $(pgrep polkit)
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
polkitd   3026  0.0  0.0 309452  9116 ?        Sl   Feb06   0:45 /usr/lib/polkit-1/polkitd --no-debug
  • No, I didn't disable anything polkit-related manually in autorun (actually I have /usr/libexec/polkit-gnome-authentication-agent-1 & in ~/.fluxbox/startup but it turns out it fails to start - more details below).
  • When I click "Unlock security settings" I get a password prompt in the terminal where I started rustdesk (only if I've started it from a terminal instead of using the Fluxbox menu - when it's started from the menu there is no password prompt at all). But after entering the password nothing happens except some errors in the console and kernel log:
authpriv.notice: Feb  8 13:37:03 polkitd[3026]: Operator of unix-process:26661:14073275 FAILED to authenticate to gain authorization for action com.rustdesk.RustDesk.options for unix-process:26661:14073275 [rustdesk] (owned by unix-user:powerman)
authpriv.warn: Feb  8 13:37:03 pkexec[27479]: powerman: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/5] [CWD=/home/powerman] [COMMAND=/usr/share/rustdesk/files/polkit]
authpriv.notice: Feb  8 13:37:03 polkitd[3026]: Unregistered Authentication Agent for unix-process:26661:14073275 (system bus name :1.317779, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
$ LANG= apulse rustdesk
flutter: launch args: []
flutter: initializing FFI main
flutter: _appType:main,info1-id:fe0097106080aa05546584dc00000261,info2-name:Gentoo,dir:/home/powerman/doc
flutter: _globalFFI init
flutter: _globalFFI init end
flutter: registerEventHandler callback_query_onlines recent peer
flutter: registerEventHandler load_recent_peers recent peer
flutter: handled by uni links: false, handled by cli: false
flutter: [MultiWindowHandler] active window changed: [0]
==== AUTHENTICATING FOR com.rustdesk.RustDesk.options ====
Authentication is required to change RustDesk options
Authenticating as: powerman
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

I second leaving this "unlock security" feature to Windows users; configuration of a usual user-space app shouldn't require sudo-like-ish on *NIX systems.

I've tried to manually run /usr/libexec/polkit-gnome-authentication-agent-1 but got this error:

(polkit-gnome-authentication-agent-1:15181): polkit-gnome-1-WARNING **: 14:04:50.308: Unable to determine the session we are in: No session for pid 15181

It turns out this error happens because of a "hardened" system configuration: mounting /proc with the hidepid=2 option. Here is an open (3 years ago) bug report on polkit: https://gitlab.freedesktop.org/polkit/polkit/-/issues/79.

While I'm not going to remove the hidepid option just because of rustdesk anyway, I've tried this just to find out whether it helps… This way I get a polkit window asking for my password, but… you won't believe it, but I can't enter it there - my password contains some special chars which can't be entered in such a naïve GUI form as used by polkit (other tools, e.g. ssh-agent or console passwd/sudo/etc., handle it without issues). After changing my password to a less strong one by removing such special chars everything worked okay.

Summary. This "security" feature is actually incompatible with real "hardened" Linux systems. Please remove it!

@rustdesk
Owner

rustdesk commented Feb 8, 2023

hardened

@21pages let's take note of this.

@rustdesk
Owner

rustdesk commented Feb 8, 2023

PR is welcome

@rustdesk rustdesk reopened this Feb 8, 2023
@rustdesk rustdesk changed the title gui window for ask user password not everywhere work gui window for ask user password not everywhere work (hardened Linux) Feb 8, 2023
@rustdesk rustdesk changed the title gui window for ask user password not everywhere work (hardened Linux) gui window for ask user password not everywhere work (polkit not work on hardened Linux) Feb 8, 2023
@rustdesk rustdesk added the help wanted Extra attention is needed label Feb 8, 2023
@kwisatz

kwisatz commented Feb 20, 2023

ChatGPT

;)

root@thufir:~# systemctl status polkit
● polkit.service - Authorization Manager
     Loaded: loaded (/lib/systemd/system/polkit.service; static)
     Active: active (running) since Wed 2022-12-28 15:14:36 CET; 1 months 23 days ago

I don't seem to have any rules.d directory, but neither do any of my colleagues for whom the pkexec command works.

root@thufir:~# ls /etc/polkit-1/
localauthority	localauthority.conf.d

And these results are consistent with what we've seen above:

kwisatz@thufir:~$ pkexec echo "Hello, Polkit!"
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/usr/bin/echo' as the super user
Authenticating as: David Raison,,, (kwisatz)
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

I'm guessing that in my case, the problem is not a hardened system, but a potentially incomplete polkit installation or an incompatibility with the awesome (sic!) window manager. I will look into that, sorry I mistook that for a rustdesk issue.

I'll leave this here for others to read before posting the same thing unless you'd prefer me to delete both comments?

EDIT: Turns out, polkit needs an authentication agent helper utility running in the background which wasn't the case for me (not using a desktop environment). One option is thus to install and then start one of the agent tools with your window manager, e.g.

kwisatz@thufir:~$ /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 &
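
Added example, not part of the thread and not RustDesk's own code: a Rust pre-flight that separates the two causes reported above for `No session for cookie` (a /proc mount with hidepid, or no authentication agent in the session) from a plain authentication failure. The function names, hint strings and the agent-name heuristic are assumptions of this example, and the sample input in `main` is constructed from the error line quoted in the thread.

```rust
use std::fs;

#[derive(Debug, PartialEq)]
enum PkexecFailure { NoSessionForCookie, AuthenticationFailed, Other }

/// Cookie error is tested first: the logs print it together with AUTHENTICATION FAILED.
fn classify_pkexec_stderr(stderr: &str) -> PkexecFailure {
    if stderr.contains("No session for cookie") { return PkexecFailure::NoSessionForCookie; }
    if stderr.contains("AUTHENTICATION FAILED") { return PkexecFailure::AuthenticationFailed; }
    PkexecFailure::Other
}

/// hidepid option of the last `proc` mount on /proc (input: /proc/mounts text).
fn proc_hidepid(mounts: &str) -> Option<String> {
    let mut found = None;
    for line in mounts.lines() {
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() >= 4 && f[1] == "/proc" && f[2] == "proc" {
            found = f[3].split(',').find_map(|o| o.strip_prefix("hidepid=")).map(str::to_string);
        }
    }
    found
}

/// Anything but 0/off restricts other users' /proc/<pid>; newer kernels print names ("invisible").
fn hides_other_users(hidepid: Option<&str>) -> bool {
    !matches!(hidepid, None | Some("0") | Some("off"))
}

/// Heuristic (assumption): an agent is a process named pkttyagent or
/// polkit-*-authentication-agent*; polkitd and polkit-agent-helper-1 are not agents.
fn has_polkit_agent<'a>(cmdlines: impl IntoIterator<Item = &'a str>) -> bool {
    cmdlines.into_iter().any(|c| {
        let name = c.split_whitespace().next().unwrap_or("").rsplit('/').next().unwrap_or("");
        name == "pkttyagent" || (name.starts_with("polkit-") && name.contains("-authentication-agent"))
    })
}

fn diagnose(stderr: &str, mounts: &str, cmdlines: &[&str]) -> &'static str {
    let hidden = hides_other_users(proc_hidepid(mounts).as_deref());
    let agent = has_polkit_agent(cmdlines.iter().copied());
    match classify_pkexec_stderr(stderr) {
        PkexecFailure::NoSessionForCookie if hidden => "/proc is mounted with hidepid (polkit issue 79)",
        PkexecFailure::NoSessionForCookie if !agent => "no polkit authentication agent in this session",
        PkexecFailure::NoSessionForCookie => "agent found; try pkttyagent --process <pid>",
        PkexecFailure::AuthenticationFailed => "polkit rejected the authentication",
        PkexecFailure::Other => "unrecognised pkexec output",
    }
}

fn main() {
    // Constructed sample input: the error line quoted in the thread.
    let stderr = "GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie";
    let mounts = fs::read_to_string("/proc/mounts").unwrap_or_default();
    let cmds: Vec<String> = fs::read_dir("/proc").into_iter().flatten().flatten()
        .filter_map(|e| fs::read_to_string(e.path().join("cmdline")).ok())
        .map(|c| c.replace('\0', " ")).collect();
    let refs: Vec<&str> = cmds.iter().map(String::as_str).collect();
    println!("{}", diagnose(stderr, &mounts, &refs));
}
```

The process scan only sees what the calling user may read in /proc, and a desktop shell with a built-in agent will not match the name heuristic.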

@rustdesk
Owner

rustdesk commented Feb 23, 2023

Got from chatgpt, @21pages try it out, including the same issue on mac.

#include <stdio.h>
#include <stdlib.h>
#include <glib.h>
#include <glib/gstdio.h>
#include <gtk/gtk.h>
#include <gdk/gdkx.h>
#include <gksu/gksu.h>

int main() {
    GError *error = NULL;
    gchar *stdout_str = NULL, *stderr_str = NULL;
    gint exit_status = 0;
    gchar *argv[] = {"ls", NULL};

    gboolean ret = gksu_run_command(argv, &stdout_str, &stderr_str, &exit_status, &error);

    if (!ret) {
        printf("Error executing gksu command: %s\n", error->message);
        g_error_free(error);
        return 1;
    }

    if (exit_status == 0) {
        printf("gksu command executed successfully\n");
        g_free(stdout_str);
        g_free(stderr_str);
        return 0;
    } else {
        printf("gksu command returned error: %s\n", stderr_str);
        g_free(stdout_str);
        g_free(stderr_str);
        return 1;
    }
}

#include <stdio.h>
#include <Security/Authorization.h>
#include <Security/AuthorizationTags.h>

int main(int argc, char *argv[]) {
  AuthorizationRef authRef;
  OSStatus status;

  status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
                               kAuthorizationFlagDefaults, &authRef);
  if (status != errAuthorizationSuccess) {
    printf("Failed to create AuthorizationRef\n");
    return status;
  }

  AuthorizationItem authItem = {kAuthorizationRightExecute, 0, NULL, 0};
  AuthorizationRights authRights = {1, &authItem};
  AuthorizationFlags flags = kAuthorizationFlagDefaults |
                             kAuthorizationFlagInteractionAllowed |
                             kAuthorizationFlagPreAuthorize |
                             kAuthorizationFlagExtendRights;
  status = AuthorizationCopyRights(authRef, &authRights, kAuthorizationEmptyEnvironment, flags, NULL);
  if (status != errAuthorizationSuccess) {
    printf("Failed to authorize\n");
    return status;
  }

  // your logic here

  AuthorizationFree(authRef, kAuthorizationFlagDestroy);

  return 0;
}

and below is not greyed.

image

@SiddheshKukade

@rustdesk Hello, I'm coming from https://github.com/rustdesk-org/Octernships_Project and the README suggested this link as a resource. My question is: is this the task that we have to solve during the GitHub Octernship?

@rustdesk
Owner

Yes, but this is a simple task; you will have a more challenging job to do.

@SiddheshKukade

@rustdesk where can I find these tasks ?

@rustdesk
Owner

#918

@vamsimadhav

Hi @rustdesk
This would be my first open source project.
So I wanted to know whether we should complete this task below

Elevate privilege to run ls -la /root/ with Rust, and print the result on the Flutter window

or take a task from #918 ?
Suggestions would be helpful
Thank you

@rustdesk
Owner

rustdesk commented Jun 14, 2023

Elevate privilege to run ls -la /root/ with Rust, and print the result on the Flutter window

Octernships_Project is an exam for applying for GitHub Octernship.

@Srishti-j18

Srishti-j18 commented Jun 16, 2023

Hello @rustdesk !!
I am setting up for the assignment "Elevate privilege to run a Linux command with Rust" from this GitHub README file as suggested in the project.
My question is this:
image
It suggests installing Android NDK 22, but in the given link these are unsupported versions and it suggests installing the current release, NDK 25.
Please clarify which version I should download.

@R-ohit-B-isht

@rustdesk the PR is supposed to be merged by the teacher, right?

@spaul-12

@rustdesk I have completed the assignment task and created the pull request. Should I merge the changes into the main branch (instructions regarding this are not clearly mentioned)?

@rustdesk
Owner

The private one.

@spaul-12

@rustdesk yes, I have created a pull request in the private repo. So should I merge it (as it is showing the option to merge the branch into main)?

@rustdesk
Owner

No

@c1tyguide

I had the same problem with polkit.

Describe the bug you encountered:
I can't change settings

What did you expect to happen instead?
change settings

How did you install RustDesk?
github night release rustdesk-1.2.0-0.x86_64-suse.rpm

RustDesk version and environment
1.2.0-0
Leap15.4, xfce4.

Solved it by starting app this way:
xdg-su -c rustdesk

@rustdesk
Owner

rustdesk commented Jun 29, 2023

Can you try out below and tell me the result.

pkexec echo x; echo $?;

rustdesk added a commit that referenced this issue Jun 29, 2023
@c1tyguide

pkexec echo x; echo $?;
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/echo' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.
127

@rustdesk
Owner

rustdesk commented Jun 29, 2023

Please run this in a Desktop env. gnome terminal or the other gui terminal.

@c1tyguide

The same:
image
But if I start terminal with xdg-su -c it works:
image

@rustdesk
Owner

How about if you run xdg-su -c echo; echo $?? Please test both clicking on cancel and clicking on yes after entering the password.

@c1tyguide

image

@basncy

basncy commented Oct 12, 2023

open a new terminal, execute and input password here
pkttyagent --process $(pidof rustdesk)

if failed, pkill rustdesk and start over again.

@bones0

bones0 commented Feb 20, 2024

I get "Connection refused" when trying to connect to my Debian 10.13 Linux PC (3.16.0-4-amd64 1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux) in xfce4. So I tried to stop the service and start it again at the Rustdesk GUI on said PC. The Stop-Button has no effect.

I have the password prompt if I run rustdesk 1.2.3 from the terminal in my Debian Linux. But it accepts neither the root password nor the user password (sudo would be allowed). If I run polkitd in another terminal I get the following combination of errors (let's assume my username is "user"):

Rustdesk:
/bin/systemctl
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/sh' as the super user
Authenticating as: user,,, (user)
Password:
==== AUTHENTICATION FAILED ===

polkitd:
Invalid Locale "en_US.UTF-8"

My system indeed is not running on en_US.UTF-8. It's on de_CH.UTF-8.

I was able to connect to rustdesk once. But I guess that was before the reboot and another source of trouble may be that I am already connected using xrdp and the Windows Remotedesktopclient via another tunnel already. xfce4 seems to have a problem to share sessions with multiple remote-applications.

I run policykit as root with /usr/lib/policykit-1/polkitd -r. The gnome-agent does not exist in my system and polkit-agent-helper-1 requires an argument but does not tell me which one. Since I get some reaction when running polkitd -r I guess that's not entirely wrong. But it may be worth a try to use the helper. But having to run rustdesk from the terminal in order to enter passwords there is not really the expected level of usability anyway.

I have seen the discussion about the "unlock security" button not working. Did not find the link, though. But I get the same authentication-prompt when clicking this button. My workaround there was downgrading to 1.2.1 where this button works, do the settings and then re-upgrade to 1.2.3. But, well, now I have "connection refused". Also with 1.2.1, but I did the analysis with 1.2.3.

@bones0

bones0 commented Feb 20, 2024

#2756 (comment) works as a workaround. And stopping the service and starting it again solved my connection issues. Which are a different ticket anyway.
