[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

cannot use pkexec

Support
#6

But in the Whonix 15 there is already this file:

/etc/xdg/autostart/polkit-gnome-authentication-agent-1.desktop

containing this line:

Exec=/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1

Is that not a ‘policykit authentication agent’?

OK. To simplify it, for now, can we therefore make it ZuluCrypt.

Again and again I import the Whonix 15 OVA (and I’ve checked its hash to make sure not corrupt), and before doing anything else (after initial wizard), I click on ZuluCrypt from the Whisker Menu and it simply gives that polkit error I’ve provided in the screenshot.

Can you reproduce this? The answer to that question will guide us where to go next.

#7

pkexec seems to be a fancy su which won’t work when the root account is locked.

You don’t seem to realise that not every single password prompt is now broken. Only ones using su to switch to the root user are and if those applications are doing that, you can make a bug report to get them to switch to sudo.

I can reproduce it.

1 Like
#8

OK, so to fix this problem recently introduced into Whonix 15 that affects a rather core part of the Debian GUI experience that most of us have used for years, we can either:

  • Request upstream developers for dozens of famous packages used by vastly more people than in the Whonix community to change a long-standing element of how every one of their packages work, and if we’re lucky, wait 1-3 years for it to trickle down to Debian stable repo.

or

  • Fix Whonix at our own pace right now. (Very quick, appreciate that.)

There are probably hundreds of well-known packages that use root in the way that Whonix 15 right now has broken.

Of course, I’m with you here, who doesn’t like more security? I’m still interested in Qubes development, even though I’ve chosen amnesic Debian as my host OS security instead.

But we can’t break the universal user experience like this.

So what are we going to do?

#9

It will be fixed. Relax.There is no need for extended debate on priorities without contributing to solutions.

2 Likes
#10

and suffer a big security decrease…

As pointed out in use sudoedit in Whonix documentation

https://help.ubuntu.com/community/RootSudo says

even pkexec is being deprecated by the mainline Ubuntu developers

Probably won’t be long before Debian deprecates it too.

#11

As use sudoedit in Whonix documentation says, I’ve read conflicting information about the fate of pkexec. Citation required.

1 Like
#12

Thanks @Patrick.

In this situation, I’d ideally hope a solution was found to achieve both needs here. But I wouldn’t want that to delay fixing what I see as a more urgent problem (for basic pkexec to work again, a famous and fundamental part of current Debian). That bug should be rolled back first, then an ‘ideal’ fix researched after that.

Also, you can’t ask users who report bugs to always provide the solutions for them. We all have our place, and reporters can be very helpful. :slight_smile:

#13
1 Like
#14 
dpkg -S `which pkexec`

policykit-1: /usr/bin/pkexec

Quote https://wiki.debian.org/PolicyKit

While PolicyKit has been replaced by polkit (which rewrote system component, breaking backwards compatibility) in many distributions, Debian continues to use PolicyKit from wheezy through to buster.

Quote

Since version 0.105, released in April 2012,[2][3] the name of the project was changed[ by whom? ] from PolicyKit to polkit to emphasize that the system component was rewritten[4] and that the API had changed, breaking backward compatibility.[5][ dubiousdiscuss ]

Fedora became the first distribution to include PolicyKit, and it has since been used in other distributions, including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora,[6] have already switched to the rewritten polkit.

Quote https://tracker.debian.org/pkg/policykit-1

This is also interesting because at the moment packages by Whonix use lxsudo. Maybe bullseye based Whonix should be ported to use polkit.

1 Like
#15

@Patrick Thanks for starting to look into it.

I have found another major feature of XFCE that is also broken due due to the current whonix mod:

When you attach a VDI in VirtualBox to your Whonix-Workstation (as a way to easily expand your storage), you can no longer mount it via GUI in Thunar.

A hard disk item in Thunar appears under Devices (e.g. ‘200 GB Volume’), and when clicking on it, a GUI password prompt should appear to mount it, but nothing does in the current Whonix 15 OVA.

You have to turn off password security in the Thunar and/or UDisks2 policykit files in order to get it to work.

Kernel Hardening
zulucrypt failed to start helper application
#16

Could try this workaround. It replaces pkexec with lxsudo. That might fix all applications.

sudo cp /usr/bin/pkexec /usr/bin/pkexec.backup
sudo rm /usr/bin/pkexec
sudo ln -s /usr/bin/lxsudo /usr/bin/pkexec
1 Like
cannot access encrypted USB drive with Thunar in Whonix 15
#17

thunar-volman is disabled by default anyway.

#18

thunar volman discussion also here:

possibly related:

1 Like
#19

That doesn’t fix it. On a fresh Whonix-XFCE-15.0.0.4.9.ova, after doing those 3 commands:

Launching ZuluCrypt still doesn’t work, produces a pop-up:

lxqt-sudo: no backend chosen!

I click OK and then the same ZuluCrypt polkit error as before pops up.

Tried Synaptic as another test: same lxqt-sudo: no backend chosen! error.

#20

Try delete the symlink and use pkexec being a wrapper script calling lxsudo instead.

1 Like
#21

That might not have worked since lxsudo itself is just a symlink to lxqt-sudo.

Instructions:

sudo unlink /usr/bin/pkexec
sudo rm /usr/bin/pkexec
sudoedit /usr/bin/pkexec

contents of wrapper /usr/bin/pkexec:

#!/bin/bash
/usr/bin/lxqt-sudo "$@"

Save.

Make executable.

sudo chmod +x /usr/bin/pkexec

Try.

1 Like
#22

@Patrick OK I have tried the above.

It does make ZuluCryppt, Synaptic, and KDE Partition Manager (after you add pkexec to the .desktop Exec= command line) work.

However, mounting a vbox-added virtual hard drive in Thunar still doesn’t work. (only my very insecure .policy hack makes it work.)

So those commands aren’t a full fix - yet.

Happy to keep trying more instructions you provide.

#23

Correcting my previous post.

Wrong:

Edited, fixed:

I guess you had that right already?

I am surprised. No, I didn’t suppose editing .desktop Exec= files would be required. It looked plausible to me that replacing pkexec with lxqt-sudo should fix all applications which use Exec= pkexec (already default, no user modification) something or within their wrapper script.

1 Like
#24

@Patrick No, my .desktop mod only has to apply to KDE Partition Manager. (I’ve needed to do it ever since moving to XFCE from KDE Whonix. To me it is superior to / easier to use than GParted, even though it comes from KDE.) I just mentioned that detail to be more complete. Also, for what it’s worth, your previous instructions were incompatible with my own fix for Thunar disk mounting (UDisks2 .policy file).

I’ll have to try your corrected instructions another time soon, will report back.

#25

I am also experiencing issues starting Zulucrypt (the only application so far for me) with the error relating to pkexec. I applied the (edited) fix posted above, and the application starts, but exits with “unknown error status 255” when I try to mount a volume (in a file) previously created and opened using Zulucrypt in Whonix before the problem manifested. It might not be related (though it is curious timing if not), but wanted to convey my experience. Thanks for working on a solution.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]