OK, so to fix this problem recently introduced into Whonix 15 that affects a rather core part of the Debian GUI experience that most of us have used for years, we can either:
Request upstream developers for dozens of famous packages used by vastly more people than in the Whonix community to change a long-standing element of how every one of their packages work, and if we’re lucky, wait 1-3 years for it to trickle down to Debian stable repo.
or
Fix Whonix at our own pace right now. (Very quick, appreciate that.)
There are probably hundreds of well-known packages that use root in the way that Whonix 15 right now has broken.
Of course, I’m with you here, who doesn’t like more security? I’m still interested in Qubes development, even though I’ve chosen amnesic Debian as my host OS security instead.
But we can’t break the universal user experience like this.
In this situation, I’d ideally hope a solution was found to achieve both needs here. But I wouldn’t want that to delay fixing what I see as a more urgent problem (for basic pkexec to work again, a famous and fundamental part of current Debian). That bug should be rolled back first, then an ‘ideal’ fix researched after that.
Also, you can’t ask users who report bugs to always provide the solutions for them. We all have our place, and reporters can be very helpful.
While PolicyKit has been replaced by polkit (which rewrote system component, breaking backwards compatibility) in many distributions, Debian continues to use PolicyKit from wheezy through to buster.
Quote
Since version 0.105, released in April 2012,[2][3] the name of the project was changed[ by whom? ] from PolicyKit to polkit to emphasize that the system component was rewritten[4] and that the API had changed, breaking backward compatibility.[5][ dubious – discuss ]
Fedora became the first distribution to include PolicyKit, and it has since been used in other distributions, including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora,[6] have already switched to the rewritten polkit.
I have found another major feature of XFCE that is also broken due due to the current whonix mod:
When you attach a VDI in VirtualBox to your Whonix-Workstation (as a way to easily expand your storage), you can no longer mount it via GUI in Thunar.
A hard disk item in Thunar appears under Devices (e.g. ‘200 GB Volume’), and when clicking on it, a GUI password prompt should appear to mount it, but nothing does in the current Whonix 15 OVA.
You have to turn off password security in the Thunar and/or UDisks2 policykit files in order to get it to work.
I am surprised. No, I didn’t suppose editing .desktop Exec= files would be required. It looked plausible to me that replacing pkexec with lxqt-sudo should fix all applications which use Exec= pkexec (already default, no user modification) something or within their wrapper script.
@Patrick No, my .desktop mod only has to apply to KDE Partition Manager. (I’ve needed to do it ever since moving to XFCE from KDE Whonix. To me it is superior to / easier to use than GParted, even though it comes from KDE.) I just mentioned that detail to be more complete. Also, for what it’s worth, your previous instructions were incompatible with my own fix for Thunar disk mounting (UDisks2 .policy file).
I’ll have to try your corrected instructions another time soon, will report back.
I am also experiencing issues starting Zulucrypt (the only application so far for me) with the error relating to pkexec. I applied the (edited) fix posted above, and the application starts, but exits with “unknown error status 255” when I try to mount a volume (in a file) previously created and opened using Zulucrypt in Whonix before the problem manifested. It might not be related (though it is curious timing if not), but wanted to convey my experience. Thanks for working on a solution.