[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

cannot use pkexec

and suffer a big security decrease…

As pointed out in use sudoedit in Whonix documentation

https://help.ubuntu.com/community/RootSudo says

even pkexec is being deprecated by the mainline Ubuntu developers

Probably won’t be long before Debian deprecates it too.

As use sudoedit in Whonix documentation says, I’ve read conflicting information about the fate of pkexec. Citation required.

1 Like

Thanks @Patrick.

In this situation, I’d ideally hope a solution was found to achieve both needs here. But I wouldn’t want that to delay fixing what I see as a more urgent problem (for basic pkexec to work again, a famous and fundamental part of current Debian). That bug should be rolled back first, then an ‘ideal’ fix researched after that.

Also, you can’t ask users who report bugs to always provide the solutions for them. We all have our place, and reporters can be very helpful. :slight_smile:

1 Like
dpkg -S `which pkexec`

policykit-1: /usr/bin/pkexec

Quote https://wiki.debian.org/PolicyKit

While PolicyKit has been replaced by polkit (which rewrote system component, breaking backwards compatibility) in many distributions, Debian continues to use PolicyKit from wheezy through to buster.

Quote

Since version 0.105, released in April 2012,[2][3] the name of the project was changed[ by whom? ] from PolicyKit to polkit to emphasize that the system component was rewritten[4] and that the API had changed, breaking backward compatibility.[5][ dubiousdiscuss ]

Fedora became the first distribution to include PolicyKit, and it has since been used in other distributions, including Ubuntu since version 8.04 and openSUSE since version 10.3. Some distributions, like Fedora,[6] have already switched to the rewritten polkit.

Quote https://tracker.debian.org/pkg/policykit-1

This is also interesting because at the moment packages by Whonix use lxsudo. Maybe bullseye based Whonix should be ported to use polkit.

1 Like

@Patrick Thanks for starting to look into it.

I have found another major feature of XFCE that is also broken due due to the current whonix mod:

When you attach a VDI in VirtualBox to your Whonix-Workstation (as a way to easily expand your storage), you can no longer mount it via GUI in Thunar.

A hard disk item in Thunar appears under Devices (e.g. ‘200 GB Volume’), and when clicking on it, a GUI password prompt should appear to mount it, but nothing does in the current Whonix 15 OVA.

You have to turn off password security in the Thunar and/or UDisks2 policykit files in order to get it to work.

Could try this workaround. It replaces pkexec with lxsudo. That might fix all applications.

sudo cp /usr/bin/pkexec /usr/bin/pkexec.backup
sudo rm /usr/bin/pkexec
sudo ln -s /usr/bin/lxsudo /usr/bin/pkexec
1 Like

thunar-volman is disabled by default anyway.

thunar volman discussion also here:

possibly related:

1 Like

That doesn’t fix it. On a fresh Whonix-XFCE-15.0.0.4.9.ova, after doing those 3 commands:

Launching ZuluCrypt still doesn’t work, produces a pop-up:

lxqt-sudo: no backend chosen!

I click OK and then the same ZuluCrypt polkit error as before pops up.

Tried Synaptic as another test: same lxqt-sudo: no backend chosen! error.

Try delete the symlink and use pkexec being a wrapper script calling lxsudo instead.

1 Like

That might not have worked since lxsudo itself is just a symlink to lxqt-sudo.

Instructions:

sudo unlink /usr/bin/pkexec
sudo rm /usr/bin/pkexec
sudoedit /usr/bin/pkexec

contents of wrapper /usr/bin/pkexec:

#!/bin/bash
/usr/bin/lxqt-sudo "$@"

Save.

Make executable.

sudo chmod +x /usr/bin/pkexec

Try.

1 Like

@Patrick OK I have tried the above.

It does make ZuluCryppt, Synaptic, and KDE Partition Manager (after you add pkexec to the .desktop Exec= command line) work.

However, mounting a vbox-added virtual hard drive in Thunar still doesn’t work. (only my very insecure .policy hack makes it work.)

So those commands aren’t a full fix - yet.

Happy to keep trying more instructions you provide.

Correcting my previous post.

Wrong:

Edited, fixed:

I guess you had that right already?

I am surprised. No, I didn’t suppose editing .desktop Exec= files would be required. It looked plausible to me that replacing pkexec with lxqt-sudo should fix all applications which use Exec= pkexec (already default, no user modification) something or within their wrapper script.

1 Like

@Patrick No, my .desktop mod only has to apply to KDE Partition Manager. (I’ve needed to do it ever since moving to XFCE from KDE Whonix. To me it is superior to / easier to use than GParted, even though it comes from KDE.) I just mentioned that detail to be more complete. Also, for what it’s worth, your previous instructions were incompatible with my own fix for Thunar disk mounting (UDisks2 .policy file).

I’ll have to try your corrected instructions another time soon, will report back.

I am also experiencing issues starting Zulucrypt (the only application so far for me) with the error relating to pkexec. I applied the (edited) fix posted above, and the application starts, but exits with “unknown error status 255” when I try to mount a volume (in a file) previously created and opened using Zulucrypt in Whonix before the problem manifested. It might not be related (though it is curious timing if not), but wanted to convey my experience. Thanks for working on a solution.

1 Like

@Patrick thanks for the updated instructions.

Results:

  • ZuluCrypt launches, and I think @amoretpax’s problem is probably unrelated to this pkexec problem.

  • Synaptic fully works! Can install packages via it.

  • KDE Partition Manager fully works (with my mod to add pkexec in the .desktop)!

  • Mounting an external drive (vbox VDI) in Thunar: This still doesn’t work. Click on the drive in Thunar devices list, nothing happens.

So this still isn’t a Whonix-wide fix to the current broken pkexec.

1 Like

Are you sure you enabled thunar-volman? It’s disabled by default.

2 Likes

Which change specifically by security-misc breaks pkexec? I need to find out to be able to report a bug against pkexec.

1 Like

I don’t think it’s because of security-misc but anon-base-files as it locks the root account.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]