cannot use pkexec

This could be done in parallel. But I don’t have much hope given the non-activity of that bug report and little polkit package version number bumps throughout Debian releases. It’s probably “patches welcome”. Also this doesn’t solve this issue in Whonix 15 since polkit changes would have to wait until Debian bullseye based Whonix for the fixed polkit version to trickle down.

Wasn’t sure about it. Just wanted to make sure non-root users cannot influence this behavior.

Agreed. So for Whonix 15 either pkexec to lxqt-sudo redirection or disabling proc-hidepid by default. Which one would you suggest?

hidepid is a really useful feature and as Whonix is a security focused distro, I think it should stay enabled by default with the redirect at the cost of minor breakage.

  • In Whonix testers repository this is fixed:
  • In Whonix 15.0.0.6.5-developers-only and above this is fixed.
    (15.0.0.6.5-developers-only has some unrelated imperfections. Won’t be released. Higher Whonix release tag and testers-only release coming soon.)

The pkexec wrapper in upgraded security-misc package is functional.

Fixed meaning: I successfully used: gdebi, synaptic, gparted.

Fixed:

Now also fixed in testers-only build: Whonix VirtualBox 15.0.0.6.6 - Testers Wanted!

Anything that remained unfixed here?

Yes. Thunar mounting (or auto mounting) of external drives (e.g. a vbox VDI). I can continue to test for you on a Developer OVA. Its current status is it still doesn’t work without giving UDisks2 an explicit policykit exception which is obviously dangerous and not ideal.

Did you try disabling hidepid yet as per this forum post cannot use pkexec - #32 by Patrick_mobile?

(I am not suggesting this as the final solution but that would help to identify the cause so a proper fix can be developed.)

pkexec wrapper might be called without us having a chance to know that. Therefore I’ve now added logging when pkexec wrapper is called to systemd journal. (Calls to sudo are similarly logged by Debian default.)

https://github.com/Whonix/security-misc/commit/082f04f2d4101828455a4a9b2852376a72ced6ce

Identifying xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup - #2 by Patrick was simple but other stuff might otherwise be hard to debug.

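The idea in the post above, a pkexec stand-in that leaves a journal entry for every call and then hands the command to a graphical sudo front-end, written out as an added example. This is illustrative code, not the security-misc wrapper; the lxqt-sudo target path, the syslog tag pkexec-wrapper and the set of pkexec options handled are assumptions.

```shell
#!/bin/sh
## Added example, not the security-misc wrapper: a pkexec stand-in that records every
## call in the systemd journal and then hands the command to a graphical sudo front-end.
## The target path, the syslog tag and the set of pkexec options handled are assumptions.

## Assumption: lxqt-sudo (package lxqt-sudo; lxsudo is its symlink) is the prompt front-end.
PKEXEC_REDIRECT_TARGET="${PKEXEC_REDIRECT_TARGET:-/usr/bin/lxqt-sudo}"

## Write one line to the journal (or to stderr when no syslog socket is usable) so that
## a helper started behind the user's back still leaves a trace, like sudo's own log line.
pkexec_wrapper_log() {
    msg="pkexec wrapper pid=$$ ppid=$PPID user=$(id -un) cwd=$PWD args: $*"
    if [ -w /dev/log ] && command -v logger >/dev/null 2>&1; then
        logger -t pkexec-wrapper -p auth.notice -- "$msg" 2>/dev/null || printf '%s\n' "$msg" >&2
    else
        printf '%s\n' "$msg" >&2
    fi
}

## Drop pkexec-only options the front-end would not understand, refuse what cannot be
## honoured, log, then replace this process with the front-end running the command.
## Returns 2 when there is nothing sensible to run; never returns on success.
pkexec_wrapper_main() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --disable-internal-agent|--keep-cwd) shift ;;
            ## Only root is reachable through a sudo front-end; refuse other targets.
            --user)   [ "$#" -ge 2 ] && [ "$2" = root ] || return 2; shift 2 ;;
            --user=*) [ "${1#--user=}" = root ] || return 2; shift ;;
            --)       shift; break ;;
            -*)       return 2 ;;   # --version, --help and unknown options
            *)        break ;;
        esac
    done
    [ "$#" -gt 0 ] || return 2
    pkexec_wrapper_log "$@"
    exec "$PKEXEC_REDIRECT_TARGET" "$@"
}

## Stand-alone use, once installed in place of /usr/bin/pkexec:
##   pkexec --disable-internal-agent /usr/sbin/synaptic
if [ "$#" -gt 0 ]; then
    pkexec_wrapper_main "$@"
fi
```

In a package such a file would be put in place with dpkg-divert so the real pkexec binary survives upgrades, and the trace can be read back with `journalctl -t pkexec-wrapper`. What the redirect gives up is pkexec's own lookup of the action's .policy defaults: every call ends up at the sudo prompt regardless of what the policy file says, which is the trade-off the "minor breakage" remark above accepts.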

another issue:

another pkexec related fix (which hopefully won’t lead to more pkexec related regressions):

Due to above change, we at least can now see in journal when pkexec wrapper gets run and what the output of any applications is in case these are failing.

There could be quite a few broken things due to hidepid / pkexec wrapper.

Files containing string path.

#!/bin/bash

## For every polkit action definition, print the package that ships it
## (dpkg -S output format: "package: /full/path").
for x in $(find /usr/share/polkit-1/actions/ -type f) ; do
    dpkg -S "$x"
done

file owned by package name: file full path

dpkg: /usr/share/polkit-1/actions/org.dpkg.pkexec.update-alternatives.policy
libkf5sysguard-data: /usr/share/polkit-1/actions/org.kde.ksysguard.processlisthelper.policy
xserver-xorg-video-intel: /usr/share/polkit-1/actions/org.x.xf86-video-intel.backlight-helper.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.resolve1.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.locale1.policy
lightdm: /usr/share/polkit-1/actions/org.freedesktop.DisplayManager.AccountsService.policy
gdebi: /usr/share/polkit-1/actions/com.ubuntu.pkexec.gdebi-gtk.policy
rtkit: /usr/share/polkit-1/actions/org.freedesktop.RealtimeKit1.policy
xfce4-power-manager: /usr/share/polkit-1/actions/org.xfce.power.policy
ktexteditor-data: /usr/share/polkit-1/actions/org.kde.ktexteditor.katetextbuffer.policy
udisks2: /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
policykit-1: /usr/share/polkit-1/actions/org.freedesktop.policykit.policy
network-manager: /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
thunar: /usr/share/polkit-1/actions/org.xfce.thunar.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.timedate1.policy
xfce4-session: /usr/share/polkit-1/actions/org.xfce.session.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
modemmanager: /usr/share/polkit-1/actions/org.freedesktop.ModemManager1.policy
synaptic: /usr/share/polkit-1/actions/com.ubuntu.pkexec.synaptic.policy
cups-pk-helper: /usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.login1.policy
packagekit: /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
liblxqt0: /usr/share/polkit-1/actions/org.lxqt.backlight.pkexec.policy

Paths point at these applications:

  • update-alternatives
  • /usr/lib/xserver-xorg-video-intel/xf86-video-intel-backlight-helper
  • gdebi-gtk
  • xfpm-power-backlight-helper [fixed in git master]
  • xfce4-pm-helper [fixed in git master]
  • pklalockdown
  • thunar
  • /usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper
  • /lib/systemd/systemd-reply-password
  • synaptic
  • pk-device-rebind
  • lxqt-backlight_backend

Files not containing string path.

#!/bin/bash

## Same listing, but skip any policy file that mentions "path" anywhere,
## leaving the actions that do not name a binary to run through pkexec.
for x in $(find /usr/share/polkit-1/actions/ -type f) ; do
    if grep -q "path" "$x" ; then
        continue
    fi
    dpkg -S "$x"
done

file owned by package name: file full path

systemd: /usr/share/polkit-1/actions/org.freedesktop.resolve1.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.locale1.policy
lightdm: /usr/share/polkit-1/actions/org.freedesktop.DisplayManager.AccountsService.policy
rtkit: /usr/share/polkit-1/actions/org.freedesktop.RealtimeKit1.policy
ktexteditor-data: /usr/share/polkit-1/actions/org.kde.ktexteditor.katetextbuffer.policy
udisks2: /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
network-manager: /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.timedate1.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
modemmanager: /usr/share/polkit-1/actions/org.freedesktop.ModemManager1.policy
cups-pk-helper: /usr/share/polkit-1/actions/org.opensuse.cupspkhelper.mechanism.policy
systemd: /usr/share/polkit-1/actions/org.freedesktop.login1.policy

Seems quite difficult to create a wrapper. policykit-1 / pkexec is used a lot and is quite a complex package. It provides a lot of binaries.

apt-file list policykit-1

policykit-1: /etc/pam.d/polkit-1
policykit-1: /etc/polkit-1/localauthority.conf.d/50-localauthority.conf
policykit-1: /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
policykit-1: /etc/polkit-1/nullbackend.conf.d/50-nullbackend.conf
policykit-1: /lib/systemd/system/polkit.service
policykit-1: /usr/bin/pkaction
policykit-1: /usr/bin/pkcheck
policykit-1: /usr/bin/pkexec
policykit-1: /usr/bin/pkttyagent
policykit-1: /usr/lib/policykit-1/polkit-agent-helper-1
policykit-1: /usr/lib/policykit-1/polkitd
policykit-1: /usr/lib/x86_64-linux-gnu/polkit-1/extensions/libnullbackend.so
policykit-1: /usr/share/dbus-1/system-services/org.freedesktop.PolicyKit1.service
policykit-1: /usr/share/dbus-1/system.d/org.freedesktop.PolicyKit1.conf

/usr/share/polkit-1/actions/org.xfce.thunar.policy

How would I test the functionality "Run Thunar as root"? That's functionality I haven't discovered yet.

I.e. policykit policy files that don’t contain a /path/to/binary. I’ve read “policykit helps to run an application as non-root while allowing the application to run only these parts as root which require that”.

How would I test the functionality of ktexteditor-data: /usr/share/polkit-1/actions/org.kde.ktexteditor.katetextbuffer.policy?

I am considering to revert hidepid. Any alternative? @madaidan

  • Can you make policykit compatible with hidepid upstream?
  • Can you make above functionality work and improve pkexec wrapper?
  • Any other solution reaching the same goal (similar hidepid) that does not break pkexec? Perhaps using namespaces or something?
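The two listing scripts in the post above only check whether the word "path" occurs in a policy file. An added example (not from the thread and not part of security-misc) that reads the action definitions themselves: it prints, per action, the id, the three authorization defaults and the org.freedesktop.policykit.exec.path annotation, which is what separates a helper launched through pkexec from an action that is only consulted by a D-Bus service such as udisks2. It assumes the one-element-per-line layout packaged .policy files use and builds its own constructed sample files in a temporary directory so it runs without a real actions directory.

```shell
#!/bin/sh
## Added example, not code from the thread or from the security-misc package: summarise
## polkit action definitions so that helpers launched through pkexec (those carrying an
## org.freedesktop.policykit.exec.path annotation) can be told apart from actions that are
## only consulted by a D-Bus service. Assumption: the one-element-per-line layout that
## packaged .policy files use; a minified file would need a real XML parser.

## Print one tab-separated record per <action>:
##   action id, allow_any, allow_inactive, allow_active, exec.path (or "-" when absent)
polkit_action_summary() {
    dir="${1:-/usr/share/polkit-1/actions}"
    for f in "$dir"/*.policy; do
        [ -f "$f" ] || continue
        awk '
            ## text between <tag ...> and </tag> on the current line
            function tag_text(line, tag,   s) {
                s = line
                sub(".*<" tag "[^>]*>", "", s)
                sub("</" tag ">.*", "", s)
                return s
            }
            /<action id="/ {
                id = $0; sub(/.*<action id="/, "", id); sub(/".*/, "", id)
                any = inactive = active = path = "-"
            }
            /<allow_any>/      { any      = tag_text($0, "allow_any") }
            /<allow_inactive>/ { inactive = tag_text($0, "allow_inactive") }
            /<allow_active>/   { active   = tag_text($0, "allow_active") }
            /org\.freedesktop\.policykit\.exec\.path/ { path = tag_text($0, "annotate") }
            /<\/action>/ { printf "%s\t%s\t%s\t%s\t%s\n", id, any, inactive, active, path }
        ' "$f"
    done
}

## Only the actions that resolve to a binary through pkexec: id and path.
polkit_pkexec_helpers() {
    polkit_action_summary "$1" | awk -F '\t' '$5 != "-" { print $1 "\t" $5 }'
}

## Constructed sample files (made up for this example) so the script runs offline.
polkit_sample_dir() {
    d=$(mktemp -d)
    ## Sample 1: a helper launched through pkexec, recognisable by exec.path.
    cat > "$d/com.example.pkexec.demo.policy" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="com.example.pkexec.demo">
    <description>Run demo helper</description>
    <message>Authentication is required to run the demo helper</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/demo-helper</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
EOF
    ## Sample 2: an action checked by a D-Bus mechanism; no binary path at all.
    cat > "$d/org.example.Mechanism.policy" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.mechanism.mount">
    <description>Mount a removable device</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF
    printf '%s\n' "$d"
}

## Stand-alone run: summarise a real actions directory when given, otherwise the sample.
if [ "$#" -gt 0 ]; then
    polkit_action_summary "$1"
else
    polkit_action_summary "$(polkit_sample_dir)"
fi
```

Run it as `sh polkit-actions.sh /usr/share/polkit-1/actions` on a real system. Actions that come out with an exec.path are the ones a pkexec wrapper can be tested against directly (gdebi-gtk, synaptic and the backlight helpers in the list above); the ones with "-" belong to a mechanism that asks polkitd itself, so they can only be exercised through the application that talks to that service, which is why cases such as udisks2 or the kate text buffer helper need the application and not a pkexec call.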

@Patrick, upgrading to the point release 15.0.0.8.9 in-place, this bug is back again (even in my existing upgraded in-place system in which I had already applied my own manual fix).

I cannot install DEB files with GDebi, cannot launch Synaptic, and ZuluCrypt error at launch.

Investigating my own (re)solution right now and will report back.

Update: This bug is now worse than it was before, and I cannot find a fix. This is all tested on multiple fresh 15.0.0.8.9 OVAs out of the box.

My previous fix of changing ‘auth_admin’ (or ‘no’) to ‘yes’ in various policykit files in /usr/share/polkit-1/actions/ no longer works. (What is overriding that?)

If I apply this fix from Patrick: cannot use pkexec - #21 by Patrick

  • Synaptic works.
  • ZuluCrypt works.
  • But Gdebi NOT fixed. (This is the one a lot of people are used to.) Bad errors.

Not to mention other packages like KDE Partition Manager. Now I can’t use that application either.

Without that fix btw there should now be debug output in journal log.

Most likely the package that owns those files, which comes from packages.debian.org since Whonix doesn't ship any files there.

in git master:

working:

  • synaptic
  • gdebi
  • gparted

You could get this from github pkexec.security-misc.

Probably easier to copy from github raw.

https://raw.githubusercontent.com/Whonix/security-misc/master/usr/bin/pkexec.security-misc

lxsudo mousepad /usr/bin/pkexec.security-misc

ZuluCrypt gui: not tested to encrypt devices but I guess it will still work.

Please let me know what remains broken.

@Patrick that amended code fixed it! GDebi back to normal again. :slight_smile: Thank you. (I assume that fix will make its way into the next point release, or however it works.)

I never actually use ZuluCrypt itself.

I didn’t see Thunar external hard drive mounting affected by the recent point release, so with that fix above, at least from my end this issue isn’t present anywhere.

As always, I’ll keep observing and reporting.

Yes.

bookworm port: