On Mon, 30 Dec 2019 at 15:39:26 -0800, Joshua wrote: > pkexec can't handle sessions created by Xrdp. It clearly wants something from > the session manager > that the session manager cannot provide.
Are you able to run something like 'pkexec id' from a ssh login to the same system, and escalate privileges to root that way? If that works, and the same command in a shell on an Xrdp connection doesn't, then that isolates the problem to be something specific to Xrdp. What polkit requires is that the privileged process into which you log in (for example sshd or gdm or login) registers with systemd-logind (or elogind, if you're using that) via a PAM stack that runs pam_systemd (or pam_elogind), before forking a child process that drops privileges to run as you. For example, for sshd this is normally done by /etc/pam.d/sshd containing "@include common-session", and /etc/pam.d/common-session containing "session optional pam_systemd.so". I don't know how Xrdp works, so I don't know which process ought to be responsible for this. If you use systemd, systemd-cgls will show you how the OS thinks the various processes and cgroups fit together. On a typical desktop/laptop system with gdm/xdm/sddm/whatever or with getty/login on the console, or on a server with ssh logins, it will go something like this: -.slice ├─user.slice │ └─user-1000.slice (or whatever your numeric uid is) │ ├─[email protected] │ │ └─... per-user services shared by all login sessions, like gpg-agent ... │ ├─session-c1.scope │ │ └─... the processes associated with a getty/login session on tty6 ... │ ├─session-1.scope │ │ └─... the processes associated with a ssh login session ... │ └─session-2.scope │ └─... the processes associated with a gdm login session ... ├─init.scope │ └─1 /sbin/init splash └─system.slice ├─... OS services like polkit.service itself ... If the shell from which you run pkexec appears below user-1000.slice, then polkitd should be able to recognise it as part of the session (and if it can't, we would need more debug information from polkitd and/or pkexec to figure out why not). If it appears below system.slice, then something that Xrdp is doing is incompatible with polkitd's (and systemd-logind's, and many other services') model of what is part of a session and what isn't. loginctl(1) might also provide useful information (for either systemd-logind or elogind). > This is a server. On a server-class, mostly-text-mode system it would be more typical to use sudo, or configure public key authentication to be able to ssh in as root without a password. (By default, Debian's sshd configuration will allow root logins using a key listed in /root/.ssh/authorized_keys, but will not allow root logins using password authentication, because password authentication is much more susceptible to attacks.) smcv

