Am Dienstag, 18. Juli 2023, 05:36:56 CEST schrieb Max Nikulin:
> On 15/07/2023 00:04, Petric Frank wrote:
> > After some debugging i found a working solution. Allocated file in/etc/
> > polkit-1/rules.d/99-networkmanager.rules containing:
> >
> > --------------- cut ------------------
> > polkit.addRule(function(action, subject) {
> >
> > if (action.id == "org.freedesktop.NetworkManager.network-control") {
> >
> > if (subject.isInGroup("netdev")) {
> >
> > return polkit.Result.YES;
> >
> > }
> >
> > }
> >
> > });
> > --------------- cut ------------------
> >
> > Hope that helps others.
>
> https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.
> en.html#changes-to-polkit-configuration "5.1.13. Changes to polkit
> configuration":
>
> For consistency with upstream and other distributions, the polkit
> (formerly PolicyKit) service, which allows unprivileged programs to
> access privileged system services, has changed the syntax and location
> for local policy rules. You should now write local rules for customizing
> the security policy in JavaScript, and place them at
> /etc/polkit-1/rules.d/*.rules. Example rules using the new format can be
> found in /usr/share/doc/polkitd/examples/, and polkit(8) has further
> information.
>
> Previously, rules could be written in pkla format, and placed in
> subdirectories of /etc/polkit-1/localauthority or
> /var/lib/polkit-1/localauthority. However, .pkla files should now be
> considered deprecated, and will only continue to work if the
> polkitd-pkla package is installed. This package will usually be
> installed automatically when you upgrade to bookworm, but it is likely
> not to be included in future Debian releases, so any local policy
> overrides will need to be migrated to the JavaScript format.
Thanks for the link. It was a little problematic for me to find the correct
rules using the big "trash dump" like google and others. Finally i got it and
posted it here to help others with the same problem.
There are other services (device mount, etc.) affected by the "password
request" dialogs which also have to be covered this way when connecting via
xrdp. Maybe also driven by group membership.
