系统策略阻止对网络连接的控制

系统策略阻止对网络连接的控制

当我们使用 X2Go 客户端登录 KDE seesion 时,用户会看到一个对话框,要求输入 sudo 密码。我不希望用户有 sudo 密码,并且我想阻止出现该对话框。用户不应该为此烦恼。

对话框标题是:Authentication Required PolicyKit1 KDE Agent

消息是:

**System policy prevents control of network connections**  
An application is attempting to perform an action that requires privileges. Authentication is required to perform this action.  
Password:

Action: Allow control of network connections  
ID: org.freedesktop.NetworkManager.network-control  
Vendor: NetworkManager  
polkit.subject-pid: 20440  
polkit.caller-pid: 708  

- process 708 is /usr/bin/NetworkManager --no-daemon
- process 20440 is kded5 [kdeinit5]

pkaction version 0.116  (that's the policykit version)

相关策略已定义,因此不应请求/要求身份验证:

<action id="org.freedesktop.NetworkManager.network-control">
<_description>Allow control of network connections</_description>
<_message>System policy prevents control of network connections</_message>
<defaults>
  <allow_inactive>yes</allow_inactive>
  <allow_active>yes</allow_active>
</defaults>
</action>

相关日志行是:

Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: "Password: "
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Request:  "Password: "
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: REQUEST
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Trying again

Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Action description has been found
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Message of action:  "System policy prevents control of network connections"
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Initiating authentication
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: polkit_qt_listener_initiate_authentication callback for  0x55df1e7190a0
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: GSimpleAsyncResult: 
Aug 07 21:50:54 desktop polkit-kde-authentication-agent-1[26611]: Listener adapter polkit_qt_listener_initiate_authentication

Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: Authentication agent result: true
Aug 07 21:50:43 desktop polkitd[838]: Registered Authentication Agent for unix-session:19 (system bus name :1.5274 [/usr/lib/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: Listener online
Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: Adding new listener  PolkitQt1::Agent::Listener
Aug 07 21:50:43 desktop polkit-kde-authentication-agent-1[26611]: New PolkitAgentListener

Aug 07 21:50:42 desktop ksmserver[26587]: org.kde.kf5.ksmserver: Starting autostart service  "/etc/xdg/autostart/polkit-kde-authentication-agent-1.desktop" ("/usr/lib/polkit-kde-authentication-agent-1")

到目前为止我尝试过创建这个 polkit 规则:

/etc/polkit-1/rules.d/00-networkmanager.rules

polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system")
{
        polkit.log("NetworkManager.settings.modify.system: rule called");
    return polkit.Result.YES;
}
});

polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.network-control")
{
        polkit.log("NetworkManager.network-control: rule called");
    return polkit.Result.YES;
}
});

该规则由 root 拥有并具有第644章权限。

答案1

尝试使用pkla(政策工具包地方政府) 文件:

$ sudo ls -la /etc/polkit-1/localauthority/50-local.d
total 16
drwxr-xr-x 2 root root 4096 Dec 28 20:08 .
drwx------ 7 root root 4096 Aug  1  2017 ..
-rw-r--r-- 1 root root  573 Dec 27 01:16 45-allow-colord.pkla
-rw-r--r-- 1 root root  206 Dec 28 20:08 50-allow-network-manager.pkla

$ sudo cat /etc/polkit-1/localauthority/50-local.d/50-allow-network-manager.pkla
[Network Manager all Users]
Identity=unix-user:*
Action=org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes

答案2

警告:此答案会禁用几乎所有 polkit 的安全保护。

试试这个:在 /etc/polkit-1/localauthority/50-local.d 文件夹中创建一个名为 universal.pkla 的文件,其中包含以下内容:

    [Allow access to anything for remote users]
    Identity=unix-user:*
    Action=*
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes

然后使用“sudo systemctl restart polkit.service”重新启动 polkit 或重新启动。从那以后我就没有看到任何 polkit 身份验证提示了。

答案3

我使用 debian 12 (KDE) 和 xrdp / vnc ,今天遇到了同样的问题。

虽然这是一个老问题,但没有一个答案对我有用。

事实上我曾经使用pkla文件方式修复过颜色管理器问题。但我不知道为什么这一次对我不起作用。

以下是我阅读后解决此问题的方法man polkit

我没有使用文件,而是pkla创建了一个规则文件,以在用户位于“sudo”组时允许“org.freedesktop.NetworkManager.network-control”操作。

只需在下面创建此配置:

/etc/polkit-1/rules.d/50-allow-network-manager.rules
---
polkit.addRule(function(action, subject) {
   if (action.id == "org.freedesktop.NetworkManager.network-control" &&
       subject.isInGroup("sudo")) {
       return polkit.Result.YES;
   }
});

然后重新启动系统。


2023年12月26日更新:

您需要安装polkitd-pkla软件包才能使 pklocalauthority 在 debian 上运行:

sudo apt install polkitd-pkla

所以这个 pkla 做了同样的事情:

[Allow Network Manager]
Identity=unix-group:sudo;
Action=org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes

相关内容