xRDP – Fixing Issue “You do not have permission” when installing Software from Software Center

 

 

 

Hello World, 

Since the release of Ubuntu 19.04, we have been notified by readers and some customers that it was not possible to perform software installation from the software center when remotely connected to Ubuntu through xRDP software solution.    This was quite intriguing as the issue didn’t seem to exists in previous versions (or existed but mainly when working on Beta version !!). We have decided to spent some time on this issue and try to solve it….  

After some investigation, we have actually found the issue.  While trying to fix another problem (with our famous installation script), we have introduced the software installation error. This post will explain how to fix it (and the fix is actually quite easy…)

Problem Description

Let’s imagine that xRDP package has been installed on an Ubuntu machine. After successful installation, a user performs a remote connection and access the Ubuntu desktop remotely. While working on the remote session, the logged-on user needs to perform a software installation. The user starts software center, select an application to install and then an error message stating that the user has no permission to perform this action is displayed.  You can actually get one of the following errors displayed 

Error message 1 – Unable to download software. you do not have permissions to install software 

Issues_softwareInstall

Click on picture for better resolution 

Error message 2 – Unable to install <%software_Name%>. Authentication was required

Issues_softwareInstall2

Click on picture for better resolution 

 

To workaround this problem,  you can always perform the software installation through command line.   You have basically two options   

option 1 - install from command line
sudo apt-get install <software_Name>

option 2 - Start Software center from command line with elevated privileges
sudo software-center  

Using these workarounds, a user (with the necessary permissions) would then be able to perform the software installation.    This is indeed just a workaround and we wanted to provide a real solution.  So, after investigation, we found out that the polkit rules we have been using to get rid of the new Authentication popup box was actually causing the issue…..

The Root cause of the problem 

As just mentioned, the root cause is an error in the polkit rule exception file that we have been using in order to get rid of the new Authentication popup box.  This behavior didn’t seem to be present in previous version of Ubuntu (more specifically Ubuntu 18.04 and previous versions). The problem started to occur with the release of Ubuntu 19.04. Obviously, this permission issue must be related to the Polkit technology.   So, after checking again the polkit rule file (*.pkla) created to tackle the authentication popup, we realized that the file was too restrictive and was indeed the cause of the issue….

In one of the previous post (see at http://c-nergy.be/blog/?p=13641), we have created the following polkit exception file (/etc/polkit-1/localauthority/50-local-d/45-allow-colord.pkla) which has the following content. 

[Allow Colord all Users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes

[Allow Package Management all Users]
Identity=unix-user:*
Action=org.debian.apt.*;io.snapcraft.*;org.freedesktop.packagekit.*;com.ubuntu.update-notifier.*
ResultAny=no
ResultInactive=no
ResultActive=yes

This *.pkla file is basically solving the authentication issue popup but introduce the software installation error seen in the remote session. The text in orange is basically the part that cause the software installation issue.   

The Solution

So, to fix the issue, we need to update the *.pkla file that was initially created to solve the authentication popup issue.  Instead of having a single *.pkla file, we have decided to create two files: 

  • one for the managed color authentication popup (i.e. 45-allow-colord.pkla) 
  • one for the system refresh authentication popup (i.e. 46-allow-update-repo.pkla)

The *.pkla file needs to be saved under the following location ( you need admin rights in order to create and save files in this location !!) 

/etc/polkit-1/localauthority/50-local.d/

The file named 45-allow-colord.pkla should contain the following information 

[Allow Colord all Users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes

The file named 46-allow-update-repo.pkla should contain the following information 

[Allow Package Management all Users]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-sources-refresh
ResultAny=yes
ResultInactive=yes
ResultActive=yes

When these two files have been created, you will basically fix any known Authentication popup issues and users will be able to perform software installation from software center when remotely connected to Ubuntu. 

As you can see, the file named 46-allow-update-repo.pkla has been “simplified”.  The file now only tackle the system-source-refresh rule (which was causing the new authentication popup in Ubuntu 19.04 and later).   To find which rule to use, we had to look at the polkit actions files located under /usr/share/polkit-1/actions 

Issues_softwareInstall3

Click on picture for better Resolution

We have been looking after a file controlling the packagekit feature and we have been able to identify precisely the file that would control the system refresh policy (i.e. org.freedesktop.packagekit.policy).  Opening the file and looking for the exact error message shown when new authentication popup is displayed  allowed us to identify exactly which polkit rule to modify and thus create our polkit exception file (*.pkla file) 

Issues_softwareInstall4

Click on picture for better Resolution

 

Final Notes 

Voila ! This is it ! 

By trying to solve the authentication error popup (authentication is required to refresh system repositories), we have introduced another issue. It took us some time to realize that our *.pkla file was causing the issue…

The good news is that the new and latest version of the xRDP installation script has already been modified and should not generate such annoyance anymore. The release Candidate Final script has been already published and you can give it a try.  We are already working in further improving the consolidated xrdp installation script and make it even more user friendly.   Time for us to go back to work 

Till next time

See ya

 

Leave a Reply