xRDP – System Policy prevents changes when trying to add user in Remote Session

Hello World, 

This post should have been published long time ago but we never had the opportunity. So, time to tackle this and publish the requested post….

Some users have been asked why it’s not possible to add users within remote session using the GUI interface.  The reason behind this behavior is well known now and it’s called PolkitPolkit is an application authorization framework that capture actions performed by a user and check if the use has been authorized to perform such action or not. Polkit reads some policy files that will specify if the user requested by the user is authorized, not authorized or need authentication

Polkit provides a way to implement granular authorization to users based on the action requested but authorized actions can be different if you are locally logged on compared to user logged on remotely.  By default, Polkit will block the possibility to add users to your Ubuntu system via the GUI Interface.  

However, Polkit is flexible enough in order to create some custom rules and control what can be performed locally or remotely.   In this post, we will see how we can allow user creation via GUI interface while remotely connected to your Ubuntu machine. 

We already spoken extensively about Polkit technology and how to create exceptions.  You can find more information about polkit, pkla and xrdp by reading these previous posts 

Let’s do this….. 

Overview 

Disclaimer

This guide and associated instructions are provided AS IS.  Use it at your own risk !!! 

Problem description

In our scenario, we are using an computer running Ubuntu 21.10.  We have installed the xRDP software package using our famous xrdp-installer script (see xRDP – Easy install xRDP on Ubuntu 18.04,20.04,21.04,21.10 (Script Version 1.3)).  Using xRDP software, we are able to perform a remote connection to our Ubuntu 20.04.  So far, everything works as expected.  

It’s time for us to add a user on the system.  To perform this action, we open the System settings and locate users section.  As shown in the screenshot, you would need administrative rights to be able to add users into the system.  So far, the behavior between local and remote session are identical

01.UserMgmt_xrdp

Click on picture for better resolution

In the remote session, if you click on the unlock button, nothing will happens.  No authentication prompt will be displayed.  Nothing will show up.  The only hint that can help you understand that polkit is blocking the functionality is when you hover on the “unlock” button and you can see the information “System Policy Prevent Changes” 

03.UserMgmt_xrdp

Click on picture for better resolution

To enable this function, we need to tell Polkit that this action can be performed while remotely logged on…. keep reading  🙂 

Solution : Create your custom rules

Create your custom pkla file

To allow addition of users on your system via remote session,  we will need to create a text file under /etc/polkit-1/localauthority/50-local.d/.  You need administrative privileges in order to write in this location ! 

02.UserMgmt_xrdp

Click on picture for better resolution

 The file will be called  47-user-admin.pkla and should contains the following information 

[user admin]
Identity=unix-user:*
Action=org.gnome.controlcenter.user-accounts.administration
ResultAny=auth_admin_keep
ResultInactive=no
ResultActive=no

Save the file.   You are ready to try your configuration….. 

Testing your new rule 

Again, you have to perform a remote connection to your Ubuntu machine.  You will open again the System Settings, find the Users section.  Since the custom pkla rule has been implemented, if you hover on the Unlock button, you will notice that the message has changed.  It shows now “Dialog is locked. Click to make changes”

04.UserMgmt_xrdp

Click on picture for better resolution

If you click on the Unlock button, you will see that an authentication dialog box is displayed. 

05.UserMgmt_xrdp

Click on picture for better resolution

Provide the password for an admin account and you will see that you should be able to add new users from the GUI. The Add user button is available and you can proceed with your user creation process 

06.UserMgmt_xrdp

Click on picture for better resolution

Another option : the command line 

As a side note,  note that’s always possible to create user account remotely or locally using the command line tool “adduser”.   If you use the command line approach, there is no need to create a custom rule file and no need to modify the polkit configuration….

To create user via command line, you simply need to issue the following command in a Terminal session 

sudo adduser <%UserName%>

07.UserMgmt_xrdp

Click on picture for better resolution

You will be prompted for a password.  Provide the password and answer the question asked by the utility and you will see that your account will be created accordingly

08.UserMgmt_xrdp

Click on picture for better resolution

Final Notes

This is it for this post ! 

As you can see, it’s relatively easy to configure your system to allow users to create user account through the Graphical Interface when remotely connected using xRDP software. At first, this can look strange that a user has not the same authorization rules while logged on locally or logged remotely.   But when you understand what’s causing the behavior (i.e. Polkit technology),  you can configure your system accordingly and create some exceptions to allow actions when remotely connected.  

We have finally published this long awaited post….Time to move the next one… Possibly we could add this code into our famous xrdp-installer script…. 

Till next time 

See ya  

Leave a Reply