Failure to launch authentication prompt on Ubuntu 24.04 LTS

[ToeKneeFan]

xrdp version

0.9.24

Detailed xrdp version, build options

xrdp 0.9.24
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2020 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --enable-ipv6
      --enable-jpeg
      --enable-fuse
      --enable-rfxcodec
      --enable-opus
      --enable-painter
      --enable-vsock
      --build=x86_64-linux-gnu
      --prefix=/usr
      --includedir=${prefix}/include
      --mandir=${prefix}/share/man
      --infodir=${prefix}/share/info
      --sysconfdir=/etc
      --localstatedir=/var
      --disable-silent-rules
      --libdir=${prefix}/lib/x86_64-linux-gnu
      --libexecdir=${prefix}/lib/x86_64-linux-gnu
      --disable-maintainer-mode
      --disable-dependency-tracking
      --with-socketdir=/run/xrdp/sockdir
      build_alias=x86_64-linux-gnu
      CFLAGS=-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/xrdp-Fn5kxo/xrdp-0.9.24=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/xrdp-Fn5kxo/xrdp-0.9.24=/usr/src/xrdp-0.9.24-4
      LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
      CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=3
      PKG_CONFIG_PATH=/build/xrdp-Fn5kxo/xrdp-0.9.24/pkgconfig

  Compiled with OpenSSL 3.0.13 30 Jan 2024

Operating system & version

Ubuntu 24.04.1 LTS

Installation method

dnf / apt / zypper / pkg / etc

Which backend do you use?

xorgxrdp

What desktop environment do you use?

GNOME

Environment xrdp running on

Physical machine with Intel HD Graphics 630

What's your client?

Microsoft Remote Desktop on Microsoft Windows 11

Area(s) with issue?

Authentication

Steps to reproduce

1. While logged in through xrdp, attempt to perform a GUI action that requires administrative/sudo privileges, such as adding a user.

✔️ Expected Behavior

We expect for an authentication prompt to appear and ask for a password.

❌ Actual Behavior

Nothing happens. Actions requiring sudo privileges are ignored.

Anything else?

OS release relationship This problem appears to be new to Ubuntu 24.04 LTS and was not present on the prior LTS version (22.04 LTS). That is, the expected authentication prompts appeared when GUI actions required it. It may not necessarily be related to xrdp; this could be a polkit or GNOME issue.

Previous reports This problem has been noted by a different user on StackOverflow. This was also noted on the c-nergy blog, which describes that expected polkit AUTH_ADMIN rules do not work:

Using the code above, you will be able to add users when remotely connect to your ubuntu machine. You would notice that no password prompt is required to perform this action. Normally, you could modify the exception rules and set multiple control level. The code below should prompt for password… However, this code does not seems to work !!! If time permits, we will investigate a little bit further

Unrelated issues/solutions My .xsessionrc file consists of the following:

export GNOME_SHELL_SESSION_MODE=ubuntu
export XDG_CURRENT_DESKTOP=ubuntu:GNOME
export XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/etc/xdg
export XAUTHORITY=/home/<redacted>/.Xauthority

That is, I have already configured xrdp to use the Ubuntu GNOME environment, rather than the default GNOME one. The problem reported on "Running GNOME on Ubuntu 24.04 LTS" is unrelated.

The solution proposed in "Why can't I perform some privileged GUI actions?" and @matt335672's pk-local is very helpful but is not applicable in this scenario, as pk-local adds polkit rules, including AUTH_ADMIN rules, but those rules cannot call the authentication prompt (as noted above).

This problem appears unrelated to #3053, which reports a different issue with Ubuntu 24.04 LTS. The error in this report is actually more similar to the problem described in #2926, which details a similar authentication-prompt issue on Xfce (may be the exact same problem, except on a different OS); that issue appears to have been closed prematurely due to nonresponse by the OP, so I am opening this one (especially as it is unclear if it is the same problem).

[ToeKneeFan]

It may also be noteworthy that GNOME Remote Desktop (the default RDP server in Ubuntu, the one that appears in Ubuntu settings) does not have this problem. By default, for GNOME Remote Desktop, authentication prompts appear when a superuser GUI action is performed (e.g., adding a new user).

Thus, although I mentioned that this could be a GNOME or polkit problem, it is mediated by an interaction with xrdp in a manner not replicated with GNOME Remote Desktop.

[matt335672]

Thanks for the high quality issue report @ToeKneeFan.

I'm a bit snowed under to look at this in a lot of detail currently, but I think what you're saying is, the link between the polkit daemon the polkit authentication agent for GNOME appears to be not working. Is that correct?

[matt335672]

Also, can you pick a scenario you'd like to look at and we'll step through it.

[matt335672]

FWIW, on my machine I get an authentication prompt in a GNOME xrdp session with this command as an unprivileged user:-

pkexec whoami

[ToeKneeFan]

Thanks for the high quality issue report @ToeKneeFan.

I'm a bit snowed under to look at this in a lot of detail currently, but I think what you're saying is, the link between the polkit daemon the polkit authentication agent for GNOME appears to be not working. Is that correct?

Thank you for your kind words, @matt335672! It appears to be an issue with the polkit daemon and polkit authentication agent, although it occurs when remotely accessing via xrdp and does not occur for GNOME Remote Desktop; perhaps it is due to a difference in the way xrdp-initiated GNOME sessions are treated.

I realize GNOME Remote Desktop is just accessing a more local session (is visible from the machine's local screen), so there are likely fundamental differences in the characteristics of the respective GNOME sessions.

[ToeKneeFan]

Also, can you pick a scenario you'd like to look at and we'll step through it.

1. Navigate to Settings.
2. Search for the "Users" setting.
3. Along the top of the window, there should be a prompt "Unlock to Add Users and Change Settings" with an "Unlock" button. Click on this button.
4. An authentication prompt should appear. It does not appear when accessing via xrdp.