[sf-lug] sudo abuse, suspend/shutdown, and polkit

Akkana Peck akkana at shallowsky.com
Tue Feb 19 10:36:12 PST 2019 

Rick Moen writes:
> Quoting Akkana Peck (akkana at shallowsky.com):
> 
> > Any suggestions on how to proceed with debugging this polkit stuff?
> 
> The following won't help you with the problem cited -- but it's a point
> of view.  Please ignore if you _just_ want to debug PolKit problems.
[ ... ]
> I consider all of that 'stack' to be trouble, and am trying to have as
> little to do with them as possible.  PolKit in particular has been

I was almost hoping to hear that. My first impulse was "What is this
polkit thing and why is it installed on my system anyway, and can I
remove it?" It turned out apt-get purge
libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-gobject-1-0
had quite a small list of dependencies, mostly related to flatpak.
Flatpak never worked for me anyway, so no loss.

After apt-get purge, though, systemctl suspend fails in a similar
but different way, and now poweroff and reboot fail the same way:

$ systemctl suspend
Failed to set wall message, ignoring: The name org.freedesktop.PolicyKit1 was not provided by any .service files
Failed to suspend system via logind: The name org.freedesktop.PolicyKit1 was not provided by any .service files
Failed to start suspend.target: The name org.freedesktop.PolicyKit1 was not provided by any .service files
See system logs and 'systemctl status suspend.target' for details.

$ systemctl status suspend.target
● suspend.target
   Loaded: masked (Reason: Unit suspend.target is masked.)
   Active: inactive (dead)

So I'm still hitting that "masked" error, and still don't know what
it means or how to get around it. Evidently there's a piece of
polkit still remaining in the systemd files that's adding this
wall/org.freedesktop.PolicyKit1 dependency, but I can't figure out where.

The man pages for systemd-suspend.service says nothing about wall.
It makes reference to "/etc/systemd/sleep.conf or a sleep.conf.d
file", but locate sleep.conf finds nothing but man pages, and and
man systemd-sleep.conf doesn't say anything about wall.
Similarly for logind.conf (since it's mentioned in the error).

Neither /lib/systemd/system/systemd-suspend.service nor
/lib/systemd/system/suspend.target make any reference to 
PolicyKit1. nor does any other file under /etc/systemd or
/lib/systemd, except the binary file /lib/systemd/systemd-networkd
which apparently has "org.freedesktop.PolicyKit1" compiled in.

Grepping for wall found files
/lib/systemd/system/systemd-ask-password-wall.service
and /lib/systemd/system/systemd-ask-password-wall.path; they both
reference man systemd-ask-password-console.service, which says
it "informs all logged in users for system passwords via wall(1). It
is intended to be used after boot to ensure that users are properly
notified." This makes no sense to me but doesn't seem related to
suspend, poweroff and reboot failing with PolicyKit1 errors.

Of course the easy answer is "Oh, well, systemd sucks and still
isn't ready for prime time, and you can't use it for this. Maybe
they'll fix it in a few years; meanwhile go back to using
sudo pm-suspend etc." And it may be that systemd's suspend
and shutdown services require polkit to work:
man systemd-logind.service suggests they may be joined at the hip.

        ...Akkana

More information about the sf-lug mailing list