System Administration & Network Administration
centos vnc sysadmin xrdp rocky-linux
Updated Tue, 18 Oct 2022 13:15:13 GMT

CentOS: Admin user on xrdp session can't do admin

I'm running a Rocky Linux 8.4 workstation with GNOME and MATE desktops, but I've seen the same problem on CentOS 7.9...

When I log into the machine on the local display, I can do things like administer users and set the system time using the Control Centre app (this on MATE, the tools are buried in the menu on GNOME). When I click on the tool I'll get a popup asking for my password, or there will be an "unlock" button to click before I get authenticated. This all works because my user is a member of the "wheel" administrative group.

However, when the same user logs in to the same desktop environment over xrdp, the ability to administer the system has gone. In some cases the "unlock" button is greyed out, in others when I click on the tool app icon I get a message "Error executing command as another user: Not authorized" in my .xsession-errors file.

As I understand it, the problem is down to polkit treating local and remote sessions differently, and basically blocking administrative actions from remote sessions such as xrdp, vnc etc. This is a pain, because the main reason for setting up the xrdp service was so that I could administer the machine remotely! I can work around this to some extent using sudo from a terminal, but really I want it to Just Work.

So my question is - how do I configure polkit to treat a remote session for my admin user identically to a local session? (Always assuming that polkit is the source of my problem!)


Having framed yesterday's frustrations more succinctly, I used a well-known search engine to look for "linux polkit local and remote sessions" and got this as the top result - Enabling system management privileges for non-local users - How the heck does polkit work, anyways? The answer (slightly modified from the linked question) is to create a file /etc/polkit-1/localauthority/50-local.d/10-remote-admin-allow.pkla containing

[Allow Remote Admin]

and run systemctl restart polkit (which is vital but was missed in the other question). You can also put this file under /var/lib/polkit-1, but according to pklocalauthority.8 the former is intended for local configuration while the latter is for 3rd party packages.