I'm running a Rocky Linux 8.4 workstation with GNOME and MATE desktops, but I've seen the same problem on CentOS 7.9...
When I log into the machine on the local display, I can do things like administer users and set the system time using the Control Centre app (this on MATE, the tools are buried in the menu on GNOME). When I click on the tool I'll get a popup asking for my password, or there will be an "unlock" button to click before I get authenticated. This all works because my user is a member of the "wheel" administrative group.
However, when the same user logs in to the same desktop environment over xrdp, the ability to administer the system has gone. In some cases the "unlock" button is greyed out, in others when I click on the tool app icon I get a message "Error executing command as another user: Not authorized" in my
As I understand it, the problem is down to polkit treating local and remote sessions differently, and basically blocking administrative actions from remote sessions such as xrdp, vnc etc. This is a pain, because the main reason for setting up the xrdp service was so that I could administer the machine remotely! I can work around this to some extent using sudo from a terminal, but really I want it to Just Work.
So my question is - how do I configure polkit to treat a remote session for my admin user identically to a local session? (Always assuming that polkit is the source of my problem!)
Having framed yesterday's frustrations more succinctly, I used a well-known search engine to look for "linux polkit local and remote sessions" and got this as the top result - Enabling system management privileges for non-local users - How the heck does polkit work, anyways? The answer (slightly modified from the linked question) is to create a file
    [Allow Remote Admin]
    Identity=unix-group:wheel
    Action=*
    ResultAny=auth_admin_keep
    ResultInactive=auth_admin_keep
    ResultActive=auth_admin_keep
systemctl restart polkit (which is vital but was missed in the other question). You can also put this file under /var/lib/polkit-1, but according to pklocalauthority.8 the former is intended for local configuration while the latter is for 3rd party packages.
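An added example, not part of the original post: a small Python audit of .pkla content that flags rules where ResultAny opens a wildcard Action to remote sessions or skips authentication altogether. The second sample section, the function name audit_pkla and the severity labels are constructed for illustration.

```python
import configparser

# Result values listed in pklocalauthority(8)
VALID = {"no", "auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep", "yes"}
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

# Constructed sample: the rule from the post, then a deliberately weak rule.
SAMPLE = """\
[Allow Remote Admin]
Identity=unix-group:wheel
Action=*
ResultAny=auth_admin_keep
ResultInactive=auth_admin_keep
ResultActive=auth_admin_keep

[Constructed weak rule]
Identity=unix-user:*
Action=org.example.*
ResultAny=yes
"""

def audit_pkla(text):
    """Return (section, severity, message) findings for .pkla content."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # .pkla keys are case-sensitive
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        for key in ("Identity", "Action"):
            if not sec.get(key, "").strip():
                findings.append((name, "error", "missing " + key))
        results = {k: sec[k].strip() for k in RESULT_KEYS if k in sec}
        if not results:
            findings.append((name, "error", "no Result* key set"))
        for key, value in results.items():
            if value not in VALID:
                findings.append((name, "error", key + " has unknown value " + value))
        actions = [a.strip() for a in sec.get("Action", "").split(";")]
        any_result = results.get("ResultAny")  # also covers remote sessions
        if any_result == "yes":
            findings.append((name, "high", "ResultAny=yes skips authentication"))
        elif "*" in actions and any_result in VALID - {"no"}:
            findings.append((name, "review", "Action=* covers every polkit action"))
    return findings

if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE):
        print(*finding, sep=": ")
```

The rule from the post is reported as "review" rather than "high" because auth_admin_keep still demands an administrator password before any action is authorized.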