From 3c99876c648c93e08cc9b9fe5646984bfcdd0775 Mon Sep 17 00:00:00 2001 From: DRC Date: Thu, 18 Jul 2024 14:25:46 -0400 Subject: [PATCH] Build: Prevent GNOME 3+ auth dlgs in TVNC sessions ... on platforms that use newer polkit versions that don't support PKLA files, including: - Ubuntu 23.10 and later if the polkitd-pkla package is not installed - RHEL 7 and Fedora 19 and later if the polkit-pkla-compat package is not installed (but only RHEL 8 seems to allow it to be uninstalled) - SUSE (in theory, but the dialogs were never observed in practice) --- ChangeLog.md | 9 +++++++++ release/makedpkg.in | 19 ++++++++++++++++++- release/rpm.spec.in | 20 +++++++++++++++++++- 3 files changed, 46 insertions(+), 2 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index c25a8e8d2..ff4605e68 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -20,6 +20,15 @@ indefinitely if a viewer's network connection drops while it is dragging the mouse. A new Xvnc command-line option (`-pointerlocktimeout`) can be used to specify the time limit. +4. The RPM and DEB packages generated by the TurboVNC build/packaging system +now include a polkit rules file that prevents various authentication dialogs +("Authentication is required to create a color managed device", "Authentication +is required to access the PC/SC daemon", "Authentication is required to refresh +the system repositories") from popping up when using the GNOME window manager +with the TurboVNC Server on Ubuntu 23.10 and later (if the `polkitd-pkla` +package is not installed) and on RHEL 7 and Fedora 19 and later (if the +`polkit-pkla-compat` package is not installed.) + 3.1.1 ===== diff --git a/release/makedpkg.in b/release/makedpkg.in index 08d2c2b5a..56447d05d 100755 --- a/release/makedpkg.in +++ b/release/makedpkg.in @@ -87,11 +87,28 @@ EOF if [ "$SYSCONFDIR" = "/etc" ]; then mkdir -p $TMPDIR/etc/polkit-1/localauthority/50-local.d cat > $TMPDIR/etc/polkit-1/localauthority/50-local.d/45-turbovnc-gnome3.pkla << EOF -[Eliminate GNOME 3 dialogs in TurboVNC] +[Eliminate GNOME 3+ dialogs in TurboVNC] Identity=unix-user:* Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile;org.debian.pcsc-lite.access_pcsc;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-network-proxy-configure ResultAny=no EOF +mkdir -p $TMPDIR/etc/polkit-1/rules.d +cat > $TMPDIR/etc/polkit-1/rules.d/45-turbovnc-gnome3.rules << EOF +// Eliminate GNOME 3+ dialogs in TurboVNC +polkit.addRule(function(action, subject) { + if ((action.id == "org.freedesktop.color-manager.create-device" || + action.id == "org.freedesktop.color-manager.create-profile" || + action.id == "org.freedesktop.color-manager.delete-device" || + action.id == "org.freedesktop.color-manager.delete-profile" || + action.id == "org.freedesktop.color-manager.modify-device" || + action.id == "org.freedesktop.color-manager.modify-profile" || + action.id == "org.debian.pcsc-lite.access_pcsc" || + action.id == "org.freedesktop.packagekit.system-sources-refresh" || + action.id == "org.freedesktop.packagekit.system-network-proxy-configure") && + !subject.local) + return polkit.Result.NO; +}); +EOF fi if [ "$BUILDVIEWER" = "1" -a ! "$DATADIR" = "/usr/share" ]; then diff --git a/release/rpm.spec.in b/release/rpm.spec.in index d5e1686ee..f3849cedb 100644 --- a/release/rpm.spec.in +++ b/release/rpm.spec.in @@ -174,11 +174,28 @@ EOF %if "%{sysconfdir}" == "%{_sysconfdir}" mkdir -p %{buildroot}/%{sysconfdir}/polkit-1/localauthority/50-local.d cat > %{buildroot}/%{sysconfdir}/polkit-1/localauthority/50-local.d/45-turbovnc-gnome3.pkla << EOF -[Eliminate GNOME 3 dialogs in TurboVNC] +[Eliminate GNOME 3+ dialogs in TurboVNC] Identity=unix-user:* Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile;org.debian.pcsc-lite.access_pcsc;org.freedesktop.packagekit.system-sources-refresh;org.freedesktop.packagekit.system-network-proxy-configure ResultAny=no EOF +mkdir -p %{buildroot}/%{sysconfdir}/polkit-1/rules.d +cat > %{buildroot}/%{sysconfdir}/polkit-1/rules.d/45-turbovnc-gnome3.rules << EOF +// Eliminate GNOME 3+ dialogs in TurboVNC +polkit.addRule(function(action, subject) { + if ((action.id == "org.freedesktop.color-manager.create-device" || + action.id == "org.freedesktop.color-manager.create-profile" || + action.id == "org.freedesktop.color-manager.delete-device" || + action.id == "org.freedesktop.color-manager.delete-profile" || + action.id == "org.freedesktop.color-manager.modify-device" || + action.id == "org.freedesktop.color-manager.modify-profile" || + action.id == "org.debian.pcsc-lite.access_pcsc" || + action.id == "org.freedesktop.packagekit.system-sources-refresh" || + action.id == "org.freedesktop.packagekit.system-network-proxy-configure") && + !subject.local) + return polkit.Result.NO; +}); +EOF %endif %endif @@ -259,6 +276,7 @@ fi %attr(0750,root,polkitd) %dir %{sysconfdir}/polkit-1/localauthority %dir %{sysconfdir}/polkit-1/localauthority/50-local.d %config %{sysconfdir}/polkit-1/localauthority/50-local.d/45-turbovnc-gnome3.pkla + %config %{sysconfdir}/polkit-1/rules.d/45-turbovnc-gnome3.rules %endif %endif