Not authorized to mount drives when connected to Ubuntu via RDP. Why?
I have a machine running Ubuntu 12.04 and since getting my new machine I have been connecting to it via RDP, which works fine, but I keep getting unexpected prompts to enter my password or even outright ‘not authorized’ messages. I kept meaning to fix this but there always seemed to be more important things to do (“Look, new XKCD comics.”). The final straw that prompted me to action was not being able to mount drives in the GUI. Having to issue SUDO MOUNT commands got old real quick.
Lots of Googling later, the answer was due to Polkit settings. It seems that there are three types of connections: Active, Inactive and Any. Active and Inactive are local console connections, while RDP is considered Any. The problem is that Any connections have significantly reduced privileges compared to Active connections.
The answer was described here (When machine is headless, user is no longer privileged) and I used the script by enzotib to fix the Polkit settings so that Any had the same privileges as Active.
(answer reproduced below)
I think this is the correct PolicyKit behavior.
The policies for Active, Inactive and Any other users are different, so when you are connected through NX you are not Active (clients in active sessions on local consoles), nor Inactive (clients in inactive sessions on local consoles), but you are treated as an Any user.
You can see the default policy for the actions under policy control for the different types of users with the command
pkaction --verbose
As you can see, the user of type Any is limited in comparison to Active users.
To remedy this, you can modify the default policy. In the following I suggest an awk script to create a policy kit file to put in the right location. This is the script:
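#!/usr/bin/awk -f
# Reads `pkaction --verbose` output and writes one .pkla entry per action.

# Unindented line: the action id followed by a trailing colon.
/^[^ ]/ {
    action = substr($0, 1, length($0) - 1)
}

# Indented line: a detail of the current action.
/^ / {
    if ($1 == "description:") {
        $1 = ""
        description = substr($0, 2)
        # Fall back to the action id when there is no description.
        if (description == "")
            description = action
    } else if ($1 == "implicit") {
        if ($2 == "any:")
            any = $3
        else if ($2 == "inactive:")
            inactive = $3
        else if ($2 == "active:") {
            # "implicit active" is the last detail line: emit the entry,
            # giving all three session types the Active result.
            active = $3
            print ""
            print "[" description "]"
            print "Identity=unix-group:admin"
            print "Action=" action
            print "ResultActive=" active
            print "ResultInactive=" active
            print "ResultAny=" active
        }
    }
}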
Suppose you call it create-policy. Make it executable, then execute the script with
pkaction --verbose | ./create-policy > local.pkla
then move the resulting file:
sudo mv local.pkla /var/lib/polkit-1/localauthority/50-local.d/
You should now have the same rights as if you were a local session user.
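
The script above writes an override for every action that pkaction lists. As an added example (not enzotib's script and not part of the original answer), this narrower variant emits entries only for actions under a chosen prefix whose Any default differs from Active, and keeps ResultInactive at its default. The function names, the sample pkaction output (constructed) and the choice of the org.freedesktop.udisks. prefix are assumptions.

```shell
#!/bin/sh
# Added example: emit .pkla overrides only for actions under PREFIX whose
# "implicit any" default differs from "implicit active".
# Usage: pkaction --verbose | scoped_pkla PREFIX GROUP
scoped_pkla() {
    awk -v prefix="$1" -v group="$2" '
    /^[^ ]/ { action = substr($0, 1, length($0) - 1); any = inactive = "" }
    /^ / && $1 == "implicit" {
        if ($2 == "any:") any = $3
        else if ($2 == "inactive:") inactive = $3
        else if ($2 == "active:" && index(action, prefix) == 1 && any != $3) {
            print ""
            print "[" action "]"
            print "Identity=unix-group:" group
            print "Action=" action
            print "ResultActive=" $3
            print "ResultInactive=" inactive
            print "ResultAny=" $3
        }
    }'
}

# Constructed sample in the layout of `pkaction --verbose` (values are made up).
sample_pkaction() {
    cat <<'EOF'
org.freedesktop.udisks.filesystem-mount:
  description:       Mount a device
  implicit any:      no
  implicit inactive: no
  implicit active:   yes

org.freedesktop.udisks.filesystem-check:
  description:       Check a file system
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin

org.example.backup.restore:
  description:       Restore a backup
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin
EOF
}

# Only the mount action is printed: it matches the prefix and any != active.
sample_pkaction | scoped_pkla org.freedesktop.udisks. admin
```

Reading the generated file before moving it into 50-local.d shows exactly which actions remote sessions gain.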