after upgrade to MX23: password policy has changed

[harley-peter]

After the upgrade system programms like gparted or synaptic nomore requires the root password but the normal user password. Actually for me it is no problem but it is not useful to execute system programms with user passwords.
Some other programms (p.e. xsane or gscan2pdf) which did not require passwords in MX21 now requires a user password from the activ user. Also this does not make sense.

How can I correct these things?

QSI:

Code: Select all

System:    Kernel: 6.1.0-10-amd64 [6.1.38-2] x86_64 bits: 64 compiler: gcc v: 12.2.0 
           parameters: BOOT_IMAGE=/boot/vmlinuz-6.1.0-10-amd64 root=UUID=<filter> ro quiet splash 
           Desktop: Xfce 4.18.1 tk: Gtk 3.24.36 info: xfce4-panel wm: xfwm 4.18.0 vt: 7 
           dm: LightDM 1.26.0 Distro: MX-23_x64 Libretto November 11  2020 
           base: Debian GNU/Linux 12 (bookworm) 
Machine:   Type: Laptop System: LENOVO product: 20FMS7800T v: ThinkPad T460 serial: <filter> 
           Chassis: type: 10 serial: <filter> 
           Mobo: LENOVO model: 20FMS7800T v: SDK0J40697 WIN serial: <filter> UEFI: LENOVO 
           v: R06ET47W (1.21 ) date: 11/30/2016 
Battery:   ID-1: BAT0 charge: 16.5 Wh (96.5%) condition: 17.1/23.5 Wh (72.7%) volts: 12.5 
           min: 11.4 model: LGC 45N1113 type: Li-ion serial: <filter> status: Not charging 
           ID-2: BAT1 charge: 55.8 Wh (90.0%) condition: 62.0/71.3 Wh (87.0%) volts: 12.3 
           min: 10.8 model: SANYO 45N1777 type: Li-ion serial: <filter> status: Charging 
CPU:       Info: Dual Core model: Intel Core i5-6300U bits: 64 type: MT MCP arch: Skylake 
           family: 6 model-id: 4E (78) stepping: 3 microcode: F0 cache: L2: 3 MiB 
           flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx bogomips: 19999 
           Speed: 500 MHz min/max: 400/3000 MHz Core speeds (MHz): 1: 500 2: 500 3: 500 4: 500 
           Vulnerabilities: Type: itlb_multihit status: KVM: VMX disabled 
           Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable 
           Type: mds mitigation: Clear CPU buffers; SMT vulnerable 
           Type: meltdown mitigation: PTI 
           Type: mmio_stale_data mitigation: Clear CPU buffers; SMT vulnerable 
           Type: retbleed mitigation: IBRS 
           Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl 
           Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization 
           Type: spectre_v2 mitigation: IBRS, IBPB: conditional, STIBP: conditional, RSB filling, 
           PBRSB-eIBRS: Not affected 
           Type: srbds mitigation: Microcode 
           Type: tsx_async_abort mitigation: TSX disabled 
Graphics:  Device-1: Intel Skylake GT2 [HD Graphics 520] vendor: Lenovo driver: i915 v: kernel 
           bus-ID: 00:02.0 chip-ID: 8086:1916 class-ID: 0300 
           Device-2: Bison ThinkPad P50 Integrated Camera type: USB driver: uvcvideo 
           bus-ID: 1-10:6 chip-ID: 5986:0706 class-ID: 0e02 
           Display: x11 server: X.Org 1.21.1.7 compositor: xfwm4 v: 4.18.0 driver: 
           loaded: modesetting unloaded: fbdev,vesa display-ID: :0.0 screens: 1 
           Screen-1: 0 s-res: 1600x900 s-dpi: 96 s-size: 423x238mm (16.7x9.4") 
           s-diag: 485mm (19.1") 
           Monitor-1: eDP-1 res: 1600x900 dpi: 132 size: 309x173mm (12.2x6.8") diag: 354mm (13.9") 
           OpenGL: renderer: Mesa Intel HD Graphics 520 (SKL GT2) v: 4.6 Mesa 22.3.6 
           direct render: Yes 
Audio:     Device-1: Intel Sunrise Point-LP HD Audio vendor: Lenovo driver: snd_hda_intel 
           v: kernel alternate: snd_soc_skl,snd_sof_pci_intel_skl bus-ID: 00:1f.3 
           chip-ID: 8086:9d70 class-ID: 0403 
           Sound Server-1: ALSA v: k6.1.0-10-amd64 running: yes 
           Sound Server-2: PulseAudio v: 16.1 running: yes 
Network:   Device-1: Intel Ethernet I219-LM vendor: Lenovo driver: e1000e v: kernel port: efa0 
           bus-ID: 00:1f.6 chip-ID: 8086:156f class-ID: 0200 
           IF: eth0 state: down mac: <filter> 
           Device-2: Intel Wireless 8260 driver: iwlwifi v: kernel modules: wl port: efa0 
           bus-ID: 04:00.0 chip-ID: 8086:24f3 class-ID: 0280 
           IF: wlan0 state: up mac: <filter> 
Bluetooth: Device-1: Intel Bluetooth wireless interface type: USB driver: btusb v: 0.8 
           bus-ID: 1-7:4 chip-ID: 8087:0a2b class-ID: e001 
           Report: hciconfig ID: hci0 rfk-id: 2 state: up address: <filter> bt-v: 2.1 lmp-v: 4.2 
           sub-v: 100 hci-v: 4.2 rev: 100 
           Info: acl-mtu: 1021:4 sco-mtu: 96:6 link-policy: rswitch sniff 
           link-mode: peripheral accept service-classes: rendering, capturing, audio, telephony 
Drives:    Local Storage: total: 238.47 GiB used: 89.23 GiB (37.4%) 
           SMART Message: Unable to run smartctl. Root privileges required. 
           ID-1: /dev/sda maj-min: 8:0 vendor: Samsung model: MZ7TY256HDHP-000L7 size: 238.47 GiB 
           block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s type: SSD serial: <filter> 
           rev: 5L6Q scheme: GPT 
Partition: ID-1: / raw-size: 19.53 GiB size: 19.06 GiB (97.57%) used: 15.57 GiB (81.7%) fs: ext4 
           dev: /dev/sda2 maj-min: 8:2 
           ID-2: /boot/efi raw-size: 100 MiB size: 96 MiB (96.00%) used: 25.2 MiB (26.3%) fs: vfat 
           dev: /dev/sda1 maj-min: 8:1 
           ID-3: /home raw-size: 218.84 GiB size: 214.35 GiB (97.95%) used: 73.63 GiB (34.3%) 
           fs: ext4 dev: /dev/sda3 maj-min: 8:3 
Swap:      Alert: No swap data was found. 
Sensors:   System Temperatures: cpu: 37.0 C mobo: N/A 
           Fan Speeds (RPM): fan-1: 0 
Repos:     Packages: note: see --pkg apt: 2652 lib: 1333 flatpak: 0 
           No active apt repos in: /etc/apt/sources.list 
           Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list 
           1: deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free
           Active apt repos in: /etc/apt/sources.list.d/debian.list 
           1: deb http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
           2: deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
           Active apt repos in: /etc/apt/sources.list.d/mx.list 
           1: deb http://ftp.halifax.rwth-aachen.de/mxlinux/packages/mx/repo/ bookworm main non-free
           Active apt repos in: /etc/apt/sources.list.d/various.list 
           1: deb [arch=amd64] https://wire-app.wire.com/linux/debian/ stable main
           2: deb https://apt.enpass.io/ stable main
           3: deb [arch=amd64] http://deb.librewolf.net focal main
           Active apt repos in: /etc/apt/sources.list.d/vivaldi.list 
           1: deb [arch=amd64] http://repo.vivaldi.com/stable/deb/ stable main
Info:      Processes: 218 Uptime: 1h 21m wakeups: 2 Memory: 15.49 GiB used: 2.17 GiB (14.0%) 
           Init: SysVinit v: 3.06 runlevel: 5 default: 5 tool: systemctl Compilers: gcc: 12.2.0 
           alt: 10/12 Client: shell wrapper v: 5.2.15-release inxi: 3.3.06 
Boot Mode: UEFI

[baldyeti]

The default actually changed with MX21 already, but you can set it back to requiring "root" authentication - see MX Tweak, "Other" tab, password for admin tasks.

[asqwerth]

....Some other programms (p.e. xsane or gscan2pdf) which did not require passwords in MX21 now requires a user password from the activ user. Also this does not make sense.

....

That is one of the problems of in-place upgrades - it will update the packages already on your system but any non-dependency new packages that are necessary don't get pulled in.

This bug was detected during the mx23 testing phase. @dolphin_oracle said he had to add an additional package to resolve this issue. I am tagging him because I can't recall what the package was called.

[harley-peter]

@baldyeti:
O. k. but in this case also the user programms like xsane requires the root password.
Is there a possiblity to configure the password management in general? It does not make sense that normal user applications require passwords.

[dolphin_oracle]

you may need to clean up some files under

/etc/poklit-1/localauthority.conf.d/

including removing /etc/poklit-1/localauthority.conf.d/55-tweak-override.conf if it exists (although it should be ignored if it is). the way and where policykit stores rules files did change. between debian's defaults and anything left over, there may be some conflict.

A default mx23 install has nothing in /etc/poklit-1/localauthority.conf.d/

[harley-peter]

In the directory /etc/poklit-1/localauthority.conf.d there is nothing

[BitterTruth]

Is it just xsane and g2scanpdf? If so check what groups you are a member of.

Meaybe you need to be a member of the scanner group or something:

Code: Select all

groups

Check under MX User Manager ========>Group Membership ==============> Your_user

scanner should be ticked

[asqwerth]

In the directory /etc/poklit-1/localauthority.conf.d there is nothing

@harley-peter @dolphin_oracle

I just checked the User Installed Packages list in my laptop install of the alpha2.

The package that wasn't present in alpha2 that dolphin told me he had to add was:

avahi-sysvinit-compat

After manually installing that package, simple-scan no longer asked me for a password.

Please check if your migrated system has this package.

[harley-peter]

@BitterTruth:
i enabled the user for the group saned but without success.

@asqwerth:
I installed the package and it seem to work with xsane. I will test it for other applications.
Remains the little problem of root or user password.

[harley-peter]

O. k., with the installation of avahi-sysvinit-compat the normal apps non require a password but the behaviour with the system apps like Gparted or MX Boot Repair or Zulucrypt is strange. After the upgrade all these apps non longer require the root password but the user password from the user who is already logged in.