Ubuntu 18.04 tigervnc: Authentication is required to create a color profile

Question

Trying to connect to tigervnc server running on Ubuntu 18.04 (using TigerVNC viewer windows client). After the initial authentication, I get an additional authentication prompt that reads "Authentication is required to create a color pr...". This happens only for the first login following a tigervnc server restart. Is there anyway I can bypass this?

score 6 · Answer 1 · answered Jul 02 '18 at 03:03

6

I fixed this by creating this file and setting perms to 644, and owner root:root:

Filename: /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf

Contents:

polkit.addRule(function(action, subject) {
  if ((action.id == "org.freedesktop.color-manager.create-device"  ||
       action.id == "org.freedesktop.color-manager.create-profile" ||
       action.id == "org.freedesktop.color-manager.delete-device"  ||
       action.id == "org.freedesktop.color-manager.delete-profile" ||
       action.id == "org.freedesktop.color-manager.modify-device"  ||
       action.id == "org.freedesktop.color-manager.modify-profile"
      ) && (
       subject.isInGroup("{nogroup}")
      )
     )
  {
    return polkit.Result.YES;
  }
});

answered Jul 02 '18 at 03:03

wryan

189

2

Can you explain how you came up with that, why it works, or where you got the info from? – Dogweather Sep 11 '18 at 22:01
A really good write-up on this can be found here: https://c-nergy.be/blog/?p=12073 – ulidtko Apr 23 '20 at 17:18
Besides: ... && subject.isInGroup("{nogroup}") makes no sense. Just delete or comment-out the check. This is JavaScript. – ulidtko Apr 23 '20 at 17:20

score 2 · Answer 2 · answered Apr 23 '20 at 18:56

Let me just extract the concrete fix for 18.04 only from the sequel to this excellent blog post. The latter drills down to the root cause of this issue; the former fixes it properly — while avoiding a crash caused by the return polkit.Result.YES; solution already posted here and elsewhere.

cat << EOF | sudo tee /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla
[Allow Colord all Users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF

This is relevant only for PolKit < 0.106 (pkaction --version).

For PolKit 0.106+ (Ubuntu 18.10+) this authorization is granted differently, via the javascript .conf file:

cat << EOF | sudo tee /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf
polkit.addRule(function(action, subject) {
  if ((action.id == "org.freedesktop.color-manager.create-device"  ||
       action.id == "org.freedesktop.color-manager.create-profile" ||
       action.id == "org.freedesktop.color-manager.delete-device"  ||
       action.id == "org.freedesktop.color-manager.delete-profile" ||
       action.id == "org.freedesktop.color-manager.modify-device"  ||
       action.id == "org.freedesktop.color-manager.modify-profile"
       //-- no group restriction; allow any user to manipulate color profiles!
       //-- uncomment and substitude adm with the group you need, if needed.
       // ) && (
       //  subject.isInGroup("{adm}")
     ))
  {
    return polkit.Result.YES;
  }
});
EOF

Ubuntu 18.04 tigervnc: Authentication is required to create a color profile

2 Answers2

Linked