No GUI password prompts for pamac CLI on Gnome after 2023-03-31 update

After that update I stopped getting GUI windows for password prompts. EDIT: So when I use something like pamac, I get prompted in the terminal.

From what I’ve gathered, the prompts are provided by /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1. I see that it’s part of the polkit-gnome package. I reinstalled it and polkit, but the authentication agent still doesn’t start.

I’ve tried running the agent from the terminal, but it errors out with: Cannot register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject.

I also have Plasma installed, so the system also has polkit-kde-authentication-agent-1, but that isn’t running.

I’ve tried copying /usr/share/applications/polkit-gnome-authentication-agent-1.desktop into /etc/xdg/autostart, but that didn’t help.

My system info (inxi -v7azy):

System:
  Kernel: 6.1.23-1-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 12.2.1
    parameters: initrd=\479ea96c27094f398237217757225b95\6.1.23-1-MANJARO\intel-ucode.img
    initrd=\479ea96c27094f398237217757225b95\6.1.23-1-MANJARO\initrd
    root=/dev/mapper/crypt_priv_systems rw rootflags=subvol=@
    cryptdevice=UUID=1ee9550c-b336-4db6-8f47-94834809ec15:crypt_priv_systems
    apparmor=1 security=apparmor udev.log_priority=3
  Desktop: GNOME v: 43.4 tk: GTK v: 3.24.37 wm: gnome-shell dm: GDM v: 43.0
    Distro: Manjaro Linux base: Arch Linux
Machine:
  Type: Laptop System: Alienware product: Alienware 15 R3 v: 1.12.2
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: Alienware model: Alienware 15 R3 v: A00 serial: <superuser required>
    UEFI: Alienware v: 1.12.2 date: 06/07/2021
Battery:
  ID-1: BAT1 charge: 1.1 Wh (100.0%) condition: 1.1/99.0 Wh (1.2%) volts: 12.4
    min: 11.4 model: COMPAL PABAS0241231 type: Li-ion serial: <filter>
    status: full
Memory:
  RAM: total: 31.22 GiB used: 4.23 GiB (13.5%)
  RAM Report: permissions: Unable to run dmidecode. Root privileges required.
CPU:
  Info: model: Intel Core i7-7820HK bits: 64 type: MT MCP arch: Kaby Lake
    gen: core 7 level: v3 note: check built: 2018 process: Intel 14nm family: 6
    model-id: 0x9E (158) stepping: 9 microcode: 0xF0
  Topology: cpus: 1x cores: 4 tpc: 2 threads: 8 smt: enabled cache:
    L1: 256 KiB desc: d-4x32 KiB; i-4x32 KiB L2: 1024 KiB desc: 4x256 KiB
    L3: 8 MiB desc: 1x8 MiB
  Speed (MHz): avg: 2285 high: 3494 min/max: 800/3900 scaling:
    driver: intel_pstate governor: powersave cores: 1: 2592 2: 3494 3: 800 4: 947
    5: 3259 6: 800 7: 3493 8: 2900 bogomips: 46419
  Flags: 3dnowprefetch abm acpi adx aes aperfmperf apic arat
    arch_capabilities arch_perfmon art avx avx2 bmi1 bmi2 bts clflush
    clflushopt cmov constant_tsc cpuid cpuid_fault cx16 cx8 de ds_cpl dtes64
    dtherm dts epb ept ept_ad erms est f16c flexpriority flush_l1d fma fpu
    fsgsbase fxsr ht hwp hwp_act_window hwp_epp hwp_notify ibpb ibrs ida
    intel_pt invpcid invpcid_single lahf_lm lm mca mce md_clear mmx monitor
    movbe mpx msr mtrr nonstop_tsc nopl nx pae pat pbe pcid pclmulqdq pdcm
    pdpe1gb pebs pge pln pni popcnt pse pse36 pti pts rdrand rdseed rdtscp
    rep_good sdbg sep smap smep ss ssbd sse sse2 sse4_1 sse4_2 ssse3 stibp
    syscall tm tm2 tpr_shadow tsc tsc_adjust tsc_deadline_timer vme vmx vnmi
    vpid x2apic xgetbv1 xsave xsavec xsaveopt xsaves xtopology xtpr
  Vulnerabilities:
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT
    vulnerable
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data mitigation: Clear CPU buffers; SMT vulnerable
  Type: retbleed mitigation: IBRS
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: IBRS, IBPB: conditional, STIBP: conditional,
    RSB filling, PBRSB-eIBRS: Not affected
  Type: srbds mitigation: Microcode
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: Intel HD Graphics 630 vendor: Dell driver: i915 v: kernel
    arch: Gen-9.5 process: Intel 14nm built: 2016-20 ports: active: none
    empty: DP-1, DP-2, HDMI-A-1, HDMI-A-2, HDMI-A-3 bus-ID: 00:02.0
    chip-ID: 8086:591b class-ID: 0380
  Device-2: NVIDIA GP104BM [GeForce GTX 1070 Mobile] vendor: Dell
    driver: nouveau v: kernel non-free: 530.xx+ status: current (as of 2023-03)
    arch: Pascal code: GP10x process: TSMC 16nm built: 2016-21 pcie: gen: 1
    speed: 2.5 GT/s lanes: 8 link-max: gen: 3 speed: 8 GT/s lanes: 16 ports:
    active: HDMI-A-4 off: eDP-1 empty: DP-3 bus-ID: 01:00.0 chip-ID: 10de:1be1
    class-ID: 0300 temp: 51.0 C
  Device-3: Logitech C920 HD Pro Webcam type: USB
    driver: snd-usb-audio,uvcvideo bus-ID: 1-2.4.2:9 chip-ID: 046d:0892
    class-ID: 0102 serial: <filter>
  Device-4: Realtek Integrated Webcam HD type: USB driver: uvcvideo
    bus-ID: 1-7:7 chip-ID: 0bda:58c2 class-ID: 0e02 serial: <filter>
  Device-5: DisplayLink USB3.0 Dual Video Dock type: USB
    driver: cdc_ncm,snd-usb-audio bus-ID: 2-4.1:3 chip-ID: 17e9:4307
    class-ID: 0a00 serial: <filter>
  Display: x11 server: X.org v: 1.21.1.8 with: Xwayland v: 23.1.1
    compositor: gnome-shell driver: X: loaded: modesetting alternate: fbdev,vesa
    dri: nouveau,iris gpu: nouveau display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1920x1200 s-size: <missing: xdpyinfo>
  Monitor-1: HDMI-A-4 mapped: HDMI-4 pos: primary model: Idek Iiyama X2485
    serial: <filter> built: 2012 res: 1920x1200 hz: 60 dpi: 94 gamma: 1.2
    size: 518x324mm (20.39x12.76") diag: 611mm (24.1") ratio: 16:10 modes:
    max: 1920x1200 min: 720x400
  Monitor-2: eDP-1 note: disabled model: AU Optronics 0x51ed serial: <filter>
    built: 2016 res: 1920x1200 dpi: 142 gamma: 1.2 size: 344x193mm (13.54x7.6")
    diag: 394mm (15.5") ratio: 16:9 modes: max: 1920x1080 min: 640x350
  API: OpenGL v: 4.3 Mesa 23.0.2 renderer: NV134 direct-render: Yes
Audio:
  Device-1: Intel CM238 HD Audio vendor: Dell driver: snd_hda_intel v: kernel
    bus-ID: 1-2.4.2:9 chip-ID: 046d:0892 bus-ID: 00:1f.3 class-ID: 0102
    chip-ID: 8086:a171 serial: <filter> class-ID: 0403
  Device-2: NVIDIA GP104 High Definition Audio vendor: Dell
    driver: snd_hda_intel v: kernel pcie: gen: 1 speed: 2.5 GT/s lanes: 8
    link-max: gen: 3 speed: 8 GT/s lanes: 16 bus-ID: 01:00.1 chip-ID: 10de:10f0
    class-ID: 0403
  Device-3: Logitech C920 HD Pro Webcam type: USB
    driver: snd-usb-audio,uvcvideo
  Device-4: DisplayLink USB3.0 Dual Video Dock type: USB
    driver: cdc_ncm,snd-usb-audio bus-ID: 2-4.1:3 chip-ID: 17e9:4307
    class-ID: 0a00 serial: <filter>
  API: ALSA v: k6.1.23-1-MANJARO status: kernel-api with: aoss
    type: oss-emulator tools: alsamixer,amixer
  Server-1: sndiod v: N/A status: off tools: aucat,midicat,sndioctl
  Server-2: JACK v: 1.9.22 status: off tools: N/A
  Server-3: PipeWire v: 0.3.68 status: off with: pipewire-media-session
    status: active tools: pw-cli
  Server-4: PulseAudio v: 16.1 status: active tools: pacat,pactl
Network:
  Device-1: Qualcomm Atheros Killer E2500 Gigabit Ethernet vendor: Dell
    driver: alx v: kernel pcie: gen: 1 speed: 2.5 GT/s lanes: 1 port: d000
    bus-ID: 3d:00.0 chip-ID: 1969:e0b1 class-ID: 0200
  IF: enp61s0 state: down mac: <filter>
  Device-2: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter
    vendor: Rivet Networks driver: ath10k_pci v: kernel pcie: gen: 1
    speed: 2.5 GT/s lanes: 1 bus-ID: 3e:00.0 chip-ID: 168c:003e class-ID: 0280
    temp: 54.0 C
  IF: wlp62s0 state: up mac: <filter>
  IP v4: <filter> type: dynamic noprefixroute scope: global
    broadcast: <filter>
  IP v6: <filter> type: noprefixroute scope: link
  IF-ID-1: br-560b51d36758 state: down mac: <filter>
  IP v4: <filter> scope: global broadcast: <filter>
  IF-ID-2: docker0 state: down mac: <filter>
  IP v4: <filter> scope: global broadcast: <filter>
  IF-ID-3: enp0s20f0u4u1i5 state: down mac: <filter>
  WAN IP: <filter>
Bluetooth:
  Device-1: Qualcomm Atheros QCA61x4 Bluetooth 4.0 type: USB driver: btusb
    v: 0.8 bus-ID: 1-5:5 chip-ID: 0cf3:e300 class-ID: e001
  Report: rfkill ID: hci0 rfk-id: 0 state: up address: see --recommends
Logical:
  Message: No logical block device data found.
  Device-1: crypt_data maj-min: 254:1 type: LUKS dm: dm-1 size: 1.82 TiB
  Components:
  p-1: sda maj-min: 8:0 size: 1.82 TiB
  Device-2: crypt_priv_systems maj-min: 254:0 type: LUKS dm: dm-0
    size: 687.37 GiB
  Components:
  p-1: nvme0n1p1 maj-min: 259:6 size: 687.37 GiB
RAID:
  Message: No RAID data found.
Drives:
  Local Storage: total: 3.19 TiB used: 1.24 TiB (38.8%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:5 vendor: SanDisk
    model: SSDPR-PX500-01T-80-G2 size: 931.51 GiB block-size: physical: 512 B
    logical: 512 B speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter>
    rev: EDFMC0.0 temp: 40.9 C scheme: GPT
  ID-2: /dev/nvme1n1 maj-min: 259:0 vendor: SanDisk model: A400 NVMe 512GB
    size: 476.94 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
    lanes: 4 type: SSD serial: <filter> rev: A3582012 temp: 56.9 C scheme: GPT
  ID-3: /dev/sda maj-min: 8:0 vendor: Seagate model: ST2000LM015-2E8174
    size: 1.82 TiB block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s
    type: HDD rpm: 5400 serial: <filter> rev: 0001
  Message: No optical or floppy data found.
Partition:
  ID-1: / raw-size: 687.37 GiB size: 687.37 GiB (100.00%)
    used: 65.41 GiB (9.5%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: crypt_priv_systems label: N/A uuid: N/A
  ID-2: /data raw-size: 1.82 TiB size: 1.79 TiB (98.37%)
    used: 1.18 TiB (65.8%) fs: ext4 dev: /dev/dm-1 maj-min: 254:1
    mapped: crypt_data label: N/A uuid: N/A
  ID-3: /efi raw-size: 500 MiB size: 496 MiB (99.20%) used: 233.9 MiB (47.1%)
    fs: vfat dev: /dev/nvme1n1p1 maj-min: 259:1 label: ESP uuid: 1A2A-E598
  ID-4: /home raw-size: 687.37 GiB size: 687.37 GiB (100.00%)
    used: 65.41 GiB (9.5%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: crypt_priv_systems label: N/A uuid: N/A
  ID-5: /var/cache raw-size: 687.37 GiB size: 687.37 GiB (100.00%)
    used: 65.41 GiB (9.5%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: crypt_priv_systems label: N/A uuid: N/A
  ID-6: /var/log raw-size: 687.37 GiB size: 687.37 GiB (100.00%)
    used: 65.41 GiB (9.5%) fs: btrfs dev: /dev/dm-0 maj-min: 254:0
    mapped: crypt_priv_systems label: N/A uuid: N/A
Swap:
  Alert: No swap data was found.
Unmounted:
  ID-1: /dev/nvme0n1p2 maj-min: 259:7 size: 244.14 GiB fs: <superuser required>
    label: N/A uuid: N/A
  ID-2: /dev/nvme1n1p2 maj-min: 259:2 size: 128 MiB fs: <superuser required>
    label: N/A uuid: N/A
  ID-3: /dev/nvme1n1p3 maj-min: 259:3 size: 475.5 GiB fs: ntfs label: OS
    uuid: C6BC6DCBBC6DB699
  ID-4: /dev/nvme1n1p4 maj-min: 259:4 size: 841.4 MiB fs: ntfs label: N/A
    uuid: DE86706F86704A53
USB:
  Hub-1: 1-0:1 info: Hi-speed hub with single TT ports: 16 rev: 2.0
    speed: 480 Mb/s chip-ID: 1d6b:0002 class-ID: 0900
  Hub-2: 1-2:2 info: VIA Labs Hub ports: 4 rev: 2.1 speed: 480 Mb/s
    chip-ID: 2109:2811 class-ID: 0900
  Device-1: 1-2.3:4 info: Yubicom Yubikey 4/5 OTP+U2F+CCID
    type: Keyboard,HID,Smart Card driver: hid-generic,usbhid interfaces: 3
    rev: 2.0 speed: 12 Mb/s power: 30mA chip-ID: 1050:0407 class-ID: 0b00
  Hub-3: 1-2.4:6 info: Terminus Hub ports: 4 rev: 2.0 speed: 480 Mb/s
    power: 100mA chip-ID: 1a40:0101 class-ID: 0900
  Device-1: 1-2.4.1:8 info: Evoluent VerticalMouse 4 type: Mouse
    driver: hid-generic,usbhid interfaces: 1 rev: 2.0 speed: 1.5 Mb/s
    power: 100mA chip-ID: 1a7c:0191 class-ID: 0301
  Device-2: 1-2.4.2:9 info: Logitech C920 HD Pro Webcam type: Video,Audio
    driver: snd-usb-audio,uvcvideo interfaces: 4 rev: 2.0 speed: 480 Mb/s
    power: 500mA chip-ID: 046d:0892 class-ID: 0102 serial: <filter>
  Device-3: 1-2.4.3:10 info: Wacom CTL-672 [One by (M)] type: Mouse,HID
    driver: usbhid,wacom interfaces: 2 rev: 2.0 speed: 12 Mb/s power: 498mA
    chip-ID: 056a:037b class-ID: 0300 serial: <filter>
  Device-4: 1-2.4.4:11 info: Microsoft Natural Ergonomic Keyboard 4000 V1.0
    type: Keyboard,HID driver: microsoft,usbhid interfaces: 2 rev: 2.0
    speed: 1.5 Mb/s power: 100mA chip-ID: 045e:00db class-ID: 0300
  Device-5: 1-4:3 info: Alienware AW1517 type: HID driver: hid-generic,usbhid
    interfaces: 1 rev: 0.0 speed: 12 Mb/s chip-ID: 187c:0530 class-ID: 0300
    serial: <filter>
  Device-6: 1-5:5 info: Qualcomm Atheros QCA61x4 Bluetooth 4.0
    type: Bluetooth driver: btusb interfaces: 2 rev: 2.0 speed: 12 Mb/s
    power: 100mA chip-ID: 0cf3:e300 class-ID: e001
  Device-7: 1-7:7 info: Realtek Integrated Webcam HD type: Video
    driver: uvcvideo interfaces: 2 rev: 2.0 speed: 480 Mb/s power: 500mA
    chip-ID: 0bda:58c2 class-ID: 0e02 serial: <filter>
  Hub-4: 2-0:1 info: Super-speed hub ports: 10 rev: 3.0 speed: 5 Gb/s
    chip-ID: 1d6b:0003 class-ID: 0900
  Hub-5: 2-4:2 info: VIA Labs Hub ports: 4 rev: 3.0 speed: 5 Gb/s
    chip-ID: 2109:8110 class-ID: 0900
  Device-1: 2-4.1:3 info: DisplayLink USB3.0 Dual Video Dock
    type: Audio,Communication,CDC-Data driver: cdc_ncm,snd-usb-audio
    interfaces: 7 rev: 3.2 speed: 5 Gb/s power: 8mA chip-ID: 17e9:4307
    class-ID: 0a00 serial: <filter>
Sensors:
  System Temperatures: cpu: 54.0 C pch: 52.5 C mobo: N/A gpu: nouveau
    temp: 51.0 C
  Fan Speeds (RPM): N/A
Info:
  Processes: 330 Uptime: 9m wakeups: 1 Init: systemd v: 252 default: graphical
  tool: systemctl Compilers: gcc: 12.2.1 clang: 15.0.7 Packages: pm: pacman
  pkgs: 2196 libs: 506 tools: gnome-software,pamac pm: flatpak pkgs: 0
  Shell: Zsh v: 5.9 running-in: tmux: inxi: 3.3.26

You didn’t disclose that you made any modifications yourself, but this does sound a bit like something like this: https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt

Hi! I think it’s not that. I didn’t tweak polkit at all. Also, I should’ve mentioned in the original post that I get CLI prompts for the passwords now.

I think my problem is caused by polkit-gnome-authentication-agent-1 not running, but I don’t know what’s the “proper” way to get it to start on boot.

We can look at it

systemctl status polkit-gnome-authentication-agent-1

If it isn’t running then

systemctl enable polkit-gnome-authentication-agent-1 --now

It seems the latest update of pamac did that. I can type pamac upgrade then add the password in the terminal now. It’s working as it should so I can’t see a problem with it. I’m using Plasma on unstable.

Seems like latest pamac has integrated the optional terminal password input as default, lovely.

But it should only happen if you use pamac from terminal. If you use graphical frontend, then you should get the graphical password prompt.

For me pamac-manager correctly prompts for password via GUI.

Ok, it looks like I’m missing the systemd unit for polkit-gnome-authentication-agent-1 . Can you tell me the package that owns the systemd unit file for you?

polkit-gnome contains the binary and the .desktop file, but not the systemd stuff.

I’m not using the graphical front-end. Also, I used to get the graphical password prompt when running pamac from the terminal. That was nice, because I didn’t need to babysit my scripts that were running pamac.

While being OT, I think your reply brings perfectly to mind the classic xkcd comic, xkcd: Workflow

If it really hurts you, maybe take it up with the pamac developers; it could be possible to make pamac emit a bell notice when asking for the password, which could bring you the “notice” of the graphical password input popping up that you relied on.

polkit-gnome, (which) provides /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1
If you are missing it then your package is broken. Reinstall it I guess.

I have /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1, but I’m interested in the systemd unit file. Unless you’re saying that for you the systemd unit is in the polkit-gnome package?

If you’d check systemctl status polkit-gnome-authentication-agent-1, the second line of the output will contain the location of that file.
It will look like this: Loaded: loaded (<systemd unit file path>; static).
If you’d then check pacman -Qo <systemd unit file path>, what package does that return?

No, I wouldn’t, as I don’t use GNOME.

What I showed is taken directly from the arch wiki.

It is also backed up by all other documentation and my own looking at

pacman -Fl polkit-gnome

Which provides the desktop file
/usr/share/applications/polkit-gnome-authentication-agent-1.desktop
And the service file
/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1

If you don’t have that file, it isn’t a service, or your unit points somewhere else, then something is more askew. Why don’t you share that extra information with us?

What I showed is taken directly from the arch wiki.

Oh…

I have polkit-gnome installed, and it provides both polkit-gnome-authentication-agent-1.desktop and /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1 (but it isn’t a systemd service file, it’s a binary).

I think chasing a polkit-gnome-authentication-agent-1 systemd unit isn’t the right way of solving my problem, as I see that my system is capable of providing me with GUI password prompts (e.g. when I try to use the GUI for package management). So that “subsystem” is working and most probably doesn’t need an additional binary running in the background.

So the reason I stopped getting GUI prompts for pamac on the CLI is probably some change in polkit’s settings. I’d just like to know if that change was something intended by the maintainers, or was an accident with the update (like gdm being marked for autoremoval)
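The check discussed in the posts above (read the unit file path from the `Loaded:` line, then see which files the package actually ships), as an added example that is not part of the thread. The function names are hypothetical and the sample command output is constructed, apart from the two polkit-gnome paths quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed; the two
# polkit-gnome file paths are the ones quoted in the posts above.

# Print the unit file path found in `systemctl status <unit>` text on stdin.
# Returns 1 when no "Loaded: loaded (<path>; ...)" line exists, as for a
# unit name that systemd does not know.
unit_file_from_status() {
    sed -n 's/^[[:space:]]*Loaded:[[:space:]]*loaded (\([^;)]*\)[;)].*/\1/p' | {
        IFS= read -r path && [ -n "$path" ] && printf '%s\n' "$path"
    }
}

# Label each entry of `pacman -Ql <pkg>` output ("<pkg> <path>") on stdin.
classify_pkg_files() {
    while read -r _pkg file; do
        case "$file" in
            */) ;;                                  # directory entry, skip
            /usr/lib/systemd/system/*|/usr/lib/systemd/user/*)
                echo "systemd-unit $file" ;;
            /etc/xdg/autostart/*.desktop)
                echo "xdg-autostart $file" ;;
            *.desktop)
                echo "desktop-entry $file" ;;
            *)  echo "other $file" ;;
        esac
    done
}

# Succeeds only if the listed package installs at least one systemd unit.
pkg_ships_unit() {
    classify_pkg_files | grep -q '^systemd-unit '
}

# Constructed sample inputs.
SAMPLE_QL='polkit-gnome /usr/lib/polkit-gnome/
polkit-gnome /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1
polkit-gnome /usr/share/applications/
polkit-gnome /usr/share/applications/polkit-gnome-authentication-agent-1.desktop'
SAMPLE_STATUS_OK='polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
     Active: active (running)'
SAMPLE_STATUS_MISSING='Unit polkit-gnome-authentication-agent-1.service could not be found.'

printf '%s\n' "$SAMPLE_QL" | classify_pkg_files
if printf '%s\n' "$SAMPLE_QL" | pkg_ships_unit; then
    echo "polkit-gnome ships a systemd unit"
else
    echo "polkit-gnome ships no systemd unit"
fi
if unit=$(printf '%s\n' "$SAMPLE_STATUS_OK" | unit_file_from_status); then
    echo "unit file: $unit (next: pacman -Qo $unit)"
fi
printf '%s\n' "$SAMPLE_STATUS_MISSING" | unit_file_from_status ||
    echo "no unit file: nothing for pacman -Qo to look up"
```

On a live system, pipe `pacman -Ql polkit-gnome` and `systemctl status <unit> 2>&1` into the functions instead of the samples.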

As I said, pamac had for some time optional terminal password input, now it has become default.

Previously it was controlled by setting PAMAC_CLI_AUTH=1 but it does not work to set it to 0 to have GUI password prompt.

This pamac-cli feature was described in the Notable Package Updates section of the 2023-02-12 update announcement.


@varikonniemi Interesting that PAMAC_CLI_AUTH=0 doesn’t seem to affect pamac and it now always asks on the terminal… I’ll poke around more.

@Takakage Oh… Thanks. It was an even earlier update than the one I was looking at. Well, I’m now subscribing to the RSS feed with all the updates, so I shouldn’t miss stuff like this.

There have been concerns raised that pamac should follow the authorization scheme matching how it was launched.

GUI → GUI authorization
CLI → CLI authorization

I am fairly certain this is the way it is now.
And personally I think this is the correct way of handling the authorization scheme.


Indeed, but as we saw butla had developed their own workflow™ so maybe PAMAC_CLI_AUTH=0 should still be supported?

If this is the way pamac’s development is going, then I won’t cry :slight_smile: If PAMAC_CLI_AUTH=0 won’t work and the devs want to get rid of it entirely, then so be it.

I was just hoping I could get my previous workflow back for the time being. Eventually, I’ll set myself with an automated “pamac runner” user that won’t need authentication at all (just one sudo to switch to that user).

I guess this topic can be closed. Thanks for taking the time, people :bowing_man:
