Why to authenticate?
For starting gdm I am using this command
sudo systemctl start gdm.service
When I am executing this command directly on the shell, then I am presented with the
[sudo] password for username:
Thats completely understandable as I am using sudo command for the privillages, but when I omit the sudo
command then I get this
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to start 'gdm.service'.
Authenticating as: username
Password:
Actually I have created a script file with permission rwsr-xr-x and the owner of the file is root, and the script's content is:
sudo systemctl start gdm
And when I am executing this, then it should run as root, without asking for password, but it asks this.
[sudo] password for username:
I just want to be able to start gdm without entering the password
Solution 1:
Where is this comming from? Is it the gdm service asking for password or the systemd binary?
It's the systemctl binary. (Or, more precisely, the "start" request goes from systemctl to systemd to the PolicyKit service and then the authentication prompt loops back to "polkit-tty-agent" binary that systemctl spawns.)
If you've ever gotten a full-screen "admin password" prompt in GNOME (such as when you try to change network configuration or run pkexec
), this is the exact same thing.
Either way, it's not gdm, as gdm hasn't been started yet.
I am giving sudo permissions then why once again?
That's unclear. This prompt indeed should never be shown when systemctl is run by root, as the systemd code actually skips these checks for uid 0. (At least I think it does. I'll have to re-check.)
In general, PolicyKit is an alternative system whose purpose is to allow things like systemctl to be used without explicitly using sudo and becoming root. It's quite unusual for root to receive an authentication prompt from polkit.
Suggestions:
-
Run
journalctl -u polkit -n 100
and look for any messages that mention "gdm" or "manage-units". Do they say "owned by unix-user:root" or "unix-user:You"? -
Try to run
sudo pkexec
. This should immediately give a shell without any prompts (whereas running justpkexec
should still prompt for admin auth). The pkexec tool is like "su but with more polkit". -
Reinstall the "polkit" package, to make sure that the default policies in /usr/share/polkit-1 are reset (in case they have been corrupted). I'm not sure if this will work, as systemd itself is supposed to completely skip polkit checks for root (i.e. polkit policies should be irrelevant), but worth a try.
-
Check whether the
/run/systemd/private
socket exists. When systemctl is running as root, it will use this socket to make a direct connection to systemd (instead of going through D-Bus), and it should likewise completely bypass all polkit checks.sudo strace -e connect systemctl status foo
might be useful to check.