Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0
votes
1
answers
3677
views
How can I repair PolKit?
First let me describe my system. It's Mint 19.0 (Tara). Mint itself isn't the problem, but its upgrade mechanism seems to have triggered the issue. It came after upgrading from Mint 18.3 to 19.0. I did post a question on Mint's forums, but then I did not know what was broken, and in the process of finding that out I kind of "overloaded" my issue report there.
So I try to be concise here.
PolicyKit has some problem authorizing privilege escalation. I am the owner of the system, and previously there were only my account and a guest account. After upgrading, I could no longer launch Synaptic via the menu (which calls `synaptic-pkexec`) and all other programs that need privilege escalation also won't start, leaving a fail message in auth.log. No dialog pops up asking for my password.
Launching `synaptic-pkexec` from command line simply yields
```
Error executing command as another user: Not authorized
This incident has been reported.
```
Quote from `auth.log`:
```
Jul 15 12:07:42 MYMACHINE polkit-agent-helper-1: pam_unix(polkit-1:auth): conversation failed
Jul 15 12:07:42 MYMACHINE polkitd(authority=local): Unregistered Authentication Agent for unix-session:c2 (system bus name :1.61, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8) (disconnected from bus)
Jul 15 12:07:42 MYMACHINE polkitd(authority=local): Operator of unix-session:c2 FAILED to authenticate to gain authorization for action com.ubuntu.pkexec.synaptic for unix-process:9863:4513929 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:MYUSERACCOUNT)
Jul 15 12:07:42 MYMACHINE pkexec: MYUSERACCOUNT: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/MYHOMEDIR] [COMMAND=/usr/sbin/synaptic]
Jul 15 12:07:42 MYMACHINE polkit-agent-helper-1: pam_unix(polkit-1:auth): auth could not identify password for [MYUSERACCOUNT]
Jul 15 12:07:42 MYMACHINE polkitd(authority=local): Registered Authentication Agent for unix-session:c2 (system bus name :1.220 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
```
My guest account, however, can do everything. It is asked for the password, and then Synaptic, Upgrade Manager, just everything works as intended. Also, when I create new users (regardless of whether they are created as admins or as users, and added to sudo group) they also can do everything. So I figure it is somehow connected to the user ID.
Another observation: I know GUI programs shouldn't be launched via `sudo`. But when I issue `sudo synaptic-pkexec` - Synaptic starts...
I have already checked that
1. PolKit Daemon is running via Autostart
2. PolKit Agent for Gnome is running via Autostart
3. file permissions for the user home directory are set correctly
I also did `apt-get install --reinstall` on everything PolKit related. Everything else besides PolKit runs just fine...
I can add inxi statement, if that helps.
hman2
(1 rep)
Jul 15, 2021, 12:02 PM
• Last activity: Jul 30, 2025, 01:00 PM
1
votes
2
answers
78
views
Does Linux have a generic way to dynamically open ports? (Desktop)
By generic, I mean, mostly standard, i.e. not dependent on `ufw` or `firewalld`. What I am asking is if there is something akin to what you have on Windows, where if some game wishes to "Open to Lan" and current firewall doesn't allow it, you are prompted to allow those changes.
In other words, is there some standard way a developer could make a GUI application for Linux which requests for a port to open for the remainder of the lifespan of the application?
I am sure this is a problem that has been thought of before, but I can't find a solution that satisfies these requirements:
- User is prompted for firewall change
- Granted privilege is clearly scoped to said modification
- Required trust in said application requesting privileges is minimized
- Resetting said modifications doesn't request privileges once again / Reset managed by system
Even for a permanent change, I don't know of anything other than for the application to request full root privileges and then use `iptables` behind the scenes.
Mathias Sven
(273 rep)
Jul 28, 2025, 09:50 PM
• Last activity: Jul 29, 2025, 09:07 AM
3
votes
0
answers
81
views
Hibernation does not work under normal user
I have a problem with hibernating my computer.
Everything was working before an update.
The update installed Plasma 6.3.5.
Hibernating from the start menu doesn't work either.
After the update, the following command reports an error under normal user:
```
$ loginctl hibernate
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)
```
However, under root, the
```
$ loginctl hibernate
```
works as expected.
A normal user is a member of these groups:
```
$ id
uid=1000(ibarina) gid=1000(ibarina) groups=1000(ibarina),6(disk),7(lp),10(wheel),18(audio),27(video),85(usb),100(users),106(lpadmin),250(portage),272(plugdev),377(pcap)
```
Moreover, `grep loginctl /var/log/everything/current` gives
```
Jul 17 17:22:49 [loginctl] Failed to hibernate system via elogind: Interactive authentication required.
```
Installed versions: sys-auth/polkit-126-r1 sys-auth/elogind-255.5-r2
DaBler
(101 rep)
Jul 23, 2025, 10:16 AM
• Last activity: Jul 28, 2025, 10:10 AM
2
votes
1
answers
4665
views
How can I install Policykit with System V?
I created a minimal install on my Raspbian Raspberry Pi running Debian Jessie. Among other things, I removed `libx11-.*` and dependencies, which included removal of `policykit-1`. I'm trying to reinstall `policykit-1`, but hit the following errors.
```
$ sudo apt-get install policykit-1
...
The following packages will be REMOVED:
sysvinit-core
...
dpkg: sysvinit-core: dependency problems, but removing anyway as you requested:
sysvinit depends on sysvinit-core | upstart | systemd-sysv; however:
Package sysvinit-core is to be removed.
Package upstart is not installed.
Package systemd-sysv is not installed.
```
After this, booting now hangs, and I have to restore the SD card to an image before this install command. (N.B. booting worked fine before the creation of the minimal install, and after the removal of `libx11-.*` and dependencies.) How can I reinstall `policykit-1`?
-------
## Edit
This worked for a little while, but no longer.
There is a long thread here discussing how `policykit-1` can break your system in Debian. I didn't read it all, but this (closed) bug report suggests that `systemd-shim` might be helpful.
Running the following command allowed me to reboot the computer, although I'm unsure as to how functional `policykit-1` is.
```
sudo apt-get install systemd-shim policykit-1
```
However, a recent update to Debian Jessie prevents this from working. `policykit-1` was uninstalled after `sudo apt-get dist-upgrade`, and running this command still asks you to uninstall `sysvinit-core`.
Sparhawk
(20499 rep)
Jul 15, 2014, 10:38 AM
• Last activity: Jul 20, 2025, 07:03 PM
2
votes
1
answers
2271
views
Setup .pkla rule for polkit
I'd like to start a systemd service using DBus in one of my apps which is run as non-root user `myuser`. For that I need to set up a PolicyKit where I'm using polkit 0.105 and added the following .pkla file to `/etc/polkit-1/localauthority/50-local.d`
```
[Test polkit]
Identity=unix-user:myuser
Action=org.freedesktop.systemd1.manage-unit-files;org.freedesktop.systemd1.manage-units
ResultActive=yes
ResultInactive=yes
```
However, that somehow didn't help as I'm still getting the error `Permission denied` from DBus when it's run as `myuser`, where it works when started by `root`.
As I understood polkit so far that's actually the way to set it up.
What makes me wonder as well is that when executing `pkaction` it just returns nothing.
Does `polkit` need some further setup? I just installed it via `apt-get` on an Ubuntu 19.04 box.
plazmakeks
(191 rep)
Jun 21, 2019, 10:10 AM
• Last activity: Jun 14, 2025, 03:06 PM
6
votes
1
answers
3666
views
gksu replacement
In the old days of CentOS 5, I had an application that ran as another user.
I created a .desktop file which ran a command that looked like this:
```
gksu -u anotheruser someapplication
```
When the user clicked the icon,
a popup asked for the password of "anotheruser".
When the password was correct, "someapplication" started.
Now in the modern days of CentOS 7,
I can't find a replacement for this behaviour.
I tried beesu:
```
beesu -l -P someapplication anotheruser
```
but it is asking me for the root password instead of "anotheruser" password.
I also tried pkexec:
```
pkexec --user anotheruser someapplication
```
with the same result.
Both methods also have problems finding the correct display variable:
```
Failed to parse arguments: Cannot open display:
```
Any help will be appreciated.
user1403360
(2030 rep)
Nov 30, 2015, 12:51 PM
• Last activity: May 8, 2025, 02:00 AM
1
votes
1
answers
1193
views
No Authentication Agent Found Although Already Running
I have an Alpine-Linux based system (PostmarketOS) running with the LXQT DE.
Ever since I set up the system, out of the box it came with a bunch of problems with user authentication. I have various problems, including:
- Whenever I plug in a USB thumb drive, I get a message saying "Error: not authorized to perform operation."
- If I try to run any downloaded program such as Gparted which requires authentication, I don't get a popup message prompting for my password, and instead get the message "Error executing command as another user: No authentication agent found."
- If I try to edit the user settings with any built-in tools such as the LXQT Configuration Center, I get the same error.
After investigating this for a while, I noticed that it seems like the authentication agent is already running. It's set to autostart and I can see it running in the system monitor:
If I try to run
```
pkttyagent -p $(echo $$) | lxqt-sudo gparted
```
then I get the popup to finally appear:
Therefore, I have reason to believe that the required programs are on my system since I see them running and I'm able to run them manually with the command line.
However, I am unable to figure out why the sudo GUI frontend never pops up automatically when an application is requesting superuser permissions, and why I can't perform basic actions such as using my USB thumb drive or change system settings.
I set the root user password and logged in to the root user account, and don't face any of these issues there. So there is something wrong with the setup for the authentication agent or polkit in general and I'm not sure what to do. Help would be greatly appreciated. Thank you for your time.
Hexyl Cinnamal
(21 rep)
Jun 6, 2022, 03:56 PM
• Last activity: Apr 12, 2025, 01:16 PM
1
votes
1
answers
990
views
debian 12 vm polkit not working with xRDP
I'm encountering a problem with KDE Plasma on Debian 12 on a VM, when using xRDP to access my desktop remotely. The issue revolves around Polkit authentication, where the GUI prompt for administrative actions is not behaving as expected.
Affected System Details:
- Debian 12 VM with KDE Plasma created with QEMU/KVM
- xRDP version: 0.9.21.1
```
plasmashell --version
plasmashell 5.27.5
apt list --installed | grep policy
policykit-1/stable,now 122-3 amd64 [installed,automatic]
libpolkit-qt5-1-1/stable,now 0.114.0-2 amd64 [installed,automatic]
apt list --installed | grep polkit
libpolkit-agent-1-0/stable,now 122-3 amd64 [installed,automatic]
libpolkit-gobject-1-0/stable,now 122-3 amd64 [installed,automatic]
libpolkit-qt5-1-1/stable,now 0.114.0-2 amd64 [installed,automatic]
polkit-kde-agent-1/stable,now 4:5.27.5-2 amd64 [installed,automatic]
polkitd-pkla/stable,now 122-3 amd64 [installed,automatic]
polkitd/stable,now 122-3 amd64 [installed,automatic]
```
Problem Description:
When I'm connected through xRDP and try to perform tasks using GUI System Settings that require elevated privileges (like changing settings in the System Settings, or disabling the KDE Wallet subsystem), I'm not getting the usual Polkit GUI prompt to enter my password. As a result, I can't apply any changes.
Observations:
1.) This issue is specific to my xRDP sessions. When logged in via the Display of Virtmanager using SPICE or via NoMachine, the Polkit prompts appear and function correctly.
2.) The problem persists across different administrative tasks that normally require authentication.
3.) When I am logged in the polkit-kde-authentication-agent-1 gets started for the user that is logged in:
```
root@debian12-test:~# pgrep -af polkit-kde-authentication-agent-1
5355 /usr/lib/x86_64-linux-gnu/libexec/polkit-kde-authentication-agent-1
root@debian12-test:~# ps -o user= -p 5355
user
```
4.) When I watch the `journalctl -f -u polkit`
- When I login with NoMachine where Polkit works:
```
Dec 01 09:20:13 debian12-test polkitd: Registered Authentication Agent for unix-session:22 (system bus name :1.299 [/usr/lib/x86_64-linux-gnu/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
```
- When I login with xRDP where Polkit is broken:
```
Dec 01 09:26:36 debian12-test polkitd: Registered Authentication Agent for unix-session:c12 (system bus name :1.376 [/usr/lib/x86_64-linux-gnu/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
```
- I do not get any error message with `journalctl -f -u polkit`
Troubleshooting Done:
- I've confirmed that `polkit` is installed and running.
```
systemctl status polkit.service
● polkit.service - Authorization Manager
Loaded: loaded (/lib/systemd/system/polkit.service; static)
Active: active (running)
```
Questions:
1. Are there specific configurations or known issues with Polkit and xRDP in KDE Plasma on Debian 12 that might be causing this?
2. Any suggestions on how to ensure the Polkit authentication agent starts correctly in xRDP sessions or how to debug this further?
Any insights or suggestions would be greatly appreciated. I'm happy to provide additional details if needed.
Thank you in advance!
Viktor Carlson
(170 rep)
Dec 1, 2023, 10:28 AM
• Last activity: Apr 1, 2025, 11:00 AM
2
votes
1
answers
351
views
DBus Policy that Allows Group to Access System Service
I wrote a dbus service and have it listening on the system bus, under the bus name "org.jfhbrook.plusdeck" and the path "/". That seems to be working fine. I have a corresponding dbus client that I'd like to use to interact with that system bus service, either if I'm the root user (called with sudo) or if I'm in a particular group (in this case, the "plusdeck" group).
I currently have this policy file, based on [the dbus-daemon docs](https://dbus.freedesktop.org/doc/dbus-daemon.1.html) and cribbing from whatever examples I could find:
This works when I use `sudo`. However, when I use the same client with my user, which is a member of the `plusdeck` group, I get an error:
```
ERROR:plusdeck.dbus.client:org.freedesktop.DBus.Error.AccessDenied: Access to org.jfhbrook.plusdeck.Eject() not permitted.
```
Note that this is a different error than I'd get if I didn't have access to the bus - that would be `ERROR:plusdeck.dbus.client:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message`. It seems I'm authorized to send messages, but not to call that method.
I've tried combinations of everything I can think of, including setting `send_member="*"` in the allow tag, as well as ``. I'm at my wit's end. Any help or guidance would be appreciated.
For what it's worth, I'm using Fedora 41. I mention this because I'm aware that my issue could be outside this configuration, for instance with SELinux. Though, I believe seeing nothing in `/var/log/audit/audit.log` rules that out.
Josh Holbrook
(151 rep)
Feb 8, 2025, 02:45 AM
• Last activity: Feb 9, 2025, 08:38 PM
1
votes
2
answers
407
views
Force polkit to use a textual authentication agent in a GUI session
I am using the Secureblue Linux distro and I don't like the fact that when I run a script that eventually invokes run0, and leave it running and do something else while I'm waiting, I eventually get a popup all of a sudden prompting me to enter my password, and I don't know what it's about!
It feels like it would be much more secure to have the auth prompt as a CLI authentication utility, in the terminal window that the script is running in, so I can tell what I am being expected to approve.
However, I tried installing tmux and then running pkttyagent in one tmux pane and the script in another, but the GUI authentication dialog box still popped up, just like before, and pkttyagent didn't do anything.
Even when I made them use a fresh, separate dbus session bus using `dbus-run-session tmux`, it failed the same way.
Robin Green
(1299 rep)
Feb 1, 2025, 03:35 PM
• Last activity: Feb 5, 2025, 10:52 AM
0
votes
1
answers
67
views
how to mount partition with -o remount,ro option without being superuser
If I am root I can run the command `mount -o remount,ro /data`. However I can not do it in my user session without using sudo. I tried to modify my fstab:
```
LABEL=DATA /data ext4 auto,rw,users 0 1
```
I added a polkit rule:
```
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.udisks2.filesystem-mount" ||
         action.id == "org.freedesktop.udisks2.filesystem-unmount" ||
         action.id == "org.freedesktop.udisks2.filesystem-mount-system-internal") &&
        subject.isInGroup("me")) {
        return polkit.Result.YES;
    }
});
```
But I did not manage to make it work. Always with the same error: `mount /data : must be superuser to use mount`
void_brain
(119 rep)
Jan 2, 2025, 01:12 PM
• Last activity: Jan 2, 2025, 03:28 PM
0
votes
0
answers
26
views
Polkit: is possible to avoid password request for users NOT present in group?
Observe this situation
```
lxcunpriv@nas:~$ id
uid=1001(lxcunpriv) gid=1001(lxcunpriv) gruppi=1001(lxcunpriv)
lxcunpriv@nas:~$ virsh -c qemu:///system list
==== AUTHENTICATING FOR org.libvirt.unix.manage ====
System policy prevents management of local virtualized systems
Authenticating as: myuser
Password:
```
If "lxcunpriv" knows the password of "myuser", it can stop the vm, or list, or access it via console.
My question is: is it possible to force authentication for the libvirt group?
It must work like this:
member of "libvirt" group = can access the vm
non-member of "libvirt" group = cannot access the vm even if they know the other user's password.
Is it possible?
elbarna
(13690 rep)
Dec 1, 2024, 01:43 AM
2
votes
3
answers
2764
views
dwm - session polkit
I am really struggling to get the session polkit to work.
I am not really familiar with how it works, but I have been using gnome before switching to dwm and in gnome it worked perfectly, so I wanted to replicate that.
First of all: As I understood it, the polkit is responsible for giving momentary privilege escalation to the user, by prompting him for the root password.
Is this correct?
How can I replicate that behavior without a DE but with a WM like dwm?
weisbrja
(251 rep)
Jan 9, 2021, 03:59 PM
• Last activity: Oct 29, 2024, 08:23 AM
0
votes
0
answers
45
views
removal usb rule for polkit
I'm having trouble writing a rule that would allow all (or some subset of users) to access a yubikey (a usb security device). The device appears as /dev/hidraw2, and the normal user is on an ACL (access control list) that grants permission to use it. However, if a second user is also logged in, they're not on the device's ACL. The system is running openrc and not systemd, so elogind controls the ACLs. (elogind is a daemon for openrc that emulates some of the systemd functionality that openrc doesn't have out of the box).
When I manually add a secondary user to the ACL for this device with setfacl, this works. But, it's not persistent, and when the device is removed and re-inserted, setfacl has to be called again.
As far as I can tell, elogind uses polkit to determine which user gets put on an ACL. But, I've not been able to write a polkit rule that would allow all users (or some limited subset of all users) to use the device. Here's an example of a rule that I tried:
```
.addRule(function(action, subject) {
    if ( subject.isInGroup("plugdev")) {
        return polkit.Result.YES;
    }
}
});
```
That example is far too permissive, since it should allow anyone in plugdev to access any device (I think). But even that doesn't allow secondary users to access the device. I've looked at a ton of polkit example rules, and I'm kind of stumped. Any ideas?
jyoung
(131 rep)
Oct 22, 2024, 07:18 PM
0
votes
0
answers
126
views
Polkit agents for headless/login-less sessions
I currently have a Qt5 desktop-app on Debian kiosk (polkit 105) that I deliver as a user-interface. Occasionally, an admin may walk by and need to run a privileged task, and so I use:
```c
execve(
  "/usr/bin/pkexec",
  [ "/usr/bin/slm-clean" ],
  ...
);
```
That invokes `gnome-polkit-agent` which authenticates the user according to the following policy found in `/usr/share/polkit-1/actions/org.slm.policy`:
Clear SLM
Authentication is required to clear the SLM. This may destroy any SLM processes that are currently running.
auth_admin
auth_admin
auth_admin
/usr/bin/slm-clean
I'd like to consider moving this away from a desktop-app and towards a web-app on a headless server. I've written an HTTP server which can serve static files, and implement dynamic API routes.
I can easily intercept the `POST /api/slm-clean` route, and call `execve`, but what do I do about the `polkit-agent`? The user isn't in a gnome-session, and the textual fallback won't be of any help here either.
Here are a couple of ideas:
1. Link to [`libpolkit-agent-1.0`](https://www.freedesktop.org/software/polkit/docs/0.105/ref-authentication-agent-api.html) and register my backend as a polkit agent, then handle any authentication requests by comparing some token found in the `POST` body.
2. Abandon `polkit` entirely and give the script a `setuid` bit (`chmod u+s /usr/bin/slm-clean`), then move any authentication/messaging to the web-server.
3. Authenticate users through PAM, and then instead of `pkexec`, I can run `/usr/bin/slm-clean` with the UID of the authenticated user. I really don't know what I'd be doing here.
I know red-hat's [`cockpit`](https://cockpit-project.org/) must have solved this somehow as it serves a `systemd` front-end over a web-server and must do authentications. I can also confirm that `cockpit` doesn't intercept or interfere with `gnome-polkit-agent` if I run it on the same machine as a gnome-session.
Stewart
(15631 rep)
Aug 27, 2024, 12:00 PM
• Last activity: Sep 23, 2024, 01:27 PM
0
votes
0
answers
42
views
polkit policy, restrict the parameters of an application when running with pkexec
I should be able to restrict the parameters when running an application without asking for password (debian 12, systemd 256, polkit 122-3). For example:
```
app foo
app foo ...
```
should work, but
```
app bar
app bar ...
```
should be blocked.
This would be my approach, but it did not work:
```
polkit.addRule(function(action, subject) {
    var program = action.lookup("program");
    var args = action.lookup("command_line");
    if (action.id == "org.freedesktop.policykit.exec" &&
        subject.isInGroup("some ldap group") &&
        program == "/usr/bin/app" &&
        args == "foo") {
        return polkit.Result.YES;
    }
});
```
Does anyone have an idea?
daku69
(1 rep)
Sep 17, 2024, 05:59 AM
2
votes
1
answers
151
views
Restrict which networks a user is allowed to connect to
I'm setting up the guest user account for the PCs of a computer lab, which run Ubuntu 24.04. I'd like the guest account to be able to connect only to our Wi-Fi network, forbidding access to other nearby networks, phone hotspots, etc. How can I do it?
Arch Stanton
(355 rep)
Aug 11, 2024, 12:21 PM
• Last activity: Aug 16, 2024, 07:42 AM
17
votes
3
answers
48033
views
How can I reboot a server with systemctl if systemctl reboot fails?
I tried rebooting my CentOS 7 server but it gives ridiculous error messages.
As root (of course):
```
# systemctl reboot
Authorization not available. Check if polkit service is running or see debug message for more information.
Failed to start reboot.target: Connection timed out
See system logs and 'systemctl status reboot.target' for details.
Exit 1
```
Does `polkit` need to check whether `root` has the right to reboot the machine??? If so, why?
```
# systemctl status reboot.target
● reboot.target - Reboot
Loaded: loaded (/usr/lib/systemd/system/reboot.target; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:systemd.special(7)
Exit 3
```
Do I need to enable the `reboot` target? Why would this be disabled by default?
Perhaps this will work?
```
# systemctl start reboot.target
Authorization not available. Check if polkit service is running or see debug message for more information.
Failed to start reboot.target: Connection timed out
See system logs and 'systemctl status reboot.target' for details.
Exit 1
```
OK, force it, then:
```
# systemctl --force reboot
Authorization not available. Check if polkit service is running or see debug message for more information.
Failed to execute operation: Connection timed out
Exit 1
```
And the server is still up.
Ned64
(9256 rep)
Aug 6, 2019, 07:29 PM
• Last activity: Mar 5, 2024, 03:22 PM
3
votes
1
answers
482
views
Access denied for `systemd-inhibit --what=idle`
### Problem
On Debian 12 I use `IdleAction=poweroff` and `IdleActionSec=…` in `logind.conf`. This works as intended, the machine powers itself off when it's been idle for long enough.
I want to be able to use `systemd-inhibit --what=idle` as a regular user. I have found claims that it should be possible (example). Indeed, in one of my Debian 12 systems it is possible, let's call this Debian *Successful*; but there are other Debian 12 systems where I get `Access denied`, let's call these *Failing*. The machine where I really need this functionality is in the *Failing* group.
It's not a temporary quirk (because of "needing to reboot" or something). I have just rebooted the *Successful* machine and one *Failing*, the behavior persists.
**Why the difference? What can I do to make a *Failing* system behave like the *Successful* one?**
I'm not really interested in workarounds like `sudo` or some custom wrapper. I'd like `systemd-inhibit --what=idle` to "just work", like it does on the *Successful* system. I'd like to adjust its behavior as much "by the systemd/polkit book" as possible.
---
### Current behavior
This is how it works on the *Successful* system. This is what I want:
```
$ SYSTEMD_LOG_LEVEL=7 systemd-inhibit --what=idle true
Bus n/a: changing state UNSET → OPENING
sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → HELLO
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.75 path=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Bus n/a: changing state HELLO → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=Inhibit cookie=2 reply_cookie=0 signature=ssss error-name=n/a error-message=n/a
Got message type=method_return sender=:1.7 destination=:1.75 path=n/a interface=n/a member=n/a cookie=149 reply_cookie=2 signature=h error-name=n/a error-message=n/a
Successfully forked off '(inhibit)' as PID 3384.
Skipping PR_SET_MM, as we don't have privileges.
true succeeded.
Bus n/a: changing state RUNNING → CLOSED
$ echo $?
0
$
```
This is how it fails on the *Failing* systems:
```
$ SYSTEMD_LOG_LEVEL=7 systemd-inhibit true
Bus n/a: changing state UNSET → OPENING
sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → HELLO
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.44 path=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a
Bus n/a: changing state HELLO → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=Inhibit cookie=2 reply_cookie=0 signature=ssss error-name=n/a error-message=n/a
Got message type=error sender=:1.1 destination=:1.44 path=n/a interface=n/a member=n/a cookie=464 reply_cookie=2 signature=s error-name=org.freedesktop.DBus.Error.AccessDenied error-message=Permission denied
Failed to inhibit: Access denied
Bus n/a: changing state RUNNING → CLOSED
$ echo $?
1
$
```
`true` is just an example. Ultimately I want to invoke some long-running command for which inhibiting makes perfect sense.
---
### Details
- *Successful* and *Failing* are Debian 12.
- The kernel on *Successful* and on each *Failing* is `6.1.0-17-amd64`.
- The output of `id`:

  ```
  @Successful $ id
  uid=1000(kamil) gid=1000(kamil) groups=1000(kamil),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),111(bluetooth),113(lpadmin),117(scanner),124(pcspkr)
  @Failing1 $ id
  uid=1000(kamil) gid=1000(kamil) groups=1000(kamil),4(adm),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
  ```
- On each system `/usr/bin/systemd-inhibit` gives the same `md5sum`, I conclude the files are identical between *Successful* and *Failing*; they have not been tampered with. `ls -l /usr/bin/systemd-inhibit` prints:

  ```
  -rwxr-xr-x 1 root root 22928 11-10 01:25 /usr/bin/systemd-inhibit
  ```
- On each system `/usr/share/dbus-1/system.d/org.freedesktop.login1.conf` gives the same `md5sum`, I conclude the files are identical between *Successful* and *Failing*; they have not been tampered with. The relevant(?) parts:
[...]
[...]
- On each system `/usr/share/polkit-1/actions/org.freedesktop.login1.policy` gives the same `md5sum`, I conclude the files are identical between *Successful* and *Failing*; they have not been tampered with. The relevant(?) parts:
[...]
Allow applications to inhibit automatic system suspend
Authentication is required for an application to inhibit automatic system suspend.
yes
yes
yes
[...]
I guess this `yes` is responsible for the alleged ability of a regular user to use `systemd-inhibit --what=idle`. Still on *Failing* systems it seems to be ignored.
- The *Successful* Debian uses its hardware directly. One *Failing* Debian is installed on HP ProLiant DL380 G5; other *Failing* Debians are virtual machines in VMware ESXi 7.
- I use `ssh` to connect to the *Successful* system and to each *Failing* one. The *Successful* system provides a GUI but it's "just in case"; currently `sddm` only sits there and I don't log in this way.
- The output of `pstree -lu`:

  ```
  @Successful $ pstree -lu
  systemd-+-ModemManager---2*[{ModemManager}]
          |-NetworkManager---2*[{NetworkManager}]
          |-accounts-daemon---2*[{accounts-daemon}]
          |-atop
          |-atopacctd
          |-avahi-daemon(avahi)---avahi-daemon
          |-blkmapd
          |-bluetoothd
          |-cron
          |-cups-browsed---2*[{cups-browsed}]
          |-cupsd
          |-dbus-daemon(messagebus)
          |-dhcpd
          |-exim4(Debian-exim)
          |-hostapd
          |-nfsdcld
          |-openvpn
          |-polkitd(polkitd)---2*[{polkitd}]
          |-rpc.idmapd
          |-rpc.mountd
          |-rpc.statd(statd)
          |-rpcbind(_rpc)
          |-rtkit-daemon(rtkit)---2*[{rtkit-daemon}]
          |-sddm-+-Xorg---10*[{Xorg}]
          |      |-sddm-helper---sddm-greeter(sddm)---11*[{sddm-greeter}]
          |      `-{sddm}
          |-smartd
          |-sshd-+-sshd---sshd(bisztynek)
          |      `-sshd---sshd(kamil)---bash---tmux: client
          |-systemd(sddm)-+-(sd-pam)
          |               |-dbus-daemon
          |               `-pulseaudio-+-gsettings-helpe---3*[{gsettings-helpe}]
          |                            `-2*[{pulseaudio}]
          |-systemd(kamil)-+-(sd-pam)
          |                |-dbus-daemon
          |                `-pulseaudio-+-gsettings-helpe---3*[{gsettings-helpe}]
          |                             `-{pulseaudio}
          |-systemd(bisztynek)-+-(sd-pam)
          |                    |-dbus-daemon
          |                    `-pulseaudio-+-gsettings-helpe---3*[{gsettings-helpe}]
          |                                 `-{pulseaudio}
          |-systemd-journal
          |-systemd-logind
          |-systemd-timesyn(systemd-timesync)---{systemd-timesyn}
          |-systemd-udevd
          |-tmux: server(kamil)---bash---pstree
          |-transmission-da(debian-transmission)---3*[{transmission-da}]
          |-udisksd---4*[{udisksd}]
          |-upowerd---2*[{upowerd}]
          `-wpa_supplicant
  @Failing1 $ pstree -lu
  systemd-+-VGAuthService
          |-agetty
          |-cron
          |-dbus-daemon(messagebus)
          |-dhclient
          |-nmbd
          |-rsyslogd---3*[{rsyslogd}]
          |-smbd-+-cleanupd
          |      |-smbd
          |      `-smbd-notifyd
          |-sshd---sshd---sshd(kamil)---bash---tmux: client
          |-systemd(kamil)---(sd-pam)
          |-systemd-journal
          |-systemd-logind
          |-systemd-timesyn(systemd-timesync)---{systemd-timesyn}
          |-systemd-udevd
          |-tmux: server(kamil)-+-2*[bash---nano]
          |                     `-bash---pstree
          `-vmtoolsd---2*[{vmtoolsd}]
  ```
Other systems from the *Failing* group may run slightly different sets of tasks, they are all similarly minimalistic though.
---
### Observation
One big difference between the *Successful* Debian and each *Failing* one is the GUI. There are `Xorg`, `sddm` and related processes on *Successful*. But as I said, I don't log in to the GUI at all. I don't know if it has anything to do with the problem. Maybe it's just a red herring.
Kamil Maciorowski
(24294 rep)
Jan 16, 2024, 09:39 AM
• Last activity: Feb 13, 2024, 07:35 AM
0
votes
1
answers
127
views
Polkit and local serial consoles
Are serial consoles considered local by `polkit`? Could that be configured e.g. via `/etc/securetty`?
kirjosieppo
(140 rep)
Feb 2, 2024, 09:12 PM
• Last activity: Feb 3, 2024, 06:04 AM