Polkit policy file possibly copied to wrong location #10523

Open
EnAppelsin opened this issue Mar 31, 2024 · 14 comments

@EnAppelsin

Overview

The polkit policy file (share/linux/org.keepassxc.KeePassXC.policy.in) is copied to ${CMAKE_INSTALL_DATADIR}/polkit-1/actions, which may not be a folder checked by polkit.

Steps to Reproduce

  1. Build keepassxc with the standard prefix of /usr/local
  2. Try to use Polkit quick unlock or so on

Expected Behavior

Polkit policy is copied to /usr/share/polkit-1/actions

Actual Behavior

Polkit policy is copied to /usr/local/share/polkit-1/actions

Context

At least on Ubuntu it seems that only /usr/share/polkit-1/actions is checked by Polkit, so /usr/local/share/polkit-1/actions is ignored.
I do not know if this is consistent across every distro or if there's a way to ask polkit for the location.

KeePassXC - 2.8.0-snapshot
Revision: 2421b70

Operating System: Linux
Desktop Env: KDE
Windowing System: X11

@droidmonkey
Member

Nothing like Linux distros to be totally out of standard

@michaelk83

If you build to /usr/local, then copying to /usr/local/share is correct, AFAIK. If PolKit doesn't check there, that's on PolKit. /usr/share is for installing from a package manager. You can add a symlink there as a workaround.

@droidmonkey
Member

Hmmmm perhaps we are out of standard: https://wiki.archlinux.org/title/Polkit#Actions

@michaelk83

michaelk83 commented Mar 31, 2024

All I can see from that link is that PolKit only looks in /usr/share, and ignores everything else. But that's not a standard, it's just how PolKit is implemented. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard says:

/usr/local | Tertiary hierarchy for local data, specific to this host. Typically has further subdirectories (e.g., bin, lib, share).

It doesn't make sense to me to put this in /usr/share if the rest of the application is placed in /usr/local. There may be a good reason for PolKit to ignore /usr/local/share, but if not, then this is a PolKit bug, IMO.

@HexF, your thoughts?

edit: From the actual FHS spec:

Any program or package which contains or requires data that doesn't need to be modified should store that data in /usr/share (or /usr/local/share, if installed locally).

(See also the spec page for /usr/local.)

@rgarcia89

For me, files are located under /usr/share/polkit-1/actions. I, however, cannot find any keepass policy in there. I have used KeePassXC-2.8.0-snapshot-x86_64.AppImage for the test.

@droidmonkey
Member

droidmonkey commented Mar 31, 2024

AppImage does not install the policy files, you will need to install them yourself. KeePassXC in general cannot install those files since root is required.

@rgarcia89

Understood. I have added org.keepassxc.KeePassXC.policy.in manually now.
I am getting the following log error now:

Mär 31 23:05:30 rgarcia-x1 gnome-shell[1688]: polkitAuthenticationAgent: Failed to show modal dialog. Dismissing authentication request for action-id org.keepassxc.KeePassXC.unlockDatabase cookie 3-da6e56600c433460150acba44f2f3c62-2-7171f414cb55630ac247da51bfd5259e
Mär 31 23:05:30 rgarcia-x1 polkitd[557]: Operator of unix-session:3 FAILED to authenticate to gain authorization for action org.keepassxc.KeePassXC.unlockDatabase for unix-process:3338644:30736123 [keepassxc] (owned by unix-user:rgarcia)

@droidmonkey
Member

You need to replace @APP_ICON_NAME@ in <icon_name>@APP_ICON_NAME@</icon_name> with the path of an icon, that is probably why the auth window will not show. I think you may be able to just erase that line as well. Also remove the .in suffix, but that doesn't really matter.

@rgarcia89

I have replaced it with the icon /usr/share/keepassxc/icons/application/256x256/apps/keepassxc.png of v2.7.6-3 which I installed via pacman. Unfortunately it is still not working. I am getting the same issue in the app and again no logs anymore.

@HexF
Contributor

HexF commented Apr 1, 2024

Polkit expects action files (like those we install with KeePassXC) at $datadir/polkit-1/actions.
https://github.com/polkit-org/polkit/blob/3cc48477a2a0e2105b646cb67d8b7eb9bf0719c9/data/polkit-gobject-1.pc.in#L7
In this case, $datadir is in relation to where Polkit is installed; it is typically /usr/local/share.
We can make the fair assumption that both polkit and KeePassXC are going to be installed in the same datadir.
If for some reason this is not the case on a given distro, I believe it should be up to the distro packaging KeePassXC to move this file to the right place post-installation.
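
One way to ask polkit for its action directory and compare a self-built install against it, as an added example that is not part of this thread or of KeePassXC's build scripts. It assumes the polkit development files (polkit-gobject-1.pc) are installed for the pkg-config lookup; the function names, status words and the /usr/share fallback are choices made for this sketch.

```shell
#!/bin/sh
# Added example (not from the KeePassXC or polkit projects).
POLICY=org.keepassxc.KeePassXC.policy

# Directory polkit reads action files from, taken from the "actiondir"
# variable in polkit-gobject-1.pc. Falls back to /usr/share/polkit-1/actions
# (assumption: the location reported for Ubuntu in this issue) when
# pkg-config or the .pc file is unavailable.
polkit_actiondir() {
    dir=$(pkg-config --variable=actiondir polkit-gobject-1 2>/dev/null) || dir=
    printf '%s\n' "${dir:-/usr/share/polkit-1/actions}"
}

# check_policy ACTIONDIR INSTALLDIR [NAME] prints one status word:
#   ok        regular file, or symlink resolving to one, in ACTIONDIR
#   dangling  symlink in ACTIONDIR whose target no longer exists
#   misplaced file exists only in INSTALLDIR, which polkit does not read
#   missing   file is in neither directory
check_policy() {
    actiondir=$1
    installdir=$2
    name=${3:-$POLICY}
    if [ -f "$actiondir/$name" ]; then
        echo ok
    elif [ -L "$actiondir/$name" ]; then
        echo dangling
    elif [ -f "$installdir/$name" ]; then
        echo misplaced
    else
        echo missing
    fi
}

# main PREFIX: report where the policy file ended up for a given install prefix.
main() {
    prefix=$1
    actiondir=$(polkit_actiondir)
    status=$(check_policy "$actiondir" "$prefix/share/polkit-1/actions")
    echo "polkit actiondir: $actiondir"
    echo "policy status:    $status"
    [ "$status" = ok ]
}

# Run as: sh check-policy.sh /usr/local
if [ "$#" -gt 0 ]; then main "$1"; fi
```

A `misplaced` result corresponds to the situation reported in this issue; `dangling` catches a leftover symlink after the /usr/local build has been removed.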

@michaelk83

In other words, since /usr/local is specced as its own hierarchy, if someone manually installs or builds into /usr/local (which is the correct location when they're not using their package manager), then they're effectively acting as a nested sub-distro inside their main distro. So it's their responsibility to symlink from /usr/share.

That said, this could still be automated in the build script. When building to /usr/local, and under the assumption that most distros would install PolKit with its datadir at /usr/share, then if the action file does not already exist in /usr/share from a previous installation, create a symlink from there to /usr/local/share.

Finally, it is common practice in Linux for applications to search a cascading set of standard folders such as $HOME/.local/share, /usr/local/share, and /usr/share. $HOME/.local/share may not be relevant for PolKit, since PolKit is a system component, but it may still be reasonable for PolKit to look in both /usr/local/share, and /usr/share. This could be brought up with the PolKit team.

@EnAppelsin
Author

I'm not entirely sure PolKit is breaking the FHS. In the case where I discovered this, PolKit is a system app and so should be in /usr (and thus store its data in /usr/share). KeePassXC was built by me and this is a local app and should be in /usr/local, but the policy file isn't KeePassXC data (for /usr/local/share) but PolKit data (for /usr/share).

That said it looks like someone has already proposed PolKit support a cascading set of folders: polkit-org/polkit#419

Creating a symlink automatically for self-builders, or allowing the location to be manually overridden as a CMake variable would be useful, I think.

@HexF
Contributor

HexF commented Apr 1, 2024

I can definitely get behind a CMake variable, however in the end this is still an upstream polkit issue and anything we do is merely a workaround.

If I get the time I may take a crack at fixing this in upstream Polkit.
Such a fix should also allow AppImage, snap and the various other packaging formats to work properly.

@michaelk83

the policy file isn't KeePassXC data

It's provided by KeePassXC, for use with KeePassXC, and defines an action that is only relevant to KeePassXC. So I'd argue that it's KeePassXC data. PolKit is the consumer. But anyway, that's just nitpicking on my part.

PS, I wouldn't say that PolKit is breaking the FHS, it's just not looking in all the relevant places that are defined by the FHS.
