When I tried to upgrade Cinnamon to Focal, I began to experience a lot of odd problems with VNC and GDM and the whole collection of machinery associated with getting a graphical environment particularly in a remote window. Cinnamon is physically downstairs in a rack in the basement, and my usual way of working is 80-90% ssh/command line and occasionally vinagre in an adjacent monitor with screens for a dozen or so places that I occasionally need to see graphically, including Cinnamon, but Vinagre usually stays pointed at Rosemary (also in the basement).
I’m sure there will eventually be some post about these problems, but one thing I did find a solution to and is documented here. For a long time I’ve been irritated by logging in graphically (gdm) – on either Rosemary or Cinnamon via Vinagre and being asked to provide my password in order to create a color profile. Not once, but usually several times. In essence, in order to log in I have to give my password 3 or 4 times in a row.
I because so irritated, I did a bit of research and found a solution. This is policykit. I don’t know a lot about policykit, other than having a vague idea what it is for. Here the problem seems to be that because I am on a remote rather than on the console, the question arises whether I should be entitled to do certain things. There are a set of rules in /usr/share/polkit-1/rules.d overridden by /etc/polkit-1/localauthority/* and some configuration in localauthority.conf.d that stipulate the rules about what you are allowed to do, based on things like whether you are root, whether you are on the console, etc.
So I learned that I could put a rule into /etc/polkit-1/localauthority/50-local.d/ which says I am allowed to do this. I created two files:
[Allow Colord all Users] Identity=unix-user:* Action=org.freedesktop.color-manager.create-device; \ org.freedesktop.color-manager.create-profile; \ org.freedesktop.color-manager.delete-device; \ org.freedesktop.color-manager.delete-profile; \ org.freedesktop.color-manager.modify-device; \ org.freedesktop.color-manager.modify-profile ResultAny=no ResultInactive=no ResultActive=yes
and 50-local.d/56-allow-packagekit.pkla, containing
[Allow Package Management all Users] Identity=unix-user:* Action=org.debian.apt.; \ io.snapcraft.; \ org.freedesktop.packagekit.; \ com.ubuntu.update-notifier. ResultAny=no ResultInactive=no ResultActive=yes
These allow any logged in user to do the two things indicated. I’m the only user.