Running Kubuntu under Hyper-V with xRDP

I’m playing with the latest version of Kubuntu (21.10 as of writing) in a Hyper-V VM to see what the current state of Linux on the Desktop is, and to work out if I want to switch back to running Linux as my main OS (it was my main OS in college, in the early era of system integrators that sold Linux PCs (a Pentium 233 as I recall, but maybe a bit less than that)). Installing under Hyper-V is easy in Windows 10:

  • Create a Gen2 Hyper-V VM
  • Disable Secure Boot
  • Boot from ISO image
  • Install
  • Don’t tick the “login automatically” option
  • Reboot
  • Access from Hyper-V console

Disabling Secure Boot is the important step: the machine won’t boot from the ISO with Secure Boot enabled. Secure Boot isn’t needed for testing, though there are ways to make it work.

As a basic Linux install, it’s fine, however there are a few mild annoyances:

  • Mouse is laggy
  • Screen resolution changes required incantations
  • No audio

The solution is to get xRDP installed, and turn on the Hyper-V enhanced mode. The instructions on AskUbuntu (archive) work for 21.10, and they solve the laggy mouse and screen resolution issues. Sound is solved by doing custom builds of a PulseAudio driver to enable xrdp-sink and xrdp-source. However, switching to xRDP changes how the operating system security sees you – if you connect without xRDP, then you’re a local user on the graphical console (the hyperv-fb framebuffer), but if you connect over xRDP, you’re now a remote user, and the polkit daemon will generate all sorts of auth problems for you.

For example, after logging in via the enhanced RDP session, I’d hit an auth dialog related to the network, which never happens on the un-enhanced login (where you’re not using xRDP). I’d also get random auth popups for things like refreshing the system repositories; basically, any policy that said “the console-local user, if they’re in this group, can take this action without auth” would trigger a prompt because I wasn’t a console-local user.

[Screenshot: a KDE polkit1 agent dialog requesting a password for network connection control. PolicyKit1 action: org.freedesktop.NetworkManager.network-control]

I bashed at this for a few hours, as searches online weren’t finding anything useful (and I don’t really expect search engines to find this post either – it’s mostly for my own memory), and I eventually worked it out. My user is already a member of the sudo group (default Kubuntu setup), so a custom polkit policy is what’s needed. A new file in /etc/polkit-1/localauthority/50-rules.d/ sets up a policy override for everything under org.freedesktop, for users who are members of the sudo group, and declares that it doesn’t care how they’re on the system, the policy is to allow the action.

[Allow all FreeDesktop]
Identity=unix-group:sudo
Action=org.freedesktop.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

One reboot later to make sure the system state is reset, and I don’t get an authentication dialog on login for the network connection, and the Discover tool isn’t generating prompts either.

/var/log/auth.log shows a change in the polkit messaging too. Previously, there would be entries along the lines of successfully authenticating a ONE-SHOT authorization for action org.freedesktop.packagekit.package-install and now it just says that my uid tried to obtain auth and then obtained auth; no password prompts.

Is this secure? No, not really. However, it’s a testing VM so I don’t mind very much. It’s pretty much the same as putting my username in the sudoers file with NOPASSWD grants.
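
To see how much the wildcard rule above grants compared with a rule that names only the actions that were prompting, here is an added example (not part of the original post) that parses .pkla text and reports every entry that answers yes for any session. The probe list, the second sample entry and the function name audit_pkla are assumptions made for this illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Probe actions: the two named in the post, plus pkexec's own action, which
# authorizes running an arbitrary program as another user (root by default).
PKEXEC = "org.freedesktop.policykit.exec"
PROBES = ("org.freedesktop.NetworkManager.network-control",
          "org.freedesktop.packagekit.package-install", PKEXEC)

def audit_pkla(text):
    """Report .pkla entries that answer 'yes' for any session, remote included."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: ResultAny, not resultany
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        entry = parser[name]
        if entry.get("ResultAny", "").strip() != "yes":
            continue  # a prompt or denial for non-local sessions is not flagged
        globs = [g.strip() for g in entry.get("Action", "").split(";") if g.strip()]
        # fnmatchcase approximates polkit's glob matching for '*' and '?'
        matched = [p for p in PROBES if any(fnmatchcase(p, g) for g in globs)]
        findings.append({"entry": name, "identity": entry.get("Identity", ""),
                         "wildcard": any("*" in g or "?" in g for g in globs),
                         "matched": matched, "covers_pkexec": PKEXEC in matched})
    return findings

# Constructed sample: the rule from the post, then a hypothetical narrower one.
SAMPLE = """\
[Allow all FreeDesktop]
Identity=unix-group:sudo
Action=org.freedesktop.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

[Allow network and package install]
Identity=unix-group:sudo
Action=org.freedesktop.NetworkManager.network-control;org.freedesktop.packagekit.package-install
ResultAny=yes
ResultInactive=no
ResultActive=yes
"""

if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE):
        print(finding)
```

Both entries are reported because both skip the prompt for xRDP sessions, but only the wildcard entry also covers org.freedesktop.policykit.exec, which is what makes it equivalent to a NOPASSWD sudoers grant.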