Monday, January 25, 2010

Update without root password?

In the old days of openSUSE 10.x I used sudo and its configuration to install updates and new software in GUI without the most-annoying (I know, secure) need to enter password of root. Since version 11, this is no longer possible.

Since I am too lazy to enter root password (I've already logged-in, it's me, right?), I spent quite some time figuring out how to solve it. And I finally did.

In KDE the kupdateapplet is used to check for updates. In default installation kupdate applet uses PackageKit backend. To make things more complicated, PackageKit uses another framework: PolicyKit. (From What's PackageKit?: "The primary design goal is to unify all the software graphical tools used in different distributions, and use some of the latest technology like PolicyKit to make the process suck less." - WTF?! I wanna sudo!).

How does it work? When the update applet issue update command to PackageKit, PackageKit asks PolicyKit for permission. PolicyKit checks it's configuration and either allows it, denies it, or ask for authentication (enter password). If you want to know how it works, read the PolicyKit and PackageKit documentation.

What we need to do is configure PolicyKit in a way that it gives permission to update action of PackageKit.

Default permissions are stored in file /etc/polkit-default-privs.standard (or /etc/polkit-default-privs.restrictive according to value of POLKIT_DEFAULT_PRIVS in /etc/sysconfig/security). The file have following syntax:

action_id permissions

or (one line)

action_id  perm_any_user:perm_user_not_on_the_active_console:perm_user_on_the_active_console

In first case, same permission are applied. In second case different permission are used for user on active console, etc.

Possible permissions are:

  • yes allowed
  • no denied
  • auth_admin need root password
  • auth_admin_keep same as above, but will not require password again for some time
  • auth_user need user password
  • auth_user_keep same as above, but will not require password again for some time

Action IDs and their descriptions can be found in files located in /usr/share/polkit-1/actions/. The one we're looking for is: org.freedesktop.packagekit.system-update.

In our case, we want that user on active console don't have to enter root password for installation of updates. So we add following rule to /etc/polkit-default-privs.local (do not modify polkit-default-privs.standard and polkit-default-privs.restrictive since they may be overwritten during some update!):

org.freedesktop.packagekit.system-update auth_admin:auth_admin:yes

And we need to install the privileges to the system (without following command, it won't work):


Yes! Now you should be able to update your system without the need to enter root password.

Same way can be used for package installation, removal, etc. You can also ask user to enter his password instead of root password. The only thing I miss is Vista-like way: make user explicitly click "I know what I'm doing" without the need to enter password. Why? Because this way some script can install a package on your system without you even knowing it (If you have passwordless installation allowed for user on active console and the user runs the script without knowing what it exactly does. But I didn't test it, maybe it doesn't work this way? Maybe there's some check?)

Special thanks to Ludwig Nussel for pointing me to /sbin/set_polkit_default_privs.

No comments:

Post a Comment