I run Debian Wheezy with a simple window manager (Blackbox). If I remember correctly, in Ubuntu some applications like Synaptic and Update Manager ask for sudo password only when/if needed. How do I configure the system so I can launch for instance Update Manager as normal user and only provide sudo password when the system is to be updated?

The window manager is started from ~/.xinitrc with

exec ck-launch-session dbus-launch blackbox

I have tried adding the file /var/lib/polkit-1/localauthority/50-local.d/test.pkla with the content below (and restarting X) but it makes no difference; update-manager still asks for root password when launched.

$ sudo cat /var/lib/polkit-1/localauthority/50-local.d/test.pkla
[test]
Identity=unix-group:sudo
Action=org.debian.apt.update-cache
ResultActive=yes

As requested by Graeme the content of directory /usr/share/polkit-1/actions/ is

com.hp.hplip.policy
com.ubuntu.pkexec.synaptic.policy
com.ubuntu.softwareproperties.policy
org.debian.apt.policy
org.freedesktop.color.policy
org.freedesktop.consolekit.policy
org.freedesktop.policykit.policy
org.freedesktop.udisks.policy
org.opensuse.cupspkhelper.mechanism.policy

Below follows the content of the directory /etc/polkit-1/localauthority.conf.d:

$ ls /etc/polkit-1/localauthority.conf.d/
50-localauthority.conf  51-debian-sudo.conf

$ cat /etc/polkit-1/localauthority.conf.d/50-localauthority.conf 
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#

[Configuration]
AdminIdentities=unix-user:0

$ cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf 
[Configuration]
AdminIdentities=unix-group:sudo

Here is the content of the sudoers file:

$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
  • sudo is the default mechanism for privilege elevation in all Debian based OS's... Debian/Ubuntu/Mint etc. As such your normal user is already a member of the wheel/sudoers group, so what exactly are you asking? – eyoung100 Dec 30 '14 at 16:14
  • Sure, I can launch e.g. Update Manager with gksudo but then I need to provide my password even though I don't necessarily want to modify the system (for instance when there are no updates available). I want to be asked for password when I click on the update button. – August Karlstrom Dec 30 '14 at 16:20
  • That's done through Polkit, I believe. So you probably just need to install it, and make sure its started at boot/via dbus activation/etc. – derobert Dec 30 '14 at 16:28
  • What happens if you try to launch Update Manager as normal user now? – Graeme Dec 30 '14 at 16:29
  • That's not how sudo/kdesudo/gksudo work. Update Manager/Synaptic and other applications require privilege elevation, therefore the elevation must take place before the application starts not after. Polkit rides on top of sudo, but cannot alter behavior of sudo. See How does sudo work and How is sudo intended to be used – eyoung100 Dec 30 '14 at 16:32
  • @eyoung100, do they? I use aptitude, if you start it as a normal user you get a Become root option. It appears the OP wants the same thing in Update Manager. – Graeme Dec 30 '14 at 16:37
  • @Graeme If Update Manager is launched as normal user it asks for the root password (with the options to save it in the session or in the key ring). – August Karlstrom Dec 30 '14 at 16:43
  • @Graeme Since Synaptic/Update Manager etc are GUI Frontends to Aptitude and the like, they require sudo or a variant. There is no way to "late bind" as the OP is asking, because the elevation takes place as soon as the process triggers, and the GUI is a wrapper. – eyoung100 Dec 30 '14 at 16:44
  • @Graeme Yes, I want the same "late authentication" in Update Manager as in aptitude. – August Karlstrom Dec 30 '14 at 16:45
  • @AugustKarlstrom Saving it in the Keyring, would prevent it from ever being asked but is highly discouraged... – eyoung100 Dec 30 '14 at 16:46
  • Can you add the output of ls /usr/share/polkit-1/actions/? – Graeme Dec 30 '14 at 16:52
  • Er, I was expecting to see something relating to update manager. Try grep -r update-manager /usr/share/polkit-1/actions and post the output (if any). – Graeme Dec 30 '14 at 17:14
  • @eyoung100 I think you don't know how PolKit works (or for that matter haven't seen Update Manager in action). Graeme, these are actions, and you're unlikely to find mentions of update manager here. – muru Dec 30 '14 at 17:22
  • @muru not true, i use XUbuntu on my laptop... – eyoung100 Dec 30 '14 at 17:43
  • @muru, see man pkexec for what I was thinking. – Graeme Dec 30 '14 at 17:51
  • @August what happens if you run update-manager from the command line, does it still ask for the password? – Graeme Dec 30 '14 at 17:52
  • @Graeme pkexec is for running the application entirely as another user, which, if the program itself supports Polkit, isn't needed. For example, that's why GParted and synaptic are run with pkexec, but configuration of Network Manager, or running Update Manager, don't need it. – muru Dec 30 '14 at 17:55
  • @muru, think I need to read up on Polkit then... – Graeme Dec 30 '14 at 17:56
  • Can you post the content of /etc/sudoers? – eyoung100 Jan 01 '15 at 17:56
  • @eyoung100 OK, I have added it now. – August Karlstrom Jan 01 '15 at 18:50
  • Are there any files in /etc/sudoers.d/? – eyoung100 Jan 01 '15 at 18:55
  • @eyoung100 There is only a README file in /etc/sudoers.d/. – August Karlstrom Jan 01 '15 at 20:15

1 Answer

You're probably not listed as a PolKit admin user. On Ubuntu, for example, you'll find:

$ cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

And the user created on install is a member of sudo, so they automatically become admin.

To add yourself as an admin, create a .conf file in /etc/polkit-1/localauthority.conf.d/ (for example, 99-local-admin.conf) containing (august being your username):

[Configuration]
AdminIdentities=unix-user:august
muru
  • This doesn't answer his question. He wants the Sudo Authentication Window to Appear when the Update Button in Update Manager is clicked, not when Update Manager starts, which implies update manager would need to be started w/o gksudo. I believe he can already gksudo, therefore polkit is not needed. – eyoung100 Dec 30 '14 at 17:46
  • @eyoung100 you're missing the point. Update Manager does not need sudo, it can work well enough with Polkit, and with Polkit, delayed privilege escalation is possible. Therefore "polkit is not needed" is going backwards. – muru Dec 30 '14 at 17:53
  • Is this Identical, if so, I'll retract my downvote: Update Manager doesn't ask for a password – eyoung100 Dec 30 '14 at 18:00
  • @eyoung100 it is related, but not identical. That shows how Update Manager uses polkit. In this instance, see this comment, where you will see that when Update Manager needs privilege, it asks for the only user who can (root), because OP isn't an admin, which is why I tell him to add himself as an admin. – muru Dec 30 '14 at 18:07
  • I'll still retract my downvote, as enabling root on Debian is not normally done, IIRC. Grr my vote is locked... – eyoung100 Dec 30 '14 at 18:10
  • Thanks for the answer but there is no admin group in Debian. – August Karlstrom Dec 30 '14 at 20:26
  • I have added the content of localauthority.conf.d to the original post. – August Karlstrom Dec 30 '14 at 20:35
  • @AugustKarlstrom Ubuntu doesn't have one either - the main user is added to sudo (I suspect the admin group is mentioned purely for backwards compatibility). Are you a member of the sudo group? – muru Dec 30 '14 at 20:39
  • @muru Yes, I'm in the sudo group. – August Karlstrom Dec 30 '14 at 20:53
  • @AugustKarlstrom If you do pkexec true, does it allow you to authenticate with your account? – muru Dec 30 '14 at 20:54
  • @muru Yes, pkexec true works (ends with "authentication complete"). – August Karlstrom Dec 30 '14 at 21:03
  • Yet when you have to authenticate for Update Manager, it only lists root as the option? – muru Dec 30 '14 at 21:04
  • @muru Yes, when I run update-manager I can only authenticate with the root password (as opposed to the sudo password). – August Karlstrom Dec 30 '14 at 21:06
  • @muru I also tried adding the 99-local-admin.conf as you describe. After restarting X and launching update-manager (as normal user) it still asks me for the root password before it starts. – August Karlstrom Jan 03 '15 at 15:13
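
How the AdminIdentities files quoted in the question and the answer combine, as an added example that is not part of the original thread: per pklocalauthority(8) the files in localauthority.conf.d are read in C-locale lexical order and a later file overrides an earlier one, so the answer's 99-local-admin.conf replaces unix-group:sudo rather than adding to it. The function names and the temporary sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: resolve the AdminIdentities that polkit's local authority ends
# up with. Per pklocalauthority(8), files in localauthority.conf.d are read in
# C-locale lexical order and a later file overrides an earlier one.

effective_admin_identities() {   # $1 = localauthority.conf.d directory
    find "$1" -maxdepth 1 -type f -name '*.conf' | LC_ALL=C sort | {
        value='unix-user:0'      # default when nothing is set: root only
        while IFS= read -r file; do
            found=$(awk '
                /^[ \t]*\[/ { cfg = ($0 ~ /^[ \t]*\[Configuration\]/); next }
                cfg && /^[ \t]*AdminIdentities[ \t]*=/ {
                    sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
                END { if (v != "") print v }' "$file")
            if [ -n "$found" ]; then value=$found; fi
        done
        printf '%s\n' "$value"
    }
}

# is_admin USER "GROUP ..." "identity;identity": match by name only
# (numeric IDs and unix-netgroup entries are not resolved here).
is_admin() {
    case ";$3;" in *";unix-user:$1;"*) return 0 ;; esac
    for g in $2; do
        case ";$3;" in *";unix-group:$g;"*) return 0 ;; esac
    done
    return 1
}

# Constructed copy of the two Debian files quoted in the question.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$d/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo\n' > "$d/51-debian-sudo.conf"
    printf '%s\n' "$d"
}

dir=$(make_sample_dir)
echo "Debian default:      $(effective_admin_identities "$dir")"
# The answer's file replaces the list rather than extending it.
printf '[Configuration]\nAdminIdentities=unix-user:august\n' > "$dir/99-local-admin.conf"
echo "with 99-local-admin: $(effective_admin_identities "$dir")"
# Keeping the sudo group requires listing it again in the last file.
printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-user:august\n' > "$dir/99-local-admin.conf"
echo "merged by hand:      $(effective_admin_identities "$dir")"
rm -rf "$dir"
```

On a real system, point effective_admin_identities at /etc/polkit-1/localauthority.conf.d and pass the output of id -un and id -Gn to is_admin.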