Add a policykit policy that allows yast to run via pkexec

[sp1ritCS]

I'd like to graphically execute yast with pkexec. This is currently not possible, as pkexec does not pass environment vars to the privileged process (similar to sudo without -E).

It is possible to define a policy that would allow yast to be run graphically. In comparison with sudo -E the org.freedesktop.policykit.exec.allow_gui only passes $DISPLAY and $XAUTHORITY. This causes yast to not honor qt and icon themes. (I have no experience with polkit, so I don't know if this can be fixed)

I've created a working (with above mentioned issues) policy.

/usr/share/polkit-1/actions/org.freedesktop.policykit.YaST.policy:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
	<action id="org.freedesktop.policykit.pkexec.YaST">
		<description>Run YaST</description>
		<message>Authentication is required to run YaST</message>
		<icon_name>yast-control-center</icon_name>
		<defaults>
			<allow_any>auth_admin</allow_any>
			<allow_inactive>auth_admin</allow_inactive>
			<allow_active>auth_admin</allow_active>
		</defaults>
		<annotate key="org.freedesktop.policykit.exec.path">/sbin/yast2</annotate>
		<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
	</action>
</policyconfig>

I'd love to see this integrated (maybe even with the desktop entries, as xdg-su/gnomesu is incredibly slow)

[kobliha]

Hi @sp1ritCS, thanks for the proposal.

I'd like to read more about your use-case, please. I've been checking a bit on difference between pkexec and the way which we use currently and from what I've seen, they are basically comparable. If I read this issue correctly, I feel that you want this because "xdg-su/gnomesu is incredibly slow"? Is that the only reason or is there something else which I don't see?

Thanks in advance

[kobliha]

BTW, some of the links I used:

• https://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html
• https://unix.stackexchange.com/questions/203136/how-do-i-run-gui-applications-as-root-by-using-pkexec
• https://askubuntu.com/questions/78352/when-to-use-pkexec-vs-gksu-gksudo

[sp1ritCS]

Yes, it's supposed to do the same.

Is that the only reason or is there something else which I don't see?

Well, additinaly pkexec looks a lot better on gnome-shell than gnomesu. (afaik on plasma xdg-su looks the same as pk) and it works a lot better with fprintd.

[ancorgs]

I wonder if there is someone with a stronger security/polkit background in the openSUSE community that we could add to this discussion to tell us: (a) whether this approach is good in general, (b) whether the mentioned issues with icons and themes can be easily solved.

[ancorgs]

@msmeissn is my first option for security+(open)SUSE questions. Can you provide some guidance about this topic?

[msmeissn]

as i am on parental leave until May 10th, please refer to @jsegitz or @mgerstner

[jsegitz]

I added this as https://bugzilla.suse.com/show_bug.cgi?id=1183718 to our work queue. We'll also update here once we had a look

[mgerstner]

The policy is fine as long as it is fine to run graphical YaST as root. Since there exist other means to do this already security will not be worse than before.

Other packages use similar polkit policies and polkit is generally sane in this regard, the rest is up to the invoked application. Of course users need to be aware of the generally raised security attack surface when running graphical applications as root (especially in the X.org server, which is the target of this policy).

[MattSturgeon]

Running yast via polkit would greatly improve user experience personally.

I have polkit configured so that I enter the user's password (if the user is in group wheel).

// /etc/polkit-1/rules.d/40-default.rules
polkit.addAdminRule(function(action, subject) {
    return ["unix-group:wheel"];
});

This means that I do not need to share a root password between all admins. In fact, my preference is to disable the root password entirely (e.g. via sudo passwd -l root).

This doesn't play well with xdg-su, as most implementations ask for the root password rather than the user's. The only exception I'm aware of is kdesu, which can be configured to use sudo instead of su.

gksudo would do the same thing for my specific use case, however I understand the consensus is that polkit is a better and more modern option. I also understand that polkit works better with libfprint.

I'm able to launch yast with polkit, however I cannot get yast to launch the qt GUI when run via polkit, it always opens the ncurses interface.

[shundhammer]

https://bugzilla.suse.com/show_bug.cgi?id=1216178