4

I run Debian Wheezy with a simple window manager (Blackbox). If I remember correctly, in Ubuntu some applications like Synaptic and Update Manager ask for sudo password only when/if needed. How do I configure the system so I can launch for instance Update Manager as normal user and only provide sudo password when the system is to be updated?

The window manager is started from ~/.xinitrc with

```
exec ck-launch-session dbus-launch blackbox
```

I have tried adding the file /var/lib/polkit-1/localauthority/50-local.d/test.pkla with the content below (and restarting X) but it makes no difference; update-manager still asks for root password when launched.

```
$ sudo cat /var/lib/polkit-1/localauthority/50-local.d/test.pkla
[test]
Identity=unix-group:sudo
Action=org.debian.apt.update-cache
ResultActive=yes
```

As requested by Graeme the content of directory /usr/share/polkit-1/actions/ is

```
com.hp.hplip.policy
com.ubuntu.pkexec.synaptic.policy
com.ubuntu.softwareproperties.policy
org.debian.apt.policy
org.freedesktop.color.policy
org.freedesktop.consolekit.policy
org.freedesktop.policykit.policy
org.freedesktop.udisks.policy
org.opensuse.cupspkhelper.mechanism.policy
```

Below follows the content of the directory /etc/polkit-1/localauthority.conf.d:

```
$ ls /etc/polkit-1/localauthority.conf.d/
50-localauthority.conf  51-debian-sudo.conf

$ cat /etc/polkit-1/localauthority.conf.d/50-localauthority.conf
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#

[Configuration]
AdminIdentities=unix-user:0

$ cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
[Configuration]
AdminIdentities=unix-group:sudo
```

Here is the content of the sudoers file:

```
$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```
August Karlstrom
  • `sudo` is the default mechanism for privilege elevation in all Debian based OS's... Debian/Ubuntu/Mint etc. As such your normal user is already a member of the `wheel/sudoers` group, so what exactly are you asking? – eyoung100 Dec 30 '14 at 16:14
  • Sure, I can launch e.g. Update Manager with `gksudo` but then I need to provide my password even though I don't necessarily want to modify the system (for instance when there are no updates available). I want to be asked for password when I click on the update button. – August Karlstrom Dec 30 '14 at 16:20
  • That's done through [Polkit](http://en.wikipedia.org/wiki/Polkit), I believe. So you probably just need to install it, and make sure its started at boot/via dbus activation/etc. – derobert Dec 30 '14 at 16:28
  • What happens if you try to launch Update Manager as normal user now? – Graeme Dec 30 '14 at 16:29
  • That's not how `sudo/kdesudo/gksudo` work. Update Manager/Synaptic and other applications require privilege elevation, therefore the elevation must take place before the application starts not after. Polkit rides on top of sudo, but cannot alter behavior of sudo. See [How does sudo work](http://unix.stackexchange.com/questions/80344/how-do-the-internals-of-sudo-work) and [How is sudo intended to be used](http://unix.stackexchange.com/questions/11285/how-is-sudo-intended-to-be-used) – eyoung100 Dec 30 '14 at 16:32
  • @eyoung100, do they? I use `aptitude`, if you start it as a normal user you get a `Become root` option. It appears the OP wants the same thing in Update Manager. – Graeme Dec 30 '14 at 16:37
  • @Graeme If Update Manager is launched as normal user it asks for the *root* password (with the options to save it in the session or in the key ring). – August Karlstrom Dec 30 '14 at 16:43
  • @Graeme Since Synaptic/Update Manager etc are GUI Frontends to Aptitude and the like, they require sudo or a variant. There is no way to "late bind" as the OP is asking, because the elevation takes place as soon as the process triggers, and the GUI is a wrapper. – eyoung100 Dec 30 '14 at 16:44
  • @Graeme Yes, I want the same "late authentication" in Update Manager as in aptitude. – August Karlstrom Dec 30 '14 at 16:45
  • @AugustKarlstrom Saving it in the Keyring, would prevent it from ever being asked but is highly discouraged... – eyoung100 Dec 30 '14 at 16:46
  • Can you add the output of `ls /usr/share/polkit-1/actions/`? – Graeme Dec 30 '14 at 16:52
  • Er, I was expecting to see something relating to update manager. Try `grep -r update-manager /usr/share/polkit-1/actions` and post the output (if any). – Graeme Dec 30 '14 at 17:14
  • @eyoung100 I think you don't know how PolKit works (or for that matter haven't seen Update Manager in action). Graeme, these are actions, and you're unlikely to find mentions of update manager here. – muru Dec 30 '14 at 17:22
  • @muru not true, i use XUbuntu on my laptop... – eyoung100 Dec 30 '14 at 17:43
  • @muru, see `man pkexec` for what I was thinking. – Graeme Dec 30 '14 at 17:51
  • @August what happens if you run update-manager from the command line, does it still ask for the password? – Graeme Dec 30 '14 at 17:52
  • @Graeme `pkexec` is for running the application entirely as another user, which, if the program itself supports Polkit, isn't needed. For example, that's why GParted and synaptic are run with `pkexec`, but configuration of Network Manager, or running Update Manager, don't need it. – muru Dec 30 '14 at 17:55
  • @muru, think I need to read up on Polkit then... – Graeme Dec 30 '14 at 17:56
  • Can you post the content of `/etc/sudoers`? – eyoung100 Jan 01 '15 at 17:56
  • @eyoung100 OK, I have added it now. – August Karlstrom Jan 01 '15 at 18:50
  • Are there any files in `/etc/sudoers.d/`? – eyoung100 Jan 01 '15 at 18:55
  • @eyoung100 There is only a `README` file in `/etc/sudoers.d/`. – August Karlstrom Jan 01 '15 at 20:15

1 Answer

0

You're probably not listed as a PolKit admin user. On Ubuntu, for example, you'll find:

```
$ cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
```

And the user created on install is a member of sudo, so they automatically become admin.

To add yourself as an admin, create a .conf file in /etc/polkit-1/localauthority.conf.d/ (for example, 99-local-admin.conf) containing (august being your username):

```
[Configuration]
AdminIdentities=unix-user:august
```
muru
  • This doesn't answer his question. He wants the Sudo Authentication Window to Appear when the Update Button in Update Manager is clicked, not when Update Manager starts, which implies update manager would need to be started w/o gksudo. I believe he can already gksudo, therefore polkit is not needed. – eyoung100 Dec 30 '14 at 17:46
  • @eyoung100 you're missing the point. Update Manager does not *need* sudo, it can work well enough with Polkit, and with Polkit, delayed privilege escalation is possible. Therefore "polkit is not needed" is going backwards. – muru Dec 30 '14 at 17:53
  • Is this Identical, if so, I'll retract my downvote: [Update Manager doesn't ask for a password](http://askubuntu.com/questions/86773/update-manager-doesnt-ask-for-a-password) – eyoung100 Dec 30 '14 at 18:00
  • @eyoung100 it is related, but not identical. That shows how Update Manager uses polkit. In this instance, see [this comment](http://unix.stackexchange.com/questions/176630/late-authentication?noredirect=1#comment292011_176630), where you will see that when Update Manager needs privilege, it asks for the only user who can (`root`), because OP isn't an admin, which is why I tell him to add himself as an admin. – muru Dec 30 '14 at 18:07
  • I'll still retract my downvote, as enabling root on Debian is not normally done, IIRC. Grr my vote is locked... – eyoung100 Dec 30 '14 at 18:10
  • Thanks for the answer but there is no `admin` group in Debian. – August Karlstrom Dec 30 '14 at 20:26
  • I have added the content of `localauthority.conf.d` to the original post. – August Karlstrom Dec 30 '14 at 20:35
  • @AugustKarlstrom Ubuntu doesn't have one either - the main user is added to `sudo` (I suspect the `admin` group is mentioned purely for backwards compatibility). Are you a member of the `sudo` group? – muru Dec 30 '14 at 20:39
  • @muru Yes, I'm in the `sudo` group. – August Karlstrom Dec 30 '14 at 20:53
  • @AugustKarlstrom If you do `pkexec true`, does it allow you to authenticate with your account? – muru Dec 30 '14 at 20:54
  • @muru Yes, `pkexec true` works (ends with "authentication complete"). – August Karlstrom Dec 30 '14 at 21:03
  • Yet when you have to authenticate for Update Manager, it only lists root as the option? – muru Dec 30 '14 at 21:04
  • @muru Yes, when I run `update-manager` I can only authenticate with the `root` password (as opposed to the sudo password). – August Karlstrom Dec 30 '14 at 21:06
  • @muru I also tried adding the `99-local-admin.conf` as you describe. After restarting X and launching `update-manager` (as normal user) it still asks me for the *root* password before it starts. – August Karlstrom Jan 03 '15 at 15:13
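
An added example (not part of the original question, answer, or polkit itself): a small model of how the Local Authority resolves `AdminIdentities` from `localauthority.conf.d`, assuming the rule documented in pklocalauthority(8) that `.conf` files are read in lexical order and later files override earlier ones. The file contents are constructed copies of those quoted on this page; uid 1000 and the second user `bob` are made up for illustration.

```python
import configparser
import tempfile
from pathlib import Path

def effective_admin_identities(conf_dir):
    """Return AdminIdentities as resolved from *.conf files read in lexical
    order, where a later file's value replaces an earlier one."""
    identities = []
    for path in sorted(Path(conf_dir).glob("*.conf"), key=lambda p: p.name):
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key names case-sensitive
        cp.read(path)
        value = cp.get("Configuration", "AdminIdentities", fallback=None)
        if value is not None:
            identities = [i.strip() for i in value.split(";") if i.strip()]
    return identities

def is_admin(identities, user, uid, groups):
    """True if the account matches a unix-user or unix-group identity."""
    for ident in identities:
        kind, _, name = ident.partition(":")
        if kind == "unix-user" and name in (user, str(uid)):
            return True
        if kind == "unix-group" and name in groups:
            return True
    return False

def demo():
    """Constructed copies of the files quoted on this page, then the answer's 99 file."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "50-localauthority.conf").write_text(
            "# vendor default\n[Configuration]\nAdminIdentities=unix-user:0\n")
        (d / "51-debian-sudo.conf").write_text(
            "[Configuration]\nAdminIdentities=unix-group:sudo\n")
        before = effective_admin_identities(d)
        (d / "99-local-admin.conf").write_text(
            "[Configuration]\nAdminIdentities=unix-user:august\n")
        after = effective_admin_identities(d)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("without 99-local-admin.conf:", before)
    print("with 99-local-admin.conf:   ", after)
    # "bob" is a hypothetical second member of group sudo (constructed)
    for who, uid, groups in (("august", 1000, {"sudo"}), ("bob", 1001, {"sudo"})):
        print(who, is_admin(before, who, uid, groups), is_admin(after, who, uid, groups))
```

Under this model the `99-local-admin.conf` file replaces the `unix-group:sudo` entry from `51-debian-sudo.conf` rather than adding to it, so any other member of group `sudo` stops being a polkit admin.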