Debian Bug report logs - #536490
setup policykit when used with disabled root (sudo mode)

version graph

Package: policykit-1; Maintainer for policykit-1 is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>; Source for policykit-1 is src:policykit-1.

Reported by: Julien BEHEM <julien.behem@lanproject.net>

Date: Fri, 10 Jul 2009 10:54:02 UTC

Severity: important

Merged with 532499, 594832

Found in version policykit-1/0.96-2

Fixed in version policykit-1/0.96-4

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#536490; Package gnome-system-tools. (Fri, 10 Jul 2009 10:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien BEHEM <julien.behem@lanproject.net>:
New Bug report received and forwarded. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Fri, 10 Jul 2009 10:54:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Julien BEHEM <julien.behem@lanproject.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 12:41:10 +0200
Package: gnome-system-tools
Version: 2.22.1-5
Severity: important

When launching any gnome-system-tools utility and clicking on the unlock button, it asks for root password but root account is disabled and system is using sudo (working well in console, sudo is well configured, and sudo-mode is set to true for gksu in gconf editor).
I saw an old bugreport of 2008 (number 412982) describing maybe the same problem and solved by upgrading to 2.16 or 2.17 version, but i'm using 2.22...

I also have the same problem with the gnome NetworkManager applet (v 0.7.1).
By the way, other admin tools like update-manager or gnome-app-install for example use sudo correctly.

Thanks for help


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (988, 'testing'), (986, 'testing'), (984, 'stable'), (982, 'stable'), (98, 'unstable'), (96, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnome-system-tools depends on:
ii  gconf2                 2.26.2-1          GNOME configuration database syste
ii  libatk1.0-0            1.26.0-1          The ATK accessibility toolkit
ii  libc6                  2.9-12            GNU C Library: Shared libraries
ii  libcairo2              1.8.6-2+b1        The Cairo 2D vector graphics libra
ii  libdbus-1-3            1.2.14-3          simple interprocess messaging syst
ii  libdbus-glib-1-2       0.80-4            simple interprocess messaging syst
ii  libfontconfig1         2.6.0-3           generic font configuration library
ii  libfreetype6           2.3.9-4.1         FreeType 2 font engine, shared lib
ii  libgconf2-4            2.26.2-1          GNOME configuration database syste
ii  libglib2.0-0           2.20.1-2          The GLib library of C routines
ii  libgtk2.0-0            2.16.1-2          The GTK+ graphical user interface 
ii  libnautilus-extension1 2.26.3-1          libraries for nautilus components 
ii  liboobs-1-4            2.22.0-2          GObject based interface to system-
ii  libpango1.0-0          1.24.0-3+b1       Layout and rendering of internatio
ii  libpolkit-dbus2        0.9-4             library for accessing PolicyKit vi
ii  libpolkit2             0.9-4             library for accessing PolicyKit
ii  perl                   5.10.0-23         Larry Wall's Practical Extraction 
ii  policykit-gnome        0.9.2-2           GNOME dialogs for PolicyKit
ii  system-tools-backends  2.6.0-6.1         System Tools to manage computer co
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

Versions of packages gnome-system-tools recommends:
ii  gnome-control-center        1:2.24.0.1-5 utilities to configure the GNOME d

Versions of packages gnome-system-tools suggests:
ii  ntp                     1:4.2.4p6+dfsg-1 Network Time Protocol daemon and u
ii  samba-common            2:3.3.4-1        common files used by both the Samb
pn  wvdial                  <none>           (no description available)

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Jose Carlos Garcia Sogo <jsogo@debian.org>:
Bug#536490; Package gnome-system-tools. (Fri, 10 Jul 2009 11:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josselin Mouette <joss@debian.org>:
Extra info received and forwarded to list. Copy sent to Jose Carlos Garcia Sogo <jsogo@debian.org>. (Fri, 10 Jul 2009 11:15:03 GMT) Full text and rfc822 format available.

Message #10 received at 536490@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: Julien BEHEM <julien.behem@lanproject.net>, 536490@bugs.debian.org
Cc: pkg-utopia-maintainers <pkg-utopia-maintainers@lists.alioth.debian.org>
Subject: Re: Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 13:11:30 +0200
[Message part 1 (text/plain, inline)]
reassign 536490 policykit
thanks

Le vendredi 10 juillet 2009 à 12:41 +0200, Julien BEHEM a écrit :
> When launching any gnome-system-tools utility and clicking on the
> unlock button, it asks for root password but root account is disabled
> and system is using sudo (working well in console, sudo is well
> configured, and sudo-mode is set to true for gksu in gconf editor).
> I saw an old bugreport of 2008 (number 412982) describing maybe the
> same problem and solved by upgrading to 2.16 or 2.17 version, but i'm
> using 2.22...

This is a current limitation of PolicyKit.

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling
[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package `gnome-system-tools' to `policykit'. Request was from Josselin Mouette <joss@debian.org> to control@bugs.debian.org. (Fri, 10 Jul 2009 11:15:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 12:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 12:45:04 GMT) Full text and rfc822 format available.

Message #17 received at 536490@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Josselin Mouette <joss@debian.org>
Cc: Julien BEHEM <julien.behem@lanproject.net>, 536490@bugs.debian.org, pkg-utopia-maintainers <pkg-utopia-maintainers@lists.alioth.debian.org>
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 14:35:27 +0200
[Message part 1 (text/plain, inline)]
severity 536490 wishlist
retitle 536490 enable sudo like behaviour when system uses disabled root account
thanks

Josselin Mouette wrote:
> reassign 536490 policykit
> thanks
> 
> Le vendredi 10 juillet 2009 à 12:41 +0200, Julien BEHEM a écrit :
>> When launching any gnome-system-tools utility and clicking on the
>> unlock button, it asks for root password but root account is disabled
>> and system is using sudo (working well in console, sudo is well
>> configured, and sudo-mode is set to true for gksu in gconf editor).
>> I saw an old bugreport of 2008 (number 412982) describing maybe the
>> same problem and solved by upgrading to 2.16 or 2.17 version, but i'm
>> using 2.22...
> 
> This is a current limitation of PolicyKit.
> 

That is not really a limitation, but a configuration issue. PK can be setup (as
e.g. Ubuntu does), to allow for a sudo like behaviour.
If you replace the exiting configuration in /etc/PolicyKit/PolicyKit.conf with
<config version="0.1">
    <match user="root">
        <return result="yes"/>
    </match>
    <define_admin_auth group="admin"/>
</config>
you should get the same behaviour on Debian (assuming Debian also uses the
"admin" group for this).

Given that the default on Debian is to not use sudo and have an enabled root
account, the current configuration is imho ok.
I was wondering if maybe the installer should create this configuration when the
sudo option is enabled during installation or if there is a way to detect this
within the policykit postinst/preinst and maybe mangle the file accordingly.

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 12:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josselin Mouette <joss@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 12:51:03 GMT) Full text and rfc822 format available.

Message #22 received at 536490@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: Julien BEHEM <julien.behem@lanproject.net>, 536490@bugs.debian.org, pkg-utopia-maintainers <pkg-utopia-maintainers@lists.alioth.debian.org>, pkg-gnome-maintainers@lists.alioth.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 14:49:02 +0200
[Message part 1 (text/plain, inline)]
Le vendredi 10 juillet 2009 à 14:35 +0200, Michael Biebl a écrit :
> severity 536490 wishlist
> retitle 536490 enable sudo like behaviour when system uses disabled root account
> thanks
> 
> Josselin Mouette wrote:
> > reassign 536490 policykit
> > thanks
> > 
> > Le vendredi 10 juillet 2009 à 12:41 +0200, Julien BEHEM a écrit :
> >> When launching any gnome-system-tools utility and clicking on the
> >> unlock button, it asks for root password but root account is disabled
> >> and system is using sudo (working well in console, sudo is well
> >> configured, and sudo-mode is set to true for gksu in gconf editor).
> >> I saw an old bugreport of 2008 (number 412982) describing maybe the
> >> same problem and solved by upgrading to 2.16 or 2.17 version, but i'm
> >> using 2.22...
> > 
> > This is a current limitation of PolicyKit.
> > 
> 
> That is not really a limitation, but a configuration issue. PK can be setup (as
> e.g. Ubuntu does), to allow for a sudo like behaviour.
> If you replace the exiting configuration in /etc/PolicyKit/PolicyKit.conf with
> <config version="0.1">
>     <match user="root">
>         <return result="yes"/>
>     </match>
>     <define_admin_auth group="admin"/>
> </config>
> you should get the same behaviour on Debian (assuming Debian also uses the
> "admin" group for this).
> 
> Given that the default on Debian is to not use sudo and have an enabled root
> account, the current configuration is imho ok.
> I was wondering if maybe the installer should create this configuration when the
> sudo option is enabled during installation or if there is a way to detect this
> within the policykit postinst/preinst and maybe mangle the file accordingly.

There is already a hack in the initial configuration of sudo to
configure the gksu defaults differently in this case. It is probably
possible to do similar things for policykit.

However maybe this is also the right time to improve the situation:
      * either by providing a central way to change the configurations
        based on this option (and maybe some other similar installation
        options);
      * or by choosing to support only one of the two setups.

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 12:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josselin Mouette <joss@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 12:57:02 GMT) Full text and rfc822 format available.

Message #27 received at 536490@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: 536490@bugs.debian.org, Julien BEHEM <julien.behem@lanproject.net>, pkg-utopia-maintainers <pkg-utopia-maintainers@lists.alioth.debian.org>, pkg-gnome-maintainers@lists.alioth.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 14:55:55 +0200
[Message part 1 (text/plain, inline)]
Le vendredi 10 juillet 2009 à 14:49 +0200, Josselin Mouette a écrit :
> > e.g. Ubuntu does), to allow for a sudo like behaviour.
> > If you replace the exiting configuration in /etc/PolicyKit/PolicyKit.conf with
> > <config version="0.1">
> >     <match user="root">
> >         <return result="yes"/>
> >     </match>
> >     <define_admin_auth group="admin"/>
> > </config>
> > you should get the same behaviour on Debian (assuming Debian also uses the
> > "admin" group for this).

> There is already a hack in the initial configuration of sudo to
> configure the gksu defaults differently in this case. It is probably
> possible to do similar things for policykit.

Thinking about it more, it might be even more trivial:
      * include this snippet unconditionally
      * if the installation selects sudo mode, add the user to the admin
        group
And voilà.

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 16:51:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to julien.behem@lanproject.net:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 16:51:07 GMT) Full text and rfc822 format available.

Message #32 received at 536490@bugs.debian.org (full text, mbox):

From: Julien BEHEM <julien.behem@lanproject.net>
To: Michael Biebl <biebl@debian.org>
Cc: Josselin Mouette <joss@debian.org>, 536490@bugs.debian.org, pkg-utopia-maintainers <pkg-utopia-maintainers@lists.alioth.debian.org>
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 18:48:18 +0200
[Message part 1 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 17:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 17:15:05 GMT) Full text and rfc822 format available.

Message #37 received at 536490@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: julien.behem@lanproject.net, 536490@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 19:09:26 +0200
[Message part 1 (text/plain, inline)]
Julien BEHEM wrote:
> Michael Biebl a écrit :
>> severity 536490 wishlist
>> retitle 536490 enable sudo like behaviour when system uses disabled root account
>> thanks
>>
>> Josselin Mouette wrote:
>>   
>>> reassign 536490 policykit
>>> thanks
>>>
>>> Le vendredi 10 juillet 2009 à 12:41 +0200, Julien BEHEM a écrit :
>>>     
>>>> When launching any gnome-system-tools utility and clicking on the
>>>> unlock button, it asks for root password but root account is disabled
>>>> and system is using sudo (working well in console, sudo is well
>>>> configured, and sudo-mode is set to true for gksu in gconf editor).
>>>> I saw an old bugreport of 2008 (number 412982) describing maybe the
>>>> same problem and solved by upgrading to 2.16 or 2.17 version, but i'm
>>>> using 2.22...
>>>>       
>>> This is a current limitation of PolicyKit.
>>>
>>>     
>>
>> That is not really a limitation, but a configuration issue. PK can be setup (as
>> e.g. Ubuntu does), to allow for a sudo like behaviour.
>> If you replace the exiting configuration in /etc/PolicyKit/PolicyKit.conf with
>> <config version="0.1">
>>     <match user="root">
>>         <return result="yes"/>
>>     </match>
>>     <define_admin_auth group="admin"/>
>> </config>
>> you should get the same behaviour on Debian (assuming Debian also uses the
>> "admin" group for this).
>>   
> This does not work.
> When I click on the Unlock button in any admin tool, instead of getting the 
> prompt for root password, I get an error after few seconds of timeout : 
> Authentication impossible (or something translated like that).
> 

Are you member of the "admin" group?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 17:18:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to julien.behem@lanproject.net:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 17:18:06 GMT) Full text and rfc822 format available.

Message #42 received at 536490@bugs.debian.org (full text, mbox):

From: Julien BEHEM <julien.behem@lanproject.net>
To: Michael Biebl <biebl@debian.org>
Cc: 536490@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 19:12:44 +0200
[Message part 1 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 17:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 17:21:05 GMT) Full text and rfc822 format available.

Message #47 received at 536490@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: julien.behem@lanproject.net
Cc: 536490@bugs.debian.org, Josselin Mouette <joss@debian.org>
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 19:16:32 +0200
[Message part 1 (text/plain, inline)]
Julien BEHEM wrote:
> Michael Biebl a écrit :
>> Julien BEHEM wrote:
>>   
>>> Michael Biebl a écrit :
>>>     
>>>> severity 536490 wishlist
>>>> retitle 536490 enable sudo like behaviour when system uses disabled root account
>>>> thanks
>>>>
>>>> Josselin Mouette wrote:
>>>>   
>>>>       
>>>>> reassign 536490 policykit
>>>>> thanks
>>>>>
>>>>> Le vendredi 10 juillet 2009 à 12:41 +0200, Julien BEHEM a écrit :
>>>>>     
>>>>>         
>>>>>> When launching any gnome-system-tools utility and clicking on the
>>>>>> unlock button, it asks for root password but root account is disabled
>>>>>> and system is using sudo (working well in console, sudo is well
>>>>>> configured, and sudo-mode is set to true for gksu in gconf editor).
>>>>>> I saw an old bugreport of 2008 (number 412982) describing maybe the
>>>>>> same problem and solved by upgrading to 2.16 or 2.17 version, but i'm
>>>>>> using 2.22...
>>>>>>       
>>>>>>           
>>>>> This is a current limitation of PolicyKit.
>>>>>
>>>>>     
>>>>>         
>>>> That is not really a limitation, but a configuration issue. PK can be setup (as
>>>> e.g. Ubuntu does), to allow for a sudo like behaviour.
>>>> If you replace the exiting configuration in /etc/PolicyKit/PolicyKit.conf with
>>>> <config version="0.1">
>>>>     <match user="root">
>>>>         <return result="yes"/>
>>>>     </match>
>>>>     <define_admin_auth group="admin"/>
>>>> </config>
>>>> you should get the same behaviour on Debian (assuming Debian also uses the
>>>> "admin" group for this).
>>>>   
>>>>       
>>> This does not work.
>>> When I click on the Unlock button in any admin tool, instead of getting the 
>>> prompt for root password, I get an error after few seconds of timeout : 
>>> Authentication impossible (or something translated like that).
>>>
>>>     
>>
>> Are you member of the "admin" group?
>>
>>   
> Hmm there is no admin group defined in /etc/groups, but there is a group named 
> adm (which I am a member of). Should I create an admin group, or modify the 
> PolicyKit.conf with "adm" instead of "admin" ?

Either should work (given the admin group you create has root rights).

Joss, do you know what d-i resp. sudo does, when you install a root-disabled system?

Michael



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Fri, 10 Jul 2009 21:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josselin Mouette <joss@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 10 Jul 2009 21:54:02 GMT) Full text and rfc822 format available.

Message #52 received at 536490@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: julien.behem@lanproject.net, 536490@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Fri, 10 Jul 2009 23:51:13 +0200
[Message part 1 (text/plain, inline)]
Le vendredi 10 juillet 2009 à 19:16 +0200, Michael Biebl a écrit :
> Joss, do you know what d-i resp. sudo does, when you install a root-disabled system?

It’s in user-setup:

http://svn.debian.org/wsvn/d-i/trunk/packages/user-setup/user-setup-apply

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Sun, 12 Jul 2009 17:09:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to julien.behem@lanproject.net:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 12 Jul 2009 17:09:05 GMT) Full text and rfc822 format available.

Message #57 received at 536490@bugs.debian.org (full text, mbox):

From: Julien BEHEM <julien.behem@lanproject.net>
To: Michael Biebl <biebl@debian.org>
Cc: 536490@bugs.debian.org, Josselin Mouette <joss@debian.org>
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: Bug#536490: gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)
Date: Sun, 12 Jul 2009 19:07:50 +0200
[Message part 1 (text/html, inline)]

Forcibly Merged 532499 536490. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Sun, 12 Jul 2009 23:03:06 GMT) Full text and rfc822 format available.

Changed Bug title to `setup policykit when used with disabled root (sudo mode)' from `gnome-system-tools: Asks for root password instead of user password via sudo (root disabled)'. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Sun, 12 Jul 2009 23:03:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Sun, 18 Oct 2009 15:06:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Geek87 <geek87@gmx.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 18 Oct 2009 15:06:07 GMT) Full text and rfc822 format available.

Message #66 received at 536490@bugs.debian.org (full text, mbox):

From: Geek87 <geek87@gmx.com>
To: 536490@bugs.debian.org
Date: Sun, 18 Oct 2009 16:46:15 +0200
Hi!

I'm using an up to date Sid install and PolicyKit sudo configuration
works everywhere but in gnome-system-tools where it asks me for the root
password. What do you think I have to change?

Thanks in advance.




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Thu, 26 Nov 2009 15:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yann SOUBEYRAND <yann.soubeyrand@gmx.fr>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 26 Nov 2009 15:27:03 GMT) Full text and rfc822 format available.

Message #71 received at 536490@bugs.debian.org (full text, mbox):

From: Yann SOUBEYRAND <yann.soubeyrand@gmx.fr>
To: 536490@bugs.debian.org
Subject: New fix
Date: Thu, 26 Nov 2009 16:21:27 +0100
Hi!

It seems that the configuration file changed and its format too. You now
have to
modify /etc/polkit-1/localauthority.conf.d/50-localauthority.conf this
way:

[Configuration]
AdminIdentities=unix-user:0;unix-group:sudo

It's told not to modify the file because it will be overwritten on
update. That's why I think this file should be delivered with this
configuration because it won't change anything on systems with root
account and it will allow rootless systems to work properly.

Bye!




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Thu, 26 Nov 2009 15:42:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 26 Nov 2009 15:42:08 GMT) Full text and rfc822 format available.

Message #76 received at 536490@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Yann SOUBEYRAND <yann.soubeyrand@gmx.fr>, 536490@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: New fix
Date: Thu, 26 Nov 2009 16:37:00 +0100
[Message part 1 (text/plain, inline)]
Yann SOUBEYRAND wrote:
> Hi!
> 
> It seems that the configuration file changed and its format too. You now
> have to
> modify /etc/polkit-1/localauthority.conf.d/50-localauthority.conf this
> way:
> 
> [Configuration]
> AdminIdentities=unix-user:0;unix-group:sudo
> 
> It's told not to modify the file because it will be overwritten on
> update. That's why I think this file should be delivered with this
> configuration because it won't change anything on systems with root
> account and it will allow rootless systems to work properly.

Or simply create a new file, let's say 51-sudo.conf, which contains
[Configuration]
AdminIdentities=unix-group:sudo

Such a file could e.g. be shipped by sudo

Cheers,
Michael

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit. (Thu, 05 Aug 2010 20:09:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rafael Belmonte <eaglescreen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 05 Aug 2010 20:09:08 GMT) Full text and rfc822 format available.

Message #81 received at 536490@bugs.debian.org (full text, mbox):

From: Rafael Belmonte <eaglescreen@gmail.com>
To: debian-boot@lists.debian.org, Frans Pop <fjp@debian.org>, Otavio Salvador <otavio@debian.org>, 536490@bugs.debian.org
Subject: Bug #536490 and duplicates may be debian-installer related.
Date: Thu, 5 Aug 2010 22:06:04 +0200
[Message part 1 (text/plain, inline)]
Hello, please take a look at the Bug #536490 because this could be related
to debian-installer.
The debian-installer may be who should preconfigure policykit to can work in
sudo mode.
Thanks.
[Message part 2 (text/html, inline)]

Bug reassigned from package 'policykit' to 'policykit-1'. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Thu, 05 Aug 2010 21:42:06 GMT) Full text and rfc822 format available.

Forcibly Merged 532499 536490 594832. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Mon, 30 Aug 2010 08:06:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit-1. (Fri, 17 Sep 2010 22:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 17 Sep 2010 22:36:03 GMT) Full text and rfc822 format available.

Message #90 received at 536490@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Josselin Mouette <joss@debian.org>, 536490@bugs.debian.org, Josh Triplett <josh@joshtriplett.org>
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: Bug#536490: New fix
Date: Sat, 18 Sep 2010 00:33:31 +0200
[Message part 1 (text/plain, inline)]
Have been discussing this further with Joss. The way to go, as it currently
looks like, is to let policykit-1 ship a file like
# cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
[Configuration]
AdminIdentities=unix-group:sudo

And the installer, when in sudo mode, simply adds the user to group sudo.

Adding the IRC discussion for reference:

> [23:41:25] <Np237> mbiebl, any news from the idea of having policykit privileges for people from the "sudo" group ?
> [23:41:49] <Np237> (for the record I finally reported the bug against user-setup)
> [23:42:38] <mbiebl> no news besides what we discussed a while back
> [23:42:50] <mbiebl> I don't remember the details anymore unfortunately
> [23:42:52] <Np237> Could you implement that in PK in parallel?
> [23:43:02] <mbiebl> did we copy that to a bug report
> [23:43:13] <Np237> Not that I remember
> [23:43:29] <Np237> The idea was to add a policy file to make users from that group have auth_admin replaced by auth_self
> [23:43:34] <mbiebl> if sudo is to meant to be the "admin" group or equivalent to the admin group in Ubuntu
> [23:43:47] <Np237> Yeah, it’s named “sudo” in Debian
> [23:44:09] <mbiebl> then I'd basically just need to copy what pitti already added to the packed
> [23:44:20] <mbiebl> but installs conditionally for ubuntu only
> [23:44:25] <Np237> I only saw patches to policykit, not for policykit-1
> [23:44:44] <Np237> ah ok it’s already in the source
> [23:45:46] <mbiebl> http://git.debian.org/?p=pkg-utopia/policykit.git;a=blob;f=debian/rules;h=4f8abb74b056bcdbd2b4decc610f09d17038e514;hb=HEAD
> [23:45:53] <Np237> you just need to replace unix-group:admin by unix-group:sudo then
> [23:46:16] <mbiebl> that's the whole pk customization that is done for pk afair
> [23:46:27] <mbiebl> done for ubuntu, i mean
> [23:46:45] <Np237> ISTR live-helper has something similar
> [23:47:39] <mbiebl> we should really track this issue(s) in a bug report via user tags or a wiki
> [23:48:27] <Np237> A usertag for two bugs?
> [23:48:52] <mbiebl> if it's really only two packages, then no
> [23:49:07] <Np237> Well only user-setup and policykit-1 require changes, AFAIK
> [23:50:09] <mbiebl> user-setup will simply add the user to group sudo when installed in sudo modus
> [23:50:16] <mbiebl> i guess that is the bug you filed?
> [23:50:34] <Np237> Yes
> [23:50:46] <Np237> This would already work for sudo
> [23:50:58] <Np237> (and is much better than adding the user by hand to sudoers)
> [00:08:31] <mbiebl> let's see: added myself to sudo group and created the aforementioned conf file: works, I'm prompted for my password
> [00:08:57] <mbiebl> now, will need to check, if I remove myself from sudo group again, if it prompts me for the root password
> [00:12:18] <mbiebl> ok, works too
> [00:12:30] <Np237> \o/
> [00:12:38] <mbiebl> now, what if I add a second user, add this one to sudo
> [00:15:15] <mbiebl> ok, it will then prompt me, for the password of the second user
> [00:15:20] <mbiebl> and not the root pw anymore
> [00:15:39] <mbiebl> not ideal but I guess not a showstopper either
> [00:16:53] <mbiebl> Np237: do you have the # for the user-setup bug?
> [00:17:25] <Np237> mbiebl, #597239
> [00:20:00] <Np237> kov, I have also not given hope in pestering you enough so that you upload gksu-polkit :)
> [00:20:14] <mbiebl> Now, I just need to decide if it's better to just ship that file in policykit-1 or sudo
> [00:20:29] <Np237> I think in policykit-1
> [00:20:47] <Np237> If the group doesn’t exist for one reason or another, it’s just harmless
> [00:21:19] <mbiebl> ok, I'd need to test that, but i guess pk will correctly fallback to prompt-for-root

Also CCing Josh here, as he filed #566586 which is similar to this bug report
and should probably merged.

Josh, please speak up if the aforementioned proposal does not suit your needs
and we have to to keep track of that in a separate bug report.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit-1. (Sat, 18 Sep 2010 00:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 18 Sep 2010 00:33:03 GMT) Full text and rfc822 format available.

Message #95 received at 536490@bugs.debian.org (full text, mbox):

From: Josh Triplett <josh@joshtriplett.org>
To: Michael Biebl <biebl@debian.org>
Cc: Josselin Mouette <joss@debian.org>, 536490@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#536490: Bug#536490: New fix
Date: Sat, 18 Sep 2010 02:28:22 +0200
On Sat, Sep 18, 2010 at 12:33:31AM +0200, Michael Biebl wrote:
> Have been discussing this further with Joss. The way to go, as it currently
> looks like, is to let policykit-1 ship a file like
> # cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
> [Configuration]
> AdminIdentities=unix-group:sudo
> 
> And the installer, when in sudo mode, simply adds the user to group sudo.
> 
> Adding the IRC discussion for reference:
> 
> > [23:41:25] <Np237> mbiebl, any news from the idea of having policykit privileges for people from the "sudo" group ?
> > [23:41:49] <Np237> (for the record I finally reported the bug against user-setup)
> > [23:42:38] <mbiebl> no news besides what we discussed a while back
> > [23:42:50] <mbiebl> I don't remember the details anymore unfortunately
> > [23:42:52] <Np237> Could you implement that in PK in parallel?
> > [23:43:02] <mbiebl> did we copy that to a bug report
> > [23:43:13] <Np237> Not that I remember
> > [23:43:29] <Np237> The idea was to add a policy file to make users from that group have auth_admin replaced by auth_self
> > [23:43:34] <mbiebl> if sudo is to meant to be the "admin" group or equivalent to the admin group in Ubuntu
> > [23:43:47] <Np237> Yeah, it’s named “sudo” in Debian
> > [23:44:09] <mbiebl> then I'd basically just need to copy what pitti already added to the packed
> > [23:44:20] <mbiebl> but installs conditionally for ubuntu only
> > [23:44:25] <Np237> I only saw patches to policykit, not for policykit-1
> > [23:44:44] <Np237> ah ok it’s already in the source
> > [23:45:46] <mbiebl> http://git.debian.org/?p=pkg-utopia/policykit.git;a=blob;f=debian/rules;h=4f8abb74b056bcdbd2b4decc610f09d17038e514;hb=HEAD
> > [23:45:53] <Np237> you just need to replace unix-group:admin by unix-group:sudo then
> > [23:46:16] <mbiebl> that's the whole pk customization that is done for pk afair
> > [23:46:27] <mbiebl> done for ubuntu, i mean
> > [23:46:45] <Np237> ISTR live-helper has something similar
> > [23:47:39] <mbiebl> we should really track this issue(s) in a bug report via user tags or a wiki
> > [23:48:27] <Np237> A usertag for two bugs?
> > [23:48:52] <mbiebl> if it's really only two packages, then no
> > [23:49:07] <Np237> Well only user-setup and policykit-1 require changes, AFAIK
> > [23:50:09] <mbiebl> user-setup will simply add the user to group sudo when installed in sudo modus
> > [23:50:16] <mbiebl> i guess that is the bug you filed?
> > [23:50:34] <Np237> Yes
> > [23:50:46] <Np237> This would already work for sudo
> > [23:50:58] <Np237> (and is much better than adding the user by hand to sudoers)
> > [00:08:31] <mbiebl> let's see: added myself to sudo group and created the aforementioned conf file: works, I'm prompted for my password
> > [00:08:57] <mbiebl> now, will need to check, if I remove myself from sudo group again, if it prompts me for the root password
> > [00:12:18] <mbiebl> ok, works too
> > [00:12:30] <Np237> \o/
> > [00:12:38] <mbiebl> now, what if I add a second user, add this one to sudo
> > [00:15:15] <mbiebl> ok, it will then prompt me, for the password of the second user
> > [00:15:20] <mbiebl> and not the root pw anymore
> > [00:15:39] <mbiebl> not ideal but I guess not a showstopper either
> > [00:16:53] <mbiebl> Np237: do you have the # for the user-setup bug?
> > [00:17:25] <Np237> mbiebl, #597239
> > [00:20:00] <Np237> kov, I have also not given hope in pestering you enough so that you upload gksu-polkit :)
> > [00:20:14] <mbiebl> Now, I just need to decide if it's better to just ship that file in policykit-1 or sudo
> > [00:20:29] <Np237> I think in policykit-1
> > [00:20:47] <Np237> If the group doesn’t exist for one reason or another, it’s just harmless
> > [00:21:19] <mbiebl> ok, I'd need to test that, but i guess pk will correctly fallback to prompt-for-root
> 
> Also CCing Josh here, as he filed #566586 which is similar to this bug report
> and should probably merged.
> 
> Josh, please speak up if the aforementioned proposal does not suit your needs
> and we have to to keep track of that in a separate bug report.

The proposed change certainly seems to make sense for group sudo, since
by current default that group has sudo permission with their own
password.

For the purposes of bug 566586, though, I'd like to have a group which
doesn't need to enter a password at all, rather than one which needs to
enter their own password. 

I use the following configuration:

~$ cat /etc/polkit-1/localauthority/50-local.d/01-josh.pkla
[Admin]
Identity=unix-user:josh
Action=*
ResultActive=yes

This configuration makes PolicyKit automatically accept any request from
me if on the console.

The equivalent with unix-group:somegroup would simplify this to just
"adduser josh somegroup".

- Josh Triplett




Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#536490; Package policykit-1. (Sat, 18 Sep 2010 22:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Otavio Salvador <otavio@ossystems.com.br>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 18 Sep 2010 22:36:03 GMT) Full text and rfc822 format available.

Message #100 received at 536490@bugs.debian.org (full text, mbox):

From: Otavio Salvador <otavio@ossystems.com.br>
To: Rafael Belmonte <eaglescreen@gmail.com>
Cc: debian-boot@lists.debian.org, 536490@bugs.debian.org
Subject: Re: Bug #536490 and duplicates may be debian-installer related.
Date: Sat, 18 Sep 2010 19:33:36 -0300
On Thu, Aug 5, 2010 at 5:06 PM, Rafael Belmonte <eaglescreen@gmail.com> wrote:
> Hello, please take a look at the Bug #536490 because this could be related
> to debian-installer.
> The debian-installer may be who should preconfigure policykit to can work in

Yes; you are right.

Soon installer will be adding the user in sudo group.

-- 
Otavio Salvador                  O.S. Systems
E-mail: otavio@ossystems.com.br  http://www.ossystems.com.br
Mobile: +55 53 9981-7854         http://projetos.ossystems.com.br




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Dec 2010 07:32:01 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:30:24 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.