Allow users to install packages

rkarlsba · February 26, 2023, 10:24pm

Hi all

I have setup sudoers to allow users to install software already in the repos, but I’d like to allow them to do so in Gnome Software as well. I have tried to edit /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules to add a rule there, but it didn’t change anything. It still falls back to prompting for the admin user’s password. Any idea how I can do this? I am aware of the security issues with this, but please, let me be the judge of this

mcatanzaro · February 26, 2023, 10:41pm

You found the right file to edit. Did you restart PackageKit after modifying it? If you have it immediately return polkit.Result.YES then it will probably work and then you can tighten the permissions from there.

(And of course you would want to copy the file to /etc rather than modifying packaged files under /usr.)

rkarlsba · February 27, 2023, 9:03am

(And of course you would want to copy the file to /etc rather than modifying packaged files under /usr.)

That makes sense, but where under /etc? /etc/polkit-1/localauthority/20-org.d seems like a good candidate. Also, does this make sense?

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-reinstall" ||
         action.id == "org.freedesktop.packagekit.system-update" ||
         action.id == "org.freedesktop.packagekit.upgrade-system") &&
         (subject.isInGroup("sudo") || subject.isInGroup("installers"))) {
            return polkit.Result.YES;
    }
});

rkarlsba · February 27, 2023, 2:27pm

I tried this, but no

Feb 27 15:25:28 myhostname polkitd(authority=local)[64507]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.package-install for system-bus-name::1.86 [/usr/bin/gnome-software --gapplication-service] (owned by unix-user:myuser)

Any idea where to go next?

rkarlsba · February 27, 2023, 5:09pm

Removed the old one and added the file /etc/polkit-1/localauthority/20-org.d/org.freedesktop.packagekit.pkla with

[Allow installers to upgrade the system]
Identity=unix-group:installers
Action=org.freedesktop.packagekit.package-install;org.freedesktop.packagekit.package-reinstall;org.freedesktop.packagekit.system-update;org.freedesktop.packagekit.upgrade-system
ResultAny=no
ResultInactive=no
ResultActive=yes

This worked. Someone should possibly document it somewhere too

mcatanzaro · February 27, 2023, 7:07pm

Oh, the problem is you’re using Debian (or Ubuntu or another Debian-based system). The pkla support was removed from polkit roughly a decade ago, so a pkla file won’t do anything at all in upstream GNOME. But Debian has just decided to stick with a very old version of polkit that uses pkla instead of JavaScript configuration. Sorry that I forgot about this or it would have been one of my first suggestions to you.

rkarlsba · February 27, 2023, 9:36pm

Thanks. Perhaps bookworm will get something newer?

jakedane · February 28, 2023, 8:14am

Yes, bookworm uses JavaScript configuration for polkit rules.

system · April 14, 2023, 8:15am

This topic was automatically closed 45 days after the last reply. New replies are no longer allowed.