Allow users to install packages

Hi all

I have setup sudoers to allow users to install software already in the repos, but I’d like to allow them to do so in Gnome Software as well. I have tried to edit /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules to add a rule there, but it didn’t change anything. It still falls back to prompting for the admin user’s password. Any idea how I can do this? I am aware of the security issues with this, but please, let me be the judge of this :wink:

You found the right file to edit. Did you restart PackageKit after modifying it? If you have it immediately return polkit.Result.YES then it will probably work and then you can tighten the permissions from there.

(And of course you would want to copy the file to /etc rather than modifying packaged files under /usr.)

(And of course you would want to copy the file to /etc rather than modifying packaged files under /usr.)

That makes sense, but where under /etc? /etc/polkit-1/localauthority/20-org.d seems like a good candidate. Also, does this make sense?

polkit.addRule(function(action, subject) {
    if (( == "org.freedesktop.packagekit.package-install" || == "org.freedesktop.packagekit.package-reinstall" || == "org.freedesktop.packagekit.system-update" || == "org.freedesktop.packagekit.upgrade-system") &&
         (subject.isInGroup("sudo") || subject.isInGroup("installers"))) {
            return polkit.Result.YES;

I tried this, but no

Feb 27 15:25:28 myhostname polkitd(authority=local)[64507]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.packagekit.package-install for system-bus-name::1.86 [/usr/bin/gnome-software --gapplication-service] (owned by unix-user:myuser)

Any idea where to go next?

Removed the old one and added the file /etc/polkit-1/localauthority/20-org.d/org.freedesktop.packagekit.pkla with

[Allow installers to upgrade the system]

This worked. Someone should possibly document it somewhere too :wink:

Oh, the problem is you’re using Debian (or Ubuntu or another Debian-based system). The pkla support was removed from polkit roughly a decade ago, so a pkla file won’t do anything at all in upstream GNOME. But Debian has just decided to stick with a very old version of polkit that uses pkla instead of JavaScript configuration. Sorry that I forgot about this or it would have been one of my first suggestions to you.

Thanks. Perhaps bookworm will get something newer?

Yes, bookworm uses JavaScript configuration for polkit rules.

This topic was automatically closed 45 days after the last reply. New replies are no longer allowed.