4

I run Debian Wheezy with a simple window manager (Blackbox). If I remember correctly, in Ubuntu some applications like Synaptic and Update Manager ask for sudo password only when/if needed. How do I configure the system so I can launch for instance Update Manager as normal user and only provide sudo password when the system is to be updated?

The window manager is started from ~/.xinitrc with 

exec ck-launch-session dbus-launch blackbox

I have tried adding the file /var/lib/polkit-1/localauthority/50-local.d/test.pkla with the content below (and restarting X) but it makes no difference; update-manager still asks for root password when launched.

$ sudo cat /var/lib/polkit-1/localauthority/50-local.d/test.pkla
[test]
Identity=unix-group:sudo
Action=org.debian.apt.update-cache
ResultActive=yes

As requested by Graeme the content of directory /usr/share/polkit-1/actions/ is

com.hp.hplip.policy
com.ubuntu.pkexec.synaptic.policy
com.ubuntu.softwareproperties.policy
org.debian.apt.policy
org.freedesktop.color.policy
org.freedesktop.consolekit.policy
org.freedesktop.policykit.policy
org.freedesktop.udisks.policy
org.opensuse.cupspkhelper.mechanism.policy

Below follows the content of the directory /etc/polkit-1/localauthority.conf.d:

$ ls /etc/polkit-1/localauthority.conf.d/
50-localauthority.conf  51-debian-sudo.conf

$ cat /etc/polkit-1/localauthority.conf.d/50-localauthority.conf 
# Configuration file for the PolicyKit Local Authority.
#
# DO NOT EDIT THIS FILE, it will be overwritten on update.
#
# See the pklocalauthority(8) man page for more information
# about configuring the Local Authority.
#

[Configuration]
AdminIdentities=unix-user:0

$ cat /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf 
[Configuration]
AdminIdentities=unix-group:sudo

Here is the content of the sudoers file:

$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
Improve this question
22
  • sudo is the default mechanism for privilege elevation in all Debian based OS's... Debian/Ubuntu/Mint etc. As such your normal user is already a member of the wheel/sudoers group, so what exactly are you asking? Commented Dec 30, 2014 at 16:14
  • Sure, I can launch e.g. Update Manager with gksudo but then I need to provide my password even though I don't necessarily want to modify the system (for instance when there are no updates available). I want to be asked for password when I click on the update button. Commented Dec 30, 2014 at 16:20
  • 1
    That's done through Polkit, I believe. So you probably just need to install it, and make sure its started at boot/via dbus activation/etc. Commented Dec 30, 2014 at 16:28
  • What happens if you try to launch Update Manager as normal user now? Commented Dec 30, 2014 at 16:29
  • That's not how sudo/kdesudo/gksudo work. Update Manager/Synaptic and other applications require privilege elevation, therefore the elevation must take place before the application starts not after. Polkit rides on top of sudo, but cannot alter behavior of sudo. See How does sudo work and How is sudo intended to be used Commented Dec 30, 2014 at 16:32

1 Answer 1

Reset to default
0

You're probably not listed as a PolKit admin user. On Ubuntu, for example, you'll find:

$ cat /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

And the user created on install is a member of sudo, so they automatically become admin.

To add yourself as an admin, create a .conf file in /etc/polkit-1/localauthority.conf.d/ (for example, 99-local-admin.conf) containing (august being your username):

[Configuration]
AdminIdentities=unix-user:august
Improve this answer
14
  • 1
    This doesn't answer his question, He wants the Sudo Authentication Window to Appear when the Update Button in Update Manager is clicked, not when Update Manager starts, which implies update manager would need to be started w/o gksudo. I belieive he can already gksudo, therefore polkit is not needed. Commented Dec 30, 2014 at 17:46
  • @eyoung100 you're missing the point. Update Manager does not need sudo, it can work well enough with Polkit, and with Polkit, delayed privilege escalation is possible. Therefore "polkit is not needed" is going backwards. Commented Dec 30, 2014 at 17:53
  • Is this Identical, if so, I'll retract my downvote: Update Manager doesn't ask for a password Commented Dec 30, 2014 at 18:00
  • @eyoung100 it is related, but not identical. That shows how Update Manager use polkit. In this instance, see this comment, where you will see that when Update Manager needs privilege, it asks for the only user who can (root), because OP isn't an admin, which is why I tell him to add himself as an admin. Commented Dec 30, 2014 at 18:07
  • Ill still retract my downvote, as enabling root on Debian is not normally done, IIRC. Grr my vote is locked... Commented Dec 30, 2014 at 18:10

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.