[opensuse-kubic] MicroOS (Desktop) and PolicyKit stuff
Hello, I was having a look at that little issue that we have with MicroOS Desktop asking passwords every 3 seconds, and I think I bumped into something I'm not sure I understand. So, one operation for which it asks for the root password (when it shouldn't, e.g., Tumbleweed doesn't, for doing that) is when I plug an USB key. In order to understand what is going on, I added some logging to polkitd, and here's what I've found. On Tumbleweed: nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:2: action=[Action id='com.endlessm.ParentalControls.AppFilter.ReadOwn'] nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:3: subject=[Subject pid=2321 user='dario' groups=audio,bin,dialout,docker,kvm,lp,mail,tty,video,vnc,wheel,dario,users,libvirt,osc seat=null session=nul> nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:1027: com.endlessm.ParentalControls.AppFilter.ReadOwn => yes On MicroOS: nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:2: action=[Action id='org.freedesktop.udisks2.filesystem-mount' device='/dev/sdd1' polkit.message='Authentication is required to mount $(drive)' partition> nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:3: subject=[Subject pid=1754 user='dario' groups=users,wheel,dario seat=null session=null local=true active=true] nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:1026: org.freedesktop.udisks2.filesystem-mount => auth_admin So, why 'yes' on one hand and 'auth_admin' on the other? Well, the code is in /etc/polkit-1/rules.d/90-default-privs.rules (at the bottom). There's a big array with all the actions and, on Tumbleweed, I have this, for the action above: 'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'yes' ], While on MicroOS: 'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'auth_admin' ], So here's from where 'yes' and 'auth_admin' come from. Now, let's do the same dance again. Tumbleweed: $ rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules polkit-default-privs-1550+20201119.2c1dce4-1.1.noarch MicroOS $ rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules polkit-default-privs-1550+20201119.2c1dce4-1.1.noarch So, same package, different content. I'm sure there's a way to understand why that is, probably looking at: https://build.opensuse.org/package/view_file/openSUSE:Factory/polkit-default... And: https://github.com/openSUSE/polkit-default-privs And I plan to do so, but I haven't had the time yet. However, it's definitely not my field. So, if anyone more knowledgeable on these matters want to beat me at it, please, feel free :-) Thanks and Regards -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
Hi, Am Donnerstag, 26. November 2020, 12:09:12 CET schrieb Dario Faggioli:
Hello,
I was having a look at that little issue that we have with MicroOS Desktop asking passwords every 3 seconds, and I think I bumped into something I'm not sure I understand.
So, one operation for which it asks for the root password (when it shouldn't, e.g., Tumbleweed doesn't, for doing that) is when I plug an USB key.
In order to understand what is going on, I added some logging to polkitd, and here's what I've found.
On Tumbleweed:
nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:2: action=[Action id='com.endlessm.ParentalControls.AppFilter.ReadOwn'] nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:3: subject=[Subject pid=2321 user='dario' groups=audio,bin,dialout,docker,kvm,lp,mail,tty,video,vnc,wheel,dario,users,libvirt,osc seat=null session=nul> nov 26 11:57:27 Palanthas polkitd[14840]: <no filename>:1027: com.endlessm.ParentalControls.AppFilter.ReadOwn => yes
On MicroOS:
nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:2: action=[Action id='org.freedesktop.udisks2.filesystem-mount' device='/dev/sdd1' polkit.message='Authentication is required to mount $(drive)' partition> nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:3: subject=[Subject pid=1754 user='dario' groups=users,wheel,dario seat=null session=null local=true active=true] nov 26 10:27:31 Wayrath polkitd[9619]: <no filename>:1026: org.freedesktop.udisks2.filesystem-mount => auth_admin
So, why 'yes' on one hand and 'auth_admin' on the other? Well, the code is in /etc/polkit-1/rules.d/90-default-privs.rules (at the bottom).
There's a big array with all the actions and, on Tumbleweed, I have this, for the action above:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'yes' ],
While on MicroOS:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'auth_admin' ],
So here's from where 'yes' and 'auth_admin' come from.
Now, let's do the same dance again.
Tumbleweed:
$ rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules polkit-default-privs-1550+20201119.2c1dce4-1.1.noarch
MicroOS
$ rpm -qf /etc/polkit-1/rules.d/90-default-privs.rules polkit-default-privs-1550+20201119.2c1dce4-1.1.noarch
So, same package, different content.
What's the value of PERMISSION_SECURITY in /etc/sysconfig/security? It decides which of /etc/polkit-default-privs.* gets used for generating the .rules file. Cheers, Fabian
I'm sure there's a way to understand why that is, probably looking at: https://build.opensuse.org/package/view_file/openSUSE:Factory/polkit-default...
And: https://github.com/openSUSE/polkit-default-privs
And I plan to do so, but I haven't had the time yet.
However, it's definitely not my field. So, if anyone more knowledgeable on these matters want to beat me at it, please, feel free :-)
Thanks and Regards
On Thu, 2020-11-26 at 12:25 +0100, Fabian Vogt wrote:
Hi,
Hey!
Am Donnerstag, 26. November 2020, 12:09:12 CET schrieb Dario Faggioli:
There's a big array with all the actions and, on Tumbleweed, I have this, for the action above:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'yes' ],
While on MicroOS:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'auth_admin' ],
So here's from where 'yes' and 'auth_admin' come from.
What's the value of PERMISSION_SECURITY in /etc/sysconfig/security? It decides which of /etc/polkit-default-privs.* gets used for generating the .rules file.
Ah, cool to know... And thanks for checking so quickly. :-) Ok, so PERMISSION_SECURITY is "easy local" in both distros. However, still in the same file, on Tumbleweed we have: POLKIT_DEFAULT_PRIVS="" While on MicroOS: POLKIT_DEFAULT_PRIVS="restrictive" Does this have a say in putting the rules together too? Regards -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
Hi, Am Donnerstag, 26. November 2020, 12:32:18 CET schrieb Dario Faggioli:
On Thu, 2020-11-26 at 12:25 +0100, Fabian Vogt wrote:
Hi,
Hey!
Am Donnerstag, 26. November 2020, 12:09:12 CET schrieb Dario Faggioli:
There's a big array with all the actions and, on Tumbleweed, I have this, for the action above:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'yes' ],
While on MicroOS:
'org.freedesktop.udisks2.filesystem-mount': [ 'auth_admin', 'auth_admin', 'auth_admin' ],
So here's from where 'yes' and 'auth_admin' come from.
What's the value of PERMISSION_SECURITY in /etc/sysconfig/security? It decides which of /etc/polkit-default-privs.* gets used for generating the .rules file.
Ah, cool to know... And thanks for checking so quickly. :-)
Ok, so PERMISSION_SECURITY is "easy local" in both distros.
However, still in the same file, on Tumbleweed we have: POLKIT_DEFAULT_PRIVS=""
While on MicroOS: POLKIT_DEFAULT_PRIVS="restrictive"
Does this have a say in putting the rules together too?
That's documented in the sysconfig file: # SUSE ships with two sets of default privilege settings. These are # "standard" and "restrictive". # # Examples: "standard", "restrictive foo bar" # # If not set the value depends on the setting of # PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or # 'paranoid' the value will be 'restrictive', otherwise 'standard'. # # The 'local' file is always evaluated and takes precedence over all # other files. So if you change that to "standard" or "", it should work like on plain TW. Richard probably knows where this default is set. Cheers, Fabian
Regards
On Thu, 2020-11-26 at 12:34 +0100, Fabian Vogt wrote:
Am Donnerstag, 26. November 2020, 12:32:18 CET schrieb Dario Faggioli: # SUSE ships with two sets of default privilege settings. These are # "standard" and "restrictive". # # Examples: "standard", "restrictive foo bar" # # If not set the value depends on the setting of # PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or # 'paranoid' the value will be 'restrictive', otherwise 'standard'. # # The 'local' file is always evaluated and takes precedence over all # other files.
So if you change that to "standard" or "", it should work like on plain TW.
Richard probably knows where this default is set.
Yes... Although I think I found it (maybe): https://github.com/yast/skelcd-control-MicroOS/blob/master/control/control.M... https://github.com/yast/skelcd-control-MicroOS/blob/master/control/control.M... I may even try to understand how to override it for the Desktop variant, but not right now (no time). So, again, feel free to beat me to it. :-) Regards -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote:
On Thu, 2020-11-26 at 12:34 +0100, Fabian Vogt wrote:
Am Donnerstag, 26. November 2020, 12:32:18 CET schrieb Dario Faggioli: # SUSE ships with two sets of default privilege settings. These are # "standard" and "restrictive". # # Examples: "standard", "restrictive foo bar" # # If not set the value depends on the setting of # PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or # 'paranoid' the value will be 'restrictive', otherwise 'standard'. # # The 'local' file is always evaluated and takes precedence over all # other files.
So if you change that to "standard" or "", it should work like on plain TW.
Richard probably knows where this default is set.
Yes... Although I think I found it (maybe):
https://github.com/yast/skelcd-control-MicroOS/blob/master/control/control.M...
https://github.com/yast/skelcd-control-MicroOS/blob/master/control/control.M...
I may even try to understand how to override it for the Desktop variant, but not right now (no time).
So, again, feel free to beat me to it. :-)
Gladly ;) https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the way :) Thanks so much for solving that mystery :) -- Richard Brown Linux Distribution Engineer - Future Technology Team Phone +4991174053-361 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer
On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote:
On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote:
I may even try to understand how to override it for the Desktop variant, but not right now (no time).
So, again, feel free to beat me to it. :-)
Gladly ;)
https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the way :)
Yay! And that's another roadblock smashed. :-P We're surely not done yet, but this one here was pretty annoying IMO. It was a bit of a pain, for me, in my daily basis usage, but it was even worse having to explain it to curious users that were testing MicroOS Desktop, even if with all the premises of project being ALPHA, etc.
Thanks so much for solving that mystery :)
Yes, thanks to Fabian for finding the root cause of the symptoms that I showed, and to you for the quick fix! Regarss -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
Hi all, This fix only applies to new installs? As I still get loads of password requests on both KDE and Gnome.. Also kudos to the work on MicroOS, it's been my main distro now for 1,5 months and it keeps getting better! BR, Syds -- Syds Bearda *@syds.eu On Thu, Nov 26, 2020, at 16:50, Dario Faggioli wrote:
On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote:
On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote:
I may even try to understand how to override it for the Desktop variant, but not right now (no time).
So, again, feel free to beat me to it. :-)
Gladly ;)
https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the way :)
Yay! And that's another roadblock smashed. :-P
We're surely not done yet, but this one here was pretty annoying IMO. It was a bit of a pain, for me, in my daily basis usage, but it was even worse having to explain it to curious users that were testing MicroOS Desktop, even if with all the premises of project being ALPHA, etc.
Thanks so much for solving that mystery :)
Yes, thanks to Fabian for finding the root cause of the symptoms that I showed, and to you for the quick fix!
Regarss -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
*Attachments:* * signature.asc
On Tue, 2020-12-01 at 22:41 +0100, Syds Bearda wrote:
Hi all,
This fix only applies to new installs? As I still get loads of password requests on both KDE and Gnome..
Also kudos to the work on MicroOS, it's been my main distro now for 1,5 months and it keeps getting better!
BR, Syds
Yes, we have no mechanism for automagically changing such security related stuff in existing installs. That's probably a good thing :)
On Thu, Nov 26, 2020, at 16:50, Dario Faggioli wrote:
On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote:
On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote:
I may even try to understand how to override it for the Desktop variant, but not right now (no time). So, again, feel free to beat me to it. :-) Gladly ;) https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the way :) Yay! And that's another roadblock smashed. :-P
We're surely not done yet, but this one here was pretty annoying IMO. It was a bit of a pain, for me, in my daily basis usage, but it was even worse having to explain it to curious users that were testing MicroOS Desktop, even if with all the premises of project being ALPHA, etc.
Thanks so much for solving that mystery :)
Yes, thanks to Fabian for finding the root cause of the symptoms that I showed, and to you for the quick fix!
Regarss -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
Attachments: * signature.asc
openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Richard Brown Linux Distribution Engineer - Future Technology Team Phone +4991174053-361 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer
Hi, On Tue, Dec 1, 2020, at 22:51, Richard Brown wrote:
On Tue, 2020-12-01 at 22:41 +0100, Syds Bearda wrote:
Hi all,
This fix only applies to new installs? As I still get loads of password requests on both KDE and Gnome..
Also kudos to the work on MicroOS, it's been my main distro now for 1,5 months and it keeps getting better!
BR, Syds
Yes, we have no mechanism for automagically changing such security related stuff in existing installs.
That's probably a good thing :)
Reinstall here i come :) And yes, unfortunately, not being able to change security settings automatically is a good thing.
On Thu, Nov 26, 2020, at 16:50, Dario Faggioli wrote:
On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote:
On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote:
I may even try to understand how to override it for the Desktop variant, but not right now (no time). So, again, feel free to beat me to it. :-) Gladly ;) https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the way :) Yay! And that's another roadblock smashed. :-P
We're surely not done yet, but this one here was pretty annoying IMO. It was a bit of a pain, for me, in my daily basis usage, but it was even worse having to explain it to curious users that were testing MicroOS Desktop, even if with all the premises of project being ALPHA, etc.
Thanks so much for solving that mystery :)
Yes, thanks to Fabian for finding the root cause of the symptoms that I showed, and to you for the quick fix!
Regarss -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
Attachments: * signature.asc
openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Richard Brown Linux Distribution Engineer - Future Technology Team Phone +4991174053-361 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
Hi, On Wed, Dec 02, Syds Bearda wrote:
Hi,
On Tue, Dec 1, 2020, at 22:51, Richard Brown wrote:
On Tue, 2020-12-01 at 22:41 +0100, Syds Bearda wrote:
Hi all,
This fix only applies to new installs? As I still get loads of password requests on both KDE and Gnome..
Also kudos to the work on MicroOS, it's been my main distro now for 1,5 months and it keeps getting better!
BR, Syds
Yes, we have no mechanism for automagically changing such security related stuff in existing installs.
That's probably a good thing :)
Reinstall here i come :)
No reinstall required, you just need to adjust /etc/sysconfig/security. So adjust POLKIT_DEFAULT_PRIVS and call set_polkit_default_privs Thorsten
And yes, unfortunately, not being able to change security settings automatically is a good thing.
On Thu, Nov 26, 2020, at 16:50, Dario Faggioli wrote:
On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote:
On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote:
I may even try to understand how to override it for the Desktop variant, but not right now (no time). So, again, feel free to beat me to it. :-) Gladly ;) https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the way :) Yay! And that's another roadblock smashed. :-P
We're surely not done yet, but this one here was pretty annoying IMO. It was a bit of a pain, for me, in my daily basis usage, but it was even worse having to explain it to curious users that were testing MicroOS Desktop, even if with all the premises of project being ALPHA, etc.
Thanks so much for solving that mystery :)
Yes, thanks to Fabian for finding the root cause of the symptoms that I showed, and to you for the quick fix!
Regarss -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
Attachments: * signature.asc
openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Richard Brown Linux Distribution Engineer - Future Technology Team Phone +4991174053-361 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
On Wed, Dec 2, 2020, at 09:40, Thorsten Kukuk wrote:
Hi,
On Wed, Dec 02, Syds Bearda wrote:
Hi,
On Tue, Dec 1, 2020, at 22:51, Richard Brown wrote:
On Tue, 2020-12-01 at 22:41 +0100, Syds Bearda wrote:
Hi all,
This fix only applies to new installs? As I still get loads of password requests on both KDE and Gnome..
Also kudos to the work on MicroOS, it's been my main distro now for 1,5 months and it keeps getting better!
BR, Syds
Yes, we have no mechanism for automagically changing such security related stuff in existing installs.
That's probably a good thing :)
Reinstall here i come :)
No reinstall required, you just need to adjust /etc/sysconfig/security. So adjust POLKIT_DEFAULT_PRIVS and call set_polkit_default_privs
Thanks, I've changed the polkit_default_privs to standard, but get the error that call command is not found with "call set_polkit_default_privs"
Thorsten
And yes, unfortunately, not being able to change security settings automatically is a good thing.
On Thu, Nov 26, 2020, at 16:50, Dario Faggioli wrote:
On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote:
On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote: > > I may even try to understand how to override it for the Desktop > variant, but not right now (no time). > > So, again, feel free to beat me to it. :-) Gladly ;) https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the way :) Yay! And that's another roadblock smashed. :-P
We're surely not done yet, but this one here was pretty annoying IMO. It was a bit of a pain, for me, in my daily basis usage, but it was even worse having to explain it to curious users that were testing MicroOS Desktop, even if with all the premises of project being ALPHA, etc.
Thanks so much for solving that mystery :)
Yes, thanks to Fabian for finding the root cause of the symptoms that I showed, and to you for the quick fix!
Regarss -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
Attachments: * signature.asc
openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Richard Brown Linux Distribution Engineer - Future Technology Team Phone +4991174053-361 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg) _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
On Wed, Dec 02, Syds Bearda wrote:
On Wed, Dec 2, 2020, at 09:40, Thorsten Kukuk wrote:
Hi,
On Wed, Dec 02, Syds Bearda wrote:
Hi,
On Tue, Dec 1, 2020, at 22:51, Richard Brown wrote:
On Tue, 2020-12-01 at 22:41 +0100, Syds Bearda wrote:
Hi all,
This fix only applies to new installs? As I still get loads of password requests on both KDE and Gnome..
Also kudos to the work on MicroOS, it's been my main distro now for 1,5 months and it keeps getting better!
BR, Syds
Yes, we have no mechanism for automagically changing such security related stuff in existing installs.
That's probably a good thing :)
Reinstall here i come :)
No reinstall required, you just need to adjust /etc/sysconfig/security. So adjust POLKIT_DEFAULT_PRIVS and call set_polkit_default_privs
Thanks, I've changed the polkit_default_privs to standard, but get the error that call command is not found with "call set_polkit_default_privs"
You should run the command "/sbin/set_polkit_default_privs". Thorsten
Thorsten
And yes, unfortunately, not being able to change security settings automatically is a good thing.
On Thu, Nov 26, 2020, at 16:50, Dario Faggioli wrote:
On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote: > On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote: > > > > I may even try to understand how to override it for the Desktop > > variant, but not right now (no time). > > > > So, again, feel free to beat me to it. :-) > > Gladly ;) > > https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the > way > :) > Yay! And that's another roadblock smashed. :-P
We're surely not done yet, but this one here was pretty annoying IMO. It was a bit of a pain, for me, in my daily basis usage, but it was even worse having to explain it to curious users that were testing MicroOS Desktop, even if with all the premises of project being ALPHA, etc.
> Thanks so much for solving that mystery :) > Yes, thanks to Fabian for finding the root cause of the symptoms that I showed, and to you for the quick fix!
Regarss -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
Attachments: * signature.asc
openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Richard Brown Linux Distribution Engineer - Future Technology Team Phone +4991174053-361 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg) _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
Wow, this works perfectly, no more passwords for turning wifi on or off, or when i want to reboot. Thanks a million! so for future reference: $ sudo transactional-update shell # nano /etc/sysconfig/security adjust POLKIT_DEFAULT_PRIVS to standard # /sbin/set_polkit_default_privs # exit $ sudo reboot On Wed, Dec 2, 2020, at 10:24, Thorsten Kukuk wrote:
On Wed, Dec 02, Syds Bearda wrote:
On Wed, Dec 2, 2020, at 09:40, Thorsten Kukuk wrote:
Hi,
On Wed, Dec 02, Syds Bearda wrote:
Hi,
On Tue, Dec 1, 2020, at 22:51, Richard Brown wrote:
On Tue, 2020-12-01 at 22:41 +0100, Syds Bearda wrote:
Hi all,
This fix only applies to new installs? As I still get loads of password requests on both KDE and Gnome..
Also kudos to the work on MicroOS, it's been my main distro now for 1,5 months and it keeps getting better!
BR, Syds
Yes, we have no mechanism for automagically changing such security related stuff in existing installs.
That's probably a good thing :)
Reinstall here i come :)
No reinstall required, you just need to adjust /etc/sysconfig/security. So adjust POLKIT_DEFAULT_PRIVS and call set_polkit_default_privs
Thanks, I've changed the polkit_default_privs to standard, but get the error that call command is not found with "call set_polkit_default_privs"
You should run the command "/sbin/set_polkit_default_privs".
Thorsten
Thorsten
And yes, unfortunately, not being able to change security settings automatically is a good thing.
On Thu, Nov 26, 2020, at 16:50, Dario Faggioli wrote: > On Thu, 2020-11-26 at 13:26 +0100, Richard Brown wrote: > > On Thu, 2020-11-26 at 12:59 +0100, Dario Faggioli wrote: > > > > > > I may even try to understand how to override it for the Desktop > > > variant, but not right now (no time). > > > > > > So, again, feel free to beat me to it. :-) > > > > Gladly ;) > > > > https://github.com/yast/skelcd-control-MicroOS/pull/25 is on the > > way > > :) > > > Yay! And that's another roadblock smashed. :-P > > We're surely not done yet, but this one here was pretty annoying > IMO. > It was a bit of a pain, for me, in my daily basis usage, but it was > even worse having to explain it to curious users that were testing > MicroOS Desktop, even if with all the premises of project being > ALPHA, > etc. > > > Thanks so much for solving that mystery :) > > > Yes, thanks to Fabian for finding the root cause of the symptoms > that I > showed, and to you for the quick fix! > > Regarss > -- > Dario Faggioli, Ph.D > http://about.me/dario.faggioli > Virtualization Software Engineer > SUSE Labs, SUSE https://www.suse.com/ > ------------------------------------------------------------------- > <<This happens because _I_ choose it to happen!>> (Raistlin Majere) > > _______________________________________________ > openSUSE Kubic mailing list -- kubic@lists.opensuse.org > To unsubscribe, email kubic-leave@lists.opensuse.org > List Netiquette: > https://en.opensuse.org/openSUSE:Mailing_list_netiquette > List Archives: > https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org > > > Attachments: > * signature.asc _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Richard Brown Linux Distribution Engineer - Future Technology Team Phone +4991174053-361 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuernberg (HRB 36809, AG Nürnberg) Geschäftsführer: Felix Imendörffer _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg) _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
_______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg) _______________________________________________ openSUSE Kubic mailing list -- kubic@lists.opensuse.org To unsubscribe, email kubic-leave@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/kubic@lists.opensuse.org
participants (5)
-
Dario Faggioli -
Fabian Vogt -
Richard Brown -
Syds Bearda -
Thorsten Kukuk