You are not logged in.

#1 2017-03-16 15:18:55

Alko89
Member
Registered: 2012-09-16
Posts: 16

packagekit does not need sudo to install packages!?

I have plasma-meta package installed and in the recent update I noticed an optional dependency for Discover named packagekit.
I don't really use the GUI store since I am completely comfortable using pacman from the terminal. But I played around with it immediately noticed it does not need any root privileges to install, update or remove packages and am wondering if this is the way its intended to work or is this a security issue?

Offline

#2 2017-03-16 16:02:53

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: packagekit does not need sudo to install packages!?

This is intended behaviour by the packagekit devs, it uses polkit for elevated privileges.

Read the polkit wiki page for more info.


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#3 2017-03-16 16:10:00

Docbroke
Member
From: India
Registered: 2015-06-13
Posts: 1,433

Re: packagekit does not need sudo to install packages!?

Packagekit runs as a system activated daemon, so it can perform tasks that needs elevated previlages.
https://www.freedesktop.org/software/Pa … intro.html

Offline

#4 2017-03-17 08:54:39

Alko89
Member
Registered: 2012-09-16
Posts: 16

Re: packagekit does not need sudo to install packages!?

Ok, thanks for the explanation. But I still don't exactly get it. Packagekit executes pacman in the background so does it run it as a separate user? Where are those privilages elevated?

Also on reading about packagekit it is stated you can set it up to ask for password. Kubuntu still asks for password and uses packagekit (if I'm not mistaken). How can I set this up?

Last edited by Alko89 (2017-03-17 08:54:51)

Offline

#5 2017-03-17 10:49:34

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: packagekit does not need sudo to install packages!?

You started the packagekit service, right?  You had to do so as root or with sudo.  This started a system-wide service which, just like all other such services, run as root.  Polkit allows your user processes to communicate wth that root process.  So the user process doesn't install packages, but more or less sends a request to the root process asking it to install packages.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#6 2017-03-17 11:24:42

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: packagekit does not need sudo to install packages!?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#7 2017-03-17 11:47:06

Alko89
Member
Registered: 2012-09-16
Posts: 16

Re: packagekit does not need sudo to install packages!?

Trilby wrote:

You started the packagekit service, right?

No I didn't. Discover worked out of the box for me. But now that I checed, packagekit and polkit services are running. And I have these services enabled:

systemctl list-unit-files | grep enabled
org.cups.cupsd.path                                              enabled        
autovt@.service                                                  enabled        
dbus-org.freedesktop.NetworkManager.service                      enabled        
dbus-org.freedesktop.nm-dispatcher.service                       enabled        
dbus-org.freedesktop.resolve1.service                            enabled        
display-manager.service                                          enabled        
getty@.service                                                   enabled        
lm_sensors.service                                               enabled        
NetworkManager-dispatcher.service                                enabled        
NetworkManager.service                                           enabled        
ntpd.service                                                     enabled        
org.cups.cupsd.service                                           enabled        
sddm.service                                                     enabled        
systemd-fsck-root.service                                        enabled-runtime
systemd-resolved.service                                         enabled        
org.cups.cupsd.socket                                            enabled        
remote-fs.target                                                 enabled

Offline

#8 2017-03-17 11:55:40

Alko89
Member
Registered: 2012-09-16
Posts: 16

Re: packagekit does not need sudo to install packages!?

Ok, my user is in the wheel group. So I guess this is expected. I didn't know about polkit and what it does till now. I learned something! smile

Offline

#9 2017-03-17 11:56:05

Docbroke
Member
From: India
Registered: 2015-06-13
Posts: 1,433

Re: packagekit does not need sudo to install packages!?

This appears to be a security issue. I am having simple-scan installed, which depends on packagekit (why?). So I just tested with it's commandline client pkcon, and it can install packages without asking for password.

REMOVED: simple-scan along with packagekit from my system

EDIT: packagekitd daemon starts whenever it is called by pkcon or other gui clients, even when the service is not started by the user.

Last edited by Docbroke (2017-03-17 12:05:52)

Offline

#10 2017-03-17 12:13:43

phw
Member
Registered: 2013-05-27
Posts: 318

Re: packagekit does not need sudo to install packages!?

Docbroke wrote:

REMOVED: simple-scan along with packagekit from my system

You could also place something like this in /etc/polkit-1/rules.d/org.freedesktop.packagekit.rules:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install") {
            return polkit.Result.NO;
    }
});

Last edited by phw (2017-03-17 12:14:48)

Offline

#11 2017-03-17 14:17:52

Docbroke
Member
From: India
Registered: 2015-06-13
Posts: 1,433

Re: packagekit does not need sudo to install packages!?

Infact, I don't have much use of simple-scan (as I can use sane with imagescan comfortably), so I did choose to remove both. Additionally I didn't understand why simple-scan needed packagekit.

Offline

#12 2017-03-17 14:35:23

phw
Member
Registered: 2013-05-27
Posts: 318

Re: packagekit does not need sudo to install packages!?

Docbroke wrote:

Additionally I didn't understand why simple-scan needed packagekit.

This puzzled me too, so I went digging. See my comment on https://bugs.archlinux.org/task/46736#comment156215

TLDR: It is useless for Arch and the dependency should be removed

Last edited by phw (2017-03-17 14:36:32)

Offline

#13 2017-03-18 12:48:00

Alko89
Member
Registered: 2012-09-16
Posts: 16

Re: packagekit does not need sudo to install packages!?

I ended up writing this in /etc/polkit-1/rules.d/org.freedesktop.packagekit.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
        action.id == "org.freedesktop.packagekit.system-update") &&
        subject.active == true &&
        subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.AUTH_ADMIN;
    }
});

But will probably remove packagekit, since I don't like it anyway.

Offline

Board footer

Powered by FluxBB