You are not logged in.
I have plasma-meta package installed and in the recent update I noticed an optional dependency for Discover named packagekit.
I don't really use the GUI store since I am completely comfortable using pacman from the terminal. But I played around with it immediately noticed it does not need any root privileges to install, update or remove packages and am wondering if this is the way its intended to work or is this a security issue?
Offline
This is intended behaviour by the packagekit devs, it uses polkit for elevated privileges.
Read the polkit wiki page for more info.
Offline
Packagekit runs as a system activated daemon, so it can perform tasks that needs elevated previlages.
https://www.freedesktop.org/software/Pa … intro.html
Arch is home!
https://github.com/Docbroke
Offline
Ok, thanks for the explanation. But I still don't exactly get it. Packagekit executes pacman in the background so does it run it as a separate user? Where are those privilages elevated?
Also on reading about packagekit it is stated you can set it up to ask for password. Kubuntu still asks for password and uses packagekit (if I'm not mistaken). How can I set this up?
Last edited by Alko89 (2017-03-17 08:54:51)
Offline
You started the packagekit service, right? You had to do so as root or with sudo. This started a system-wide service which, just like all other such services, run as root. Polkit allows your user processes to communicate wth that root process. So the user process doesn't install packages, but more or less sends a request to the root process asking it to install packages.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
Offline
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Online
You started the packagekit service, right?
No I didn't. Discover worked out of the box for me. But now that I checed, packagekit and polkit services are running. And I have these services enabled:
systemctl list-unit-files | grep enabled
org.cups.cupsd.path enabled
autovt@.service enabled
dbus-org.freedesktop.NetworkManager.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
dbus-org.freedesktop.resolve1.service enabled
display-manager.service enabled
getty@.service enabled
lm_sensors.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager.service enabled
ntpd.service enabled
org.cups.cupsd.service enabled
sddm.service enabled
systemd-fsck-root.service enabled-runtime
systemd-resolved.service enabled
org.cups.cupsd.socket enabled
remote-fs.target enabled
Offline
Ok, my user is in the wheel group. So I guess this is expected. I didn't know about polkit and what it does till now. I learned something!
Offline
This appears to be a security issue. I am having simple-scan installed, which depends on packagekit (why?). So I just tested with it's commandline client pkcon, and it can install packages without asking for password.
REMOVED: simple-scan along with packagekit from my system
EDIT: packagekitd daemon starts whenever it is called by pkcon or other gui clients, even when the service is not started by the user.
Last edited by Docbroke (2017-03-17 12:05:52)
Arch is home!
https://github.com/Docbroke
Offline
REMOVED: simple-scan along with packagekit from my system
You could also place something like this in /etc/polkit-1/rules.d/org.freedesktop.packagekit.rules:
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.packagekit.package-install") {
return polkit.Result.NO;
}
});
Last edited by phw (2017-03-17 12:14:48)
Offline
Infact, I don't have much use of simple-scan (as I can use sane with imagescan comfortably), so I did choose to remove both. Additionally I didn't understand why simple-scan needed packagekit.
Arch is home!
https://github.com/Docbroke
Offline
Additionally I didn't understand why simple-scan needed packagekit.
This puzzled me too, so I went digging. See my comment on https://bugs.archlinux.org/task/46736#comment156215
TLDR: It is useless for Arch and the dependency should be removed
Last edited by phw (2017-03-17 14:36:32)
Offline
I ended up writing this in /etc/polkit-1/rules.d/org.freedesktop.packagekit.rules:
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.packagekit.package-install" ||
action.id == "org.freedesktop.packagekit.system-update") &&
subject.active == true &&
subject.local == true &&
subject.isInGroup("wheel")) {
return polkit.Result.AUTH_ADMIN;
}
});
But will probably remove packagekit, since I don't like it anyway.
Offline