Bug#1037295: live-config: starting Calamares installer requires a password (which is 'live')
Control: user pkg-utopia-maintainers@lists.alioth.debian.org
Control: usertags -1 + pkla-without-js
On Sat, 10 Jun 2023 at 15:10:35 +0100, Simon McVittie wrote:
> * Boot debian-live-12.0.0-amd64-gnome.iso (the version used for
> release-day testing)
> - KDE has a similar issue with slightly different steps to start the
> installer, probably all desktops' variants are affected
GNOME, KDE and LXQt are affected.
MATE, Cinnamon and LXDE don't seem to be, because those desktops still
pull in the legacy policykit-1 package.
> If this is not the intended behaviour, the solution would be:
>
> - drop a file similar to /usr/share/doc/polkitd/examples/50-local-allow.rules
> into /usr/share/polkit-1/rules.d (if it's owned by a .deb) or into
> /etc/polkit-1/rules.d (if it's created on an ad-hoc basis by scripts)
>
> - use that file to configure polkitd to allow whatever action Calamares
> is using, without authentication (polkit.Result.YES), for either the
> live user or all members of the sudo group
>
> - when installing with Calamares, make sure that file is not included in
> the installed system
I see why this has happened. I did a mass-bug-filing for packages that
*contain* files in /var/lib/polkit-1/localauthority, but my search didn't
find live-config, because it creates the file programmatically.
Desktop environments that still pull in the legacy policykit-1 package
in bookworm are unaffected, because live-config does create a file that
will be read by polkitd-pkla.
In https://sources.debian.org/src/live-config/11.0.3%2Bnmu1/components/1080-policykit/:
> if ! pkg_is_installed "policykit-1" || \
This should now be polkitd, not policykit-1. policykit-1 is now a
transitional package.
> cat > /etc/PolicyKit/PolicyKit.conf << EOF
I don't think this file has been used for years.
> <define_admin_auth group="adm"/>
If this file *is* still used, the group you'll want here is 'sudo'.
> [Live CD user permissions]
> Identity=unix-user:${LIVE_USERNAME}
> Action=*
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
This should be replaced by something very similar to
/usr/share/doc/polkitd/examples/50-local-allow.rules.
I tried this on the GNOME live image (not tested on KDE or LXQt but
should work equally well):

sudo tee /etc/polkit-1/rules.d/50-live.rules >/dev/null <<EOF
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("sudo")) {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
EOF

Or you could use subject.user === "live" if you'd prefer. This is
JavaScript, so the "===" is intentionally three equals signs, not a typo.
smcv
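
Added example (not part of the original mail and not live-config's code): a JavaScript rule that carries the semantics of the legacy .pkla entry quoted above (live user only, active local session only) into the polkit rules format. The polkit stub and the evaluate() helper are constructed stand-ins so the rule can run outside polkitd; LIVE_USERNAME = "live" and any action id passed to evaluate() are assumptions.

```javascript
// Added example, not live-config's code. In a real rules file under
// /etc/polkit-1/rules.d/ the `polkit` global is provided by polkitd; the
// stub below is a constructed stand-in so the rule can be exercised offline.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

const LIVE_USERNAME = "live"; // assumption: the default live user name

// Translation of the legacy "[Live CD user permissions]" .pkla entry:
//   Identity=unix-user:${LIVE_USERNAME}, Action=*
//   ResultActive=yes, ResultInactive=no, ResultAny=no
polkit.addRule(function (action, subject) {
  if (subject.user !== LIVE_USERNAME) {
    // Not the live user: let other rules and the action's defaults decide.
    return polkit.Result.NOT_HANDLED;
  }
  // ResultActive covered an active session on a local console; every other
  // case fell under ResultInactive or ResultAny, which were both "no".
  return subject.local && subject.active
    ? polkit.Result.YES
    : polkit.Result.NO;
});

// Constructed stand-in for rule evaluation: the first rule that returns
// something other than NOT_HANDLED decides the outcome.
function evaluate(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== polkit.Result.NOT_HANDLED) return result;
  }
  return polkit.Result.NOT_HANDLED;
}
```

Only the polkit.addRule(...) call and the LIVE_USERNAME value would go into a rules file; the stub and evaluate() exist purely to check the decision table.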