
Re: hp-plugin installation woes on Debian Live



Hi everyone,

A while ago I did my own digging on this issue, and I've found that a
simple workaround to force hplip to use sudo can be done by setting:

[authentication]
su_sudo=sudo

inside ~/.hplip/hplip.conf

On 2019-02-14 8:33 a.m., Simon McVittie wrote:
> I'm not sure I see how this is related to backports.
> 
> On Thu, 14 Feb 2019 at 16:35:52 +0100, Ronny Standtke wrote:
>> On Debian Live we have the following setup:
>>
>> The user "user" has full sudo access without any password:
>> $ cat /etc/sudoers.d/live
>> user ALL=(ALL) NOPASSWD: ALL
>>
>> The user "root" has no password:
>> # cat /etc/shadow | grep root
>> root:*:17941:0:99999:7:::
> 
> If this is how Debian Live is set up, then it should probably also
> configure polkit (policykit-1) to allow "user" to be considered as
> root-equivalent (a sysadmin), and to allow root-equivalent users to
> do some things that would normally require authentication without
> authenticating.
> 
>> When I run the command hp-plugin as a normal user I get a graphical
>> dialog (translation to ASCII by me):
>>  ----------------------------------------------------------
>> |       HP Device Mangager - Enter Username/Password       |
>> ------------------------------------------------------------
>> | Your HP Device requires to install HP proprietary plugin |
>> | Please enter root/superuser password to continue.        |
>> |                     --------------------------           |
>> | Username:          |root                      |          |
>> |                     --------------------------           |
>> |                     --------------------------           |
>> | Password:          |                          |          |
>> |                     --------------------------           |
>> |                                         ---------------- |
>> |                                        |       OK       ||
>> |                                         ---------------- |
>> ------------------------------------------------------------
> 
> This is probably a polkit agent, which is part of whatever desktop
> environment you're using. (In GNOME it's part of gnome-shell.)
> 
>> The Username input field (already filled with the value "root") is not
>> editable.

Actually, the entirety of hplip's password code is custom built[1][2].
hplip does a very peculiar hardcoding of the default auth mechanism
based on distro[3], and it looks like it skips polkit and friends
entirely. (I really don't understand their decision to do things this
way, but I digress...)

[1]: https://sources.debian.org/src/hplip/3.19.1+dfsg0-1/ui5/setupdialog.py
[2]: https://sources.debian.org/src/hplip/3.19.1+dfsg0-1/base/password.py/#L172-L189
[3]: https://sources.debian.org/src/hplip/3.19.1+dfsg0-1/base/password.py/#L35-L60


> 
> That's because polkit thinks root is the only root-equivalent user
> (sysadmin). If Debian Live wants polkit to think "user" is also a
> sysadmin, it should either add "user" to the sudo group, or add a
> configuration snippet in /etc/polkit-1/localauthority.conf.d to make
> "user" be one of the AdminIdentities. I would recommend the former,
> because some polkit policies specifically refer to the sudo group.
> 
> Adding "user" to the sudo group works because the policykit-1
> contains:
> 
>     # /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
>     [Configuration]
>     AdminIdentities=unix-group:sudo
> 
> This means "every user in the sudo group is to be considered to be a
> sysadmin". (See /usr/share/doc/base-passwd/users-and-groups.txt.gz)
> 
> Normally, polkit policies require an admin user to authenticate.
> For example, /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
> says that by default, admin users can do an upgrade using PackageKit,
> but they have to authenticate first:
> 
>   # /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
>   <action id="org.freedesktop.packagekit.trigger-offline-upgrade">
>     <description>Trigger offline updates</description>
>     ...
>     <defaults>
>       <allow_any>auth_admin</allow_any>
>       <allow_inactive>auth_admin</allow_inactive>
>       <allow_active>auth_admin_keep</allow_active>
>     </defaults>
> 
> However, files can be installed into
> /var/lib/polkit-1/localauthority/10-vendor.d/ by packages, or into
> /etc/polkit-1/localauthority/*.d by local sysadmins, to override this;
> and in fact packagekit installs one itself, to let members of the
> sudo group upgrade without entering a password:
> 
>     # /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla
>     [Allow admins to upgrade the system]
>     Identity=unix-group:sudo
>     Action=org.freedesktop.packagekit.upgrade-system;org.freedesktop.packagekit.trigger-offline-update
>     ResultAny=no
>     ResultInactive=no
>     ResultActive=yes
> 
> If configuration fragments like this are considered to be appropriate for
> live systems, Debian Live could install some.
> 
> For example, if Debian Live wants members of the "sudo" group to be
> able to do *anything* that is mediated by polkit, without any prompting,
> it could install something like this (untested):
> 
>     # /etc/polkit-1/localauthority/30-site.d/debian-live.pkla
>     [Make sudo group completely root-equivalent, with no prompting]
>     Identity=unix-group:sudo
>     Action=*
>     ResultAny=yes
>     ResultInactive=yes
>     ResultActive=yes
> 
> Regards,
>     smcv
> 

Best,
James
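
An added example, not part of the original message or of polkit itself: a small Python auditor for `.pkla` content like the fragments quoted above. It flags rules whose result keys are `yes` (authorization with no prompt) and ranks them by how broad the action glob and session scope are. The sample input is constructed from the two fragments in the thread; `audit_pkla` and the severity labels are hypothetical names chosen for this example.

```python
import configparser

# Constructed sample: the two .pkla fragments quoted in the thread above.
SAMPLE_PKLA = """\
[Allow admins to upgrade the system]
Identity=unix-group:sudo
Action=org.freedesktop.packagekit.upgrade-system;org.freedesktop.packagekit.trigger-offline-update
ResultAny=no
ResultInactive=no
ResultActive=yes

[Make sudo group completely root-equivalent, with no prompting]
Identity=unix-group:sudo
Action=*
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")


def audit_pkla(text):
    """Flag rules that authorize an action with no authentication prompt.

    audit_pkla and the severity labels are hypothetical names for this example.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # .pkla keys are case-sensitive; keep them as written
    parser.read_string(text)
    findings = []
    for title in parser.sections():
        rule = parser[title]
        granted = [k for k in RESULT_KEYS if rule.get(k, "").strip() == "yes"]
        if not granted:
            continue  # this rule never grants without authentication
        actions = [a for a in rule.get("Action", "").split(";") if a.strip()]
        wildcard = any("*" in a or "?" in a for a in actions)
        # ResultAny / ResultInactive also cover sessions that are not the active local one
        beyond_active = any(k != "ResultActive" for k in granted)
        severity = ("high" if wildcard and beyond_active
                    else "medium" if wildcard or beyond_active else "low")
        findings.append({"rule": title, "identity": rule.get("Identity", ""),
                         "actions": actions, "granted": granted,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_pkla(SAMPLE_PKLA):
        print(f"{f['severity']:6} {f['identity']:16} {f['rule']}")
```

On an installed system the same function can be fed the contents of each file under `/etc/polkit-1/localauthority/*.d` and `/var/lib/polkit-1/localauthority/10-vendor.d/`, the directories named in the quoted message.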
