Re: Running GParted and Synaptic without entering password

[Richard Owlett <rowlett@cloud85.net>]

On 05/16/2018 12:36 AM, John Crawley wrote:
> On 2018-05-15 22:24, Richard Owlett wrote:
> > On 05/15/2018 12:48 AM, John Crawley (johnraff) wrote:
> > > Policykit brings its own complications, but I think it should be 
> > > possible to create a .pkla file in /var/lib/polkit-1/localauthority 
> > > to allow a certain user, or group member, to perform an action 
> > > defined in /usr/share/polkit-1/actions/* without a password. You 
> > > could even add a new action if necessary.
> >
> > Through a chain of references I discovered
> >    /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy
> >
> > The initial lines read:
> > > <?xml version="1.0" encoding="UTF-8"?>
> > > <!DOCTYPE policyconfig PUBLIC
> > >  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
> > >  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd";>
> > > <policyconfig>
> >
> > However
> >    [http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd]
> > gives a 404 File not found message.
>
> Indeed. Even so, that seems to be what is required in the xml.
>
> > Where would I find its syntax?
>
> I had a similar problem a while ago and found internet searches to be 
> somewhat helpful.

My searches were not as good. Thank you.

> This is not Debian, but on-topic:
> https://wiki.archlinux.org/index.php/Polkit
> And:
> https://www.freedesktop.org/software/polkit/docs/0.105/pklocalauthority.8.html 
>
> http://davidz25.blogspot.jp/2012/06/authorization-rules-in-polkit.html
> https://github.com/systemd/systemd/issues/5523

I don't know if they answer ALL my questions.
BUT they each specifically address one or more of my questions.
They also suggest some likely fruitful search terms.

> It seems polkit want to shift from .pkla files to (javascript-like) 
> .rules files, but at the moment both might work on Debian, so use 
> whichever you feel less uncomfortable with.
>
> I used a .pkla file in /var/lib/polkit-1/localauthority/10-vendor.d/. If 
> you search for *.pkla files on your system, there might be some there, 
> or in /etc/polkit-1/localauthority/* to use as a template.
>
> > By a convoluted path I found:
> > [https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html]
> >
> > Its last example strongly suggests I can do just what I want without 
> > messing up other users &/or apps.
>
> That's what I think too. Just as an untested guess, since the action is 
> already defined, something like this in 
> /etc/polkit-1/localauthority/50-local.d/gparted.pkla?
>
> [Allow specific user to use gparted]
> Identity=unix-user:yourusername
> Action=com.ubuntu.pkexec.gparted
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
>
> BTW To see the currently defined actions on your system, try this:
> cat /usr/share/polkit-1/actions/* | grep -E 
> '(<action|<description>|<message>|<allow|</action>)'|sed 
> 's/<\/action>/\n/g;s/<\/[^>]*>//g'
> But you can add one of your own too.