Bug 1216178

Summary: Switch from xdg-su/libgnomesu to polkit
Product: [openSUSE] openSUSE Tumbleweed Reporter: Tobias Görgens <tobi.goergens>
Component: YaST2Assignee: E-mail List <yast2-maintainers>
Status: RESOLVED WONTFIX QA Contact: Jiri Srain <jsrain>
Severity: Enhancement    
Priority: P5 - None CC: rokejulianlockhart+1674683091, tobi.goergens
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Tobias Görgens 2023-10-12 12:01:07 UTC 
Hey there,

When opening yast2 via the desktop file, it calls yast2 using xdg-su, which on e.g. GNOME calls gnomesu.
gnomesu is developed and maintained just by openSUSE (git repo here: https://github.com/openSUSE/libgnomesu) and has seen its last release over a year ago. xdg-su Isn't maintained at all anymore, with its last commit over 10(!) years ago (git repo: https://github.com/tarakbumba/xdg-su).
There is, however, a newer authentication method widely adapted, polkit (former policykit). It allows to set custom actions/policies. Using it, yast can also be started as GUI, by using a policy like this one (could be saved as /usr/share/polkit-1/actions/org.opensuse.pkexec.yast2.policy):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>

  <action id="org.opensuse.pkexec.yast2">
    <message>Authentication is required to run YaST2</message>
    <icon_name>yast2</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/yast2</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

Now calling pkexec /usr/sbin/yast2 will show a nice authentication dialog and start yast2 with a GUI, when authenticated (found here: https://forums.opensuse.org/t/run-yast-without-entering-root-password-sudoers-help/107326/5).
The switch would only need the addition of this polit rule and the adaption of the start command of yast2 in the desktop files.

Should other components use xdg-su or libgnomesu, they should switch to polkit as well.
Comment 1 Stefan Hundhammer 2023-10-12 13:27:18 UTC 
What problem is this trying to solve? This sounds like busywork for no real purpose at all.
Comment 2 Tobias Görgens 2023-10-12 13:31:23 UTC 
(In reply to Stefan Hundhammer from comment #1)
> What problem is this trying to solve? This sounds like busywork for no real
> purpose at all.

This would allow modifying authentication requirements. Currently, su is used directly, where it's not possible to define extra authentication rules. Polkit allows that.
Have a look at the above-mentioned thread. The user tries to get rid of the authentication passwords for yast. Currently, this is not possible, with polkit it is. This would also allow users of specific groups to authorize without password or other use cases.
Comment 3 Stefan Hundhammer 2023-10-12 14:09:42 UTC 
The last thing on earth that we need is to debug people's botched configurations when they try that, and then YaST doesn't work anymore, or it does weird things. We are receiving enough weird bug reports already.
Comment 4 Stefan Hundhammer 2023-10-12 14:15:23 UTC 
If you seriously want that, there is the possibility to start an Open Source project for an alternative YaST control center.

The Qt YaST control center is just a very simplistic pure-Qt pure-C++ application that just acts as a very simplistic launcher for YaST modules. It's not very hard to write a new one that uses policy kit or whatever other authentication framework. It could still use the existing .desktop files and just call that other authentication framework instead of xdg-su.

But we are certainly not going to debug and fix any resulting bug reports and problems.
Comment 5 Stefan Hundhammer 2023-10-12 14:40:56 UTC 
BTW a much simpler alternative would be to use 'sudo' with its powerful configuration options (see 'man sudoers') for individual YaST modules.
Comment 6 Stefan Hundhammer 2023-10-25 14:24:07 UTC 
For a longer discussion of this, see

https://github.com/yast/yast-yast2/issues/1132#issuecomment-1779286193

https://github.com/yast/yast-yast2/issues/1132#issuecomment-1779340635

If you would like to discuss this in more detail, please continue there so we have it all at one central place.