Bug 1216178 - Switch from xdg-su/libgnomesu to polkit
Status: RESOLVED WONTFIX
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: YaST2
Version: Current
Hardware: Other Other
Importance: P5 - None : Enhancement
Target Milestone: ---
Assignee: E-mail List
QA Contact: Jiri Srain
Reported: 2023-10-12 12:01 UTC by Tobias Görgens
Modified: 2023-10-25 14:24 UTC
Description Tobias Görgens 2023-10-12 12:01:07 UTC
Hey there,

When opening yast2 via the desktop file, it calls yast2 using xdg-su, which on e.g. GNOME calls gnomesu.
gnomesu is developed and maintained just by openSUSE (git repo here: https://github.com/openSUSE/libgnomesu) and saw its last release over a year ago. xdg-su isn't maintained at all anymore, with its last commit over 10(!) years ago (git repo: https://github.com/tarakbumba/xdg-su).
There is, however, a newer, widely adopted authentication method, polkit (formerly policykit). It allows setting custom actions/policies. Using it, yast can also be started as a GUI, by using a policy like this one (could be saved as /usr/share/polkit-1/actions/org.opensuse.pkexec.yast2.policy):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>

  <action id="org.opensuse.pkexec.yast2">
    <message>Authentication is required to run YaST2</message>
    <icon_name>yast2</icon_name>
    <defaults>
      <!-- auth_admin: the caller must authenticate as an administrative user -->
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <!-- yes: clients in an active local session are authorized without authenticating -->
      <allow_active>yes</allow_active>
    </defaults>
    <!-- the program that pkexec may run under this action -->
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/yast2</annotate>
    <!-- lets pkexec keep $DISPLAY and $XAUTHORITY so the GUI can start -->
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

Now calling pkexec /usr/sbin/yast2 will show a nice authentication dialog and start yast2 with a GUI, when authenticated (found here: https://forums.opensuse.org/t/run-yast-without-entering-root-password-sudoers-help/107326/5).
The switch would only need the addition of this polkit rule and the adaptation of the start command of yast2 in the desktop files.

Should other components use xdg-su or libgnomesu, they should switch to polkit as well.
Comment 1 Stefan Hundhammer 2023-10-12 13:27:18 UTC
What problem is this trying to solve? This sounds like busywork for no real purpose at all.
Comment 2 Tobias Görgens 2023-10-12 13:31:23 UTC
(In reply to Stefan Hundhammer from comment #1)
> What problem is this trying to solve? This sounds like busywork for no real
> purpose at all.

This would allow modifying authentication requirements. Currently, su is used directly, where it's not possible to define extra authentication rules. Polkit allows that.
Have a look at the above-mentioned thread. The user tries to get rid of the authentication passwords for yast. Currently, this is not possible; with polkit it is. This would also allow users of specific groups to authorize without a password or other use cases.
Comment 3 Stefan Hundhammer 2023-10-12 14:09:42 UTC
The last thing on earth that we need is to debug people's botched configurations when they try that, and then YaST doesn't work anymore, or it does weird things. We are receiving enough weird bug reports already.
Comment 4 Stefan Hundhammer 2023-10-12 14:15:23 UTC
If you seriously want that, there is the possibility to start an Open Source project for an alternative YaST control center.

The Qt YaST control center is just a very simplistic pure-Qt pure-C++ application that just acts as a very simplistic launcher for YaST modules. It's not very hard to write a new one that uses policy kit or whatever other authentication framework. It could still use the existing .desktop files and just call that other authentication framework instead of xdg-su.

But we are certainly not going to debug and fix any resulting bug reports and problems.
Comment 5 Stefan Hundhammer 2023-10-12 14:40:56 UTC
BTW a much simpler alternative would be to use 'sudo' with its powerful configuration options (see 'man sudoers') for individual YaST modules.
Comment 6 Stefan Hundhammer 2023-10-25 14:24:07 UTC
For a longer discussion of this, see

https://github.com/yast/yast-yast2/issues/1132#issuecomment-1779286193

https://github.com/yast/yast-yast2/issues/1132#issuecomment-1779340635

If you would like to discuss this in more detail, please continue there so we have it all in one central place.