
Thread: run yast without entering root password, sudoers help

  1. #1

    run yast without entering root password, sudoers help

    13.2 64

    Trying to figure out the best way to configure sudoers so I can run yast gui without entering a password. (no need to lecture me on the security implications)

    The console version of yast was easy. But getting the gui to run is tricky-er. Looks like the menu shortcuts are using xdg-su. Would adding xdg-su in sudoers work? sudo /usr/sbin/yast --qt always runs the console version even with the --qt switch, but when you run it using xdg-su or kdesu it goes to the gui version.

  2. #2

    Re: run yast without entering root password, sudoers help

    Originally posted by JAMcInnes:
    > The console version of yast was easy. But getting the gui to run is tricky-er. Looks like the menu shortcuts are using xdg-su. Would adding xdg-su in sudoers work?

    No.
    xdg-su is not run as root via sudo, it is xdg-su that runs yast (or whatever command you specify) as root by using other tools depending on your desktop.

    For KDE it uses kdesu, which in turn uses "su" to run the command as root. So no chance via sudoers.
    But it is possible to configure kdesu to use "sudo" instead of "su".
    See here: http://www.freetechie.com/blog/defau...do-and-not-su/
    Then the settings in sudoers apply to kdesu as well.

    To change the default systemwide, just copy the ~/.kde4/share/config/kdesurc to /etc/kde4/share/config/.

    For other desktops xdg-su uses gnomesu, or even "su -" directly. So this would not work in that case.

    PS: you _can_ run the GUI version of YaST via sudo as well, but by default sudo doesn't pass the necessary environment variables ($DISPLAY e.g.). You can change that via settings in sudoers as well, see env_reset and/or env_keep in particular. Or pass $DISPLAY explicitly by running e.g. "sudo DISPLAY=:0 yast2". And you'd also have to allow root to connect to your Xsession via xhost.
    Last edited by wolfi323; 04-Mar-2015 at 01:56.

  3. #3

    Re: run yast without entering root password, sudoers help

    interesting, thanks for the info!

  4. #4

    Re: run yast without entering root password, sudoers help

    Hi There,

    This is really helpful. You wouldn't know how to do the same thing for gnome environments, would you?

    Thanks

  5. #5

    Re: run yast without entering root password, sudoers help

    Originally posted by aqueries:
    > This is really helpful. You wouldn't know how to do the same thing for gnome environments, would you?

    Well, you could use kdesu in GNOME as well...

    But as I already wrote:
    > For other desktops xdg-su uses gnomesu, or even "su -" directly. So this would not work in that case.

    You could use "sudo" directly, as I wrote as well:
    > PS: you _can_ run the GUI version of YaST via sudo as well, but by default sudo doesn't pass the necessary environment variables ($DISPLAY e.g.). You can change that via settings in sudoers as well, see env_reset and/or env_keep in particular. Or pass $DISPLAY explicitly by running e.g. "sudo DISPLAY=:0 yast2". And you'd also have to allow root to connect to your Xsession via xhost.

    It should be possible to use "pkexec" to run YaST as root and change the polkit rules accordingly to not require a password, but for some reason I cannot get this to open a YaST GUI (it runs in text mode instead).
    The problem is this (from "man pkexec"):
    > The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through
    > LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID
    > environment variable is set to the user id of the process invoking
    > pkexec. As a result, pkexec will not by default allow you to run X11
    > applications as another user since the $DISPLAY and $XAUTHORITY
    > environment variables are not set. These two variables will be retained
    > if the org.freedesktop.policykit.exec.allow_gui annotation on an action
    > is set to a nonempty value; this is discouraged, though, and should only
    > be used for legacy programs.

    I have no idea how you would set the "freedesktop.policykit.exec.allow_gui annotation on an action" though.
    Apparently you would need to create a file in /usr/share/polkit-1/actions/ similar to this one:
    https://wiki.archlinux.org/index.php/Polkit#Actions

    I just tried it and it works.
    So, create a file /usr/share/polkit-1/actions/org.opensuse.pkexec.yast2.policy with the following content:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policyconfig PUBLIC
     "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
     "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
    <policyconfig>
    
      <action id="org.opensuse.pkexec.yast2">
        <message>Authentication is required to run YaST2</message>
        <icon_name>yast2</icon_name>
        <defaults>
          <allow_any>auth_admin</allow_any>
          <allow_inactive>auth_admin</allow_inactive>
          <allow_active>yes</allow_active>
        </defaults>
        <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/yast2</annotate>
        <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
      </action>
    
    </policyconfig>
    And you should be able to run YaST without password via:
    Code:
    pkexec yast2
    and also "pkexec yast2 sw_single" or similar will work.
    And _this_ should work with _all_ desktop environments.
    Last edited by wolfi323; 27-Mar-2015 at 05:13.
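
A check an administrator can run to list pkexec actions like the one in the post above, whose defaults grant access without authentication. This is an added example, not part of the original post; the function name `audit_policy` and the `org.example.pkexec.tool` action are assumptions made for illustration, while the first sample action is the one from the post.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

EXEC_PATH = "org.freedesktop.policykit.exec.path"
ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"

# The action from the post above, plus a constructed second action
# (org.example.*, hypothetical) that still requires admin authentication.
SAMPLE = b"""<policyconfig>
  <action id="org.opensuse.pkexec.yast2">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/yast2</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="org.example.pkexec.tool">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-tool</annotate>
  </action>
</policyconfig>"""

def audit_policy(xml_bytes):
    """Return pkexec actions whose defaults grant access with no authentication."""
    findings = []
    for action in ET.fromstring(xml_bytes).iter("action"):
        notes = {a.get("key"): (a.text or "").strip() for a in action.findall("annotate")}
        if EXEC_PATH not in notes:
            continue  # not a pkexec-launched program
        defaults = action.find("defaults")
        grants = {} if defaults is None else {d.tag: (d.text or "").strip() for d in defaults}
        no_auth = sorted(k for k, v in grants.items() if v == "yes")
        if no_auth:
            findings.append({"id": action.get("id"), "path": notes[EXEC_PATH],
                             "no_auth": no_auth, "allow_gui": bool(notes.get(ALLOW_GUI))})
    return findings

if __name__ == "__main__":
    # Audit the bundled sample, then any policy files installed on this host.
    sources = [("sample", SAMPLE)]
    sources += [(str(p), p.read_bytes()) for p in sorted(Path("/usr/share/polkit-1/actions").glob("*.policy"))]
    for name, data in sources:
        for f in audit_policy(data):
            print(name, f)
```

Only the `<defaults>` in policy files are examined; rules under /etc/polkit-1/rules.d can override them and need a separate review.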

  6. #6

    Re: run yast without entering root password, sudoers help

    Isn't yast2 the GUI version? yast is the command line version.

  7. #7

    Re: run yast without entering root password, sudoers help

    Originally posted by gogalthorp:
    > Isn't yast2 the GUI version? yast is the command line version.

    Yes, of course.

    It's no problem to run the console version with sudo anyway. But it's not as easy to get the GUI up.
    And this thread is about the latter.

  8. #8

    Re: run yast without entering root password, sudoers help

    Yes but I did not mention of yast2 only yast and if you use yast at that command line you get the command line version no matter what else is set. You have to use yast2 for the GUI version to get the GUI version. I don't have a clue how to get it to start without root password and really don't understand why someone would want to considering the huge hole that it would open in security. But each to his own. Just want to be clear the yast2 is the GUI version which the OP did not seem to get.

  9. #9

    Re: run yast without entering root password, sudoers help

    Originally posted by gogalthorp:
    > Yes but I did not mention of yast2 only yast and if you use yast at that command line you get the command line version no matter what else is set. You have to use yast2 for the GUI version to get the GUI version. I don't have a clue how to get it to start without root password and really don't understand why someone would want to considering the huge hole that it would open in security. But each to his own. Just want to be clear the yast2 is the GUI version which the OP did not seem to get.

    Hi!
    Actually you can run "yast --qt" and get the GUI. Vice-versa, run "yast2" from a tty and you get the console version.

    file /usr/sbin/yast
    /usr/sbin/yast: symbolic link to `yast2'

    file /usr/sbin/yast2
    /usr/sbin/yast2: Bourne-Again shell script, ASCII text executable

    As far as the 'huge' security hole, if these were multiuser machines in a public lab I might agree with that.. well I guess that is a topic for another thread.

  10. #10

    Re: run yast without entering root password, sudoers help

    Originally posted by gogalthorp:
    > Yes but I did not mention of yast2 only yast and if you use yast at that command line you get the command line version no matter what else is set.

    ???
    You only jumped in with a question:

    Originally posted by gogalthorp:
    > Isn't yast2 the GUI version? yast is the command line version.

    And my answer to that was and is that this thread is about the GUI version.

    > You have to use yast2 for the GUI version to get the GUI version. I don't have a clue how to get it to start without root password and really don't understand why someone would want to considering the huge hole that it would open in security. But each to his own. Just want to be clear the yast2 is the GUI version which the OP did not seem to get.

    The OP wanted to start the GUI version, without having to enter the root password, over three weeks ago.

    No need for you to confuse things _now_.

    Originally posted by JAMcInnes:
    > Actually you can run "yast --qt" and get the GUI. Vice-versa, run "yast2" from a tty and you get the console version.
    >
    > file /usr/sbin/yast
    > /usr/sbin/yast: symbolic link to `yast2'
    >
    > file /usr/sbin/yast2
    > /usr/sbin/yast2: Bourne-Again shell script, ASCII text executable

    Correct.

    And actually yast is just a shell script that tries to detect how it is called, under which DE it is run and what is set in /etc/sysconfig/yast2, to then call the "real" yast with the corresponding parameters.

    > As far as the 'huge' security hole, if these were multiuser machines in a public lab I might agree with that.. well I guess that is a topic for another thread.

    I fully agree.
    We don't have to discuss all security aspects in every thread where someone mentions the word "root" IMHO.
