install updates as unprivileged user

mgoppold · February 15, 2010, 7:59pm

Hi,

I’m getting frustrated. I want to grant an unprivileged user to install updates via gpk-update-viewer for more than 2 days :(.

That’s what I have tried to do:

run polkit-gnome-authorization
but there ist no org.freedesktop.packagekit.system-update to edit
edit** /etc/PolicyKit/PolicyKit.conf**
with

<config version="0.1">
   <match action="org.freedesktop.packagekit.system-update">
      <match user="user1">
         <return result="yes"/>
      </match>
   </match>
</config>

run as root polkit-auth


polkit-auth --user user1 --grant org.freedesktop.packagekit.system-update
polkit-auth --user user1 --explicit-detailorg.freedesktop.packagekit.system-update
  Authorized:  No
  Scope:       Indefinitely
  Obtained:    Mon Feb 15 18:41:29 2010 from root (uid 0)

edit /etc/polkit-default-privs.local
with

org.freedesktop.packagekit.package-install                      auth_self_keep_session
org.freedesktop.packagekit.package-remove                       auth_self_keep_session
org.freedesktop.packagekit.system-update                        auth_self_keep_session

edit /etc/polkit-1/localauthority.conf.d/50-localauthority.conf
with

[Updates]
Identity=unix-user:user1
Action=org.freedesktop.packagekit.system-update
ResultAny=auth_self_keep
ResultInactive=auth_self_keep
ResultActive=auth_self_keep

Without success! What’s wrong? Am I too stupid to read config-files and/or man-pages?

Thanks in regard

Mario

knurpht · February 15, 2010, 8:12pm

Just a wild guess:

is it in ‘auth_self_keep_session’ ? Could it be that that requires authentication per session? Instead of auth_self_keep ?

mgoppold · February 15, 2010, 8:26pm

Yes ‘auth_self_keep_session’ is rigth in /etc/polkit-default-privs.local but ‘man pklocalauthority’ says ResultActive={yes,no,auth_self,auth_self_keep, auth_admin,auth_admin_keep} in /etc/polkit-1/localauthority.conf.d/50-localauthority.conf

mgoppold · February 18, 2010, 7:36pm

Hi all,

the solution is to edit /etc/polkit-default-privs.local like above and run /sbin/set_polkit_default_privs once .

The result can be found at /var/lib/polkit-1/localauthority/10-vendor.d.
There are files named like their corresponding pokit action with pkla suffix.
The content of the file is like my last try in the post (with little differences).

/var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.system-update.pkla:

[org.freedesktop.packagekit.system-update]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-update
ResultAny=auth_self_keep
ResultInactive=auth_self_keep
ResultActive=auth_self_keep

There is one question left:
Why doesn’t polkit-gnome-authorization provide org.freedesktop.packagekit.* and other useful actions?

Mario