Sorry for the delayed response, I was quite busy the last days…
Wayland is meant to be a “successor” to X11 and address some of its shortcomings (especially regarding security).
But note that Wayland support in Plasma5 is still unfinished and very much work in progress.
And the Wayland in Leap 42.1 is quite old, Plasma5 will not even start with that version, so it is built without Wayland support anyway.
Even GNOME is not using Wayland in Leap 42.1 AFAIK, though they switched to using Wayland by default in Tumbleweed a while ago already.
(Plasma5 can also run in Wayland in Tumbleweed, but there are still problems and things are missing)
IMHO, it will still be quite a while until Wayland will really replace Xorg in general, and I doubt that Xorg will disappear at all.
I think the best way to try it out currently is using an openSUSE Krypton LiveCD…
I know it is not much on topic but I wonder: what is the reason to have separate security management systems such as sudoers and polkit?
That’s historical.
sudo exists since decades (according to sudo - Wikipedia since about 1980).
polkit was created to address its shortcomings, in particular related to standard desktop usage (e.g. sudo is a command line tool, it cannot be easily integrated into the desktop, and can also only be used to run complete programs as root, and so on).
Anyway, here’s how you could configure pkexec to allow running a certain command as root:
https://forums.opensuse.org/showthread.php/505762-run-yast-without-entering-root-password-sudoers-help?p=2701795#post2701795
In short, create a file /usr/share/polkit-1/actions/org.opensuse.pkexec.yast2.policy with a content like this:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>
<action id="org.opensuse.pkexec.yast2">
<message>Authentication is required to run YaST2</message>
<icon_name>yast2</icon_name>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/yast2</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
</action>
</policyconfig>
To do the same with other commands, replace yast2 (and /usr/sbin/yast2) accordingly, the line true is only needed for GUI applications, and can be omitted for command line tools.
(and I suppose you don’t have to specify an icon either… )
You should then be able to run YaST as root without a password via:
pkexec yast2
Regarding priviledges, the important part are the three lines with <allow_active>, <allow_inactive>, and <allow_any>.
They specify what user(s) may run it as root with which password (the user’s, root’s, or none).
“yes” means no password is needed, auth_admin means the user needs to enter the root password (there’s also auth_admin_kepp which will remember the password for some time so you don’t have to enter it every time), and there’s also auth_self/auth_self_keep which will request the user’s password, and “no” which disallows the action completely.
By default, polkit knows about three different user types:
- “active” ones that are locally logged in and in an active session, e.g. a normal desktop user
- “inactive” ones that are locally logged in but in an inactive session, e.g. a different user currently logged in but not you that’s actively using the desktop
- “any”, everybody, also remote users
If your satisfied with this, you don’t need the javascript sniplets in /etc/polkit-1/rules.d/ I mentioned.
With such javascript scriptlets you are more flexible though, you can e.g. verify the exact user name or group.
More informations are available in “man polkit” and e.g. here: polkit - ArchWiki (and of course the official documentation at polkit Reference Manual: polkit Reference Manual, but that’s probably overkill…).
See also Polkit - Wikipedia for a more general description of polkit.
As I mentioned already, openSUSE has some simplification to override the default polkit rules via /etc/polkit-default-privs.{local|standard|restrictive}, those get “translated” into javascript code by running “polkit_set_default_privs”.