run yast without entering root password, sudoers help

13.2 64

Trying to figure out the best way to configure sudoers so I can run yast gui without entering a password. (no need to lecture me on the security implications)

The console version of yast was easy. But getting the gui to run is trickier. Looks like the menu shortcuts are using xdg-su. Would adding xdg-su in sudoers work? sudo /usr/sbin/yast --qt always runs the console version even with the --qt switch, but when you run it using xdg-su or kdesu it goes to the gui version.

No.
xdg-su is not run as root via sudo, it is xdg-su that runs yast (or whatever command you specify) as root by using other tools depending on your desktop.

For KDE it uses kdesu, which in turn uses “su” to run the command as root. So no chance via sudoers.
But it is possible to configure kdesu to use “sudo” instead of “su”.
See here: Default kdesu to use sudo and not su | Free Techie Blog
Then the settings in sudoers apply to kdesu as well.

To change the default systemwide, just copy the ~/.kde4/share/config/kdesurc to /etc/kde4/share/config/.

For other desktops xdg-su uses gnomesu, or even “su -” directly. So this would not work in that case.

PS: you can run the GUI version of YaST via sudo as well, but by default sudo doesn’t pass the necessary environment variables ($DISPLAY e.g.). You can change that via settings in sudoers as well, see env_reset and/or env_keep in particular. Or pass $DISPLAY explicitly by running e.g. “sudo DISPLAY=:0 yast2”. And you’d also have to allow root to connect to your Xsession via xhost.

interesting, thanks for the info!

Hi There,

This is really helpful. You wouldn’t know how to do the same thing for GNOME environments, would you?

Thanks

Well, you could use kdesu in GNOME as well… :wink:

But as I already wrote:

For other desktops xdg-su uses gnomesu, or even “su -” directly. So this would not work in that case.

You could use “sudo” directly, as I wrote as well:

PS: you can run the GUI version of YaST via sudo as well, but by default sudo doesn’t pass the necessary environment variables ($DISPLAY e.g.). You can change that via settings in sudoers as well, see env_reset and/or env_keep in particular. Or pass $DISPLAY explicitly by running e.g. “sudo DISPLAY=:0 yast2”. And you’d also have to allow root to connect to your Xsession via xhost.

It should be possible to use “pkexec” to run YaST as root and change the polkit rules accordingly to not require a password, but for some reason I cannot get this to open a YaST GUI (it runs in text mode instead).
The problem is this (from “man pkexec”):

   The environment that PROGRAM will run it, will be set to a minimal known
   and safe environment in order to avoid injecting code through
   LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID
   environment variable is set to the user id of the process invoking
   pkexec. As a result, pkexec will not by default allow you to run X11
   applications as another user since the $DISPLAY and $XAUTHORITY
   environment variables are not set. These two variables will be retained
   if the org.freedesktop.policykit.exec.allow_gui annotation on an action
   is set to a nonempty value; this is discouraged, though, and should only
   be used for legacy programs.

I have no idea how you would set the “freedesktop.policykit.exec.allow_gui annotation on an action” though.
Apparently you would need to create a file in /usr/share/polkit-1/actions/ similar to this one:
https://wiki.archlinux.org/index.php/Polkit#Actions

I just tried it and it works.
So, create a file /usr/share/polkit-1/actions/org.opensuse.pkexec.yast2.policy with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>

  <action id="org.opensuse.pkexec.yast2">
    <message>Authentication is required to run YaST2</message>
    <icon_name>yast2</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/yast2</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

And you should be able to run YaST without password via:

pkexec yast2

and also “pkexec yast2 sw_single” or similar will work.
And this should work with all desktop environments.
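
An added example, not part of the original posts: a Python check that parses a polkit action file like the one above and reports, for each pkexec action, which session classes get it without authentication and whether the allow_gui annotation is set. The second action (org.example.pkexec.editor), its path and the function name audit_policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's policy plus a hypothetical org.example action.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>
  <action id="org.opensuse.pkexec.yast2">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/yast2</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="org.example.pkexec.editor">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-editor</annotate>
  </action>
</policyconfig>"""

PREFIX = "org.freedesktop.policykit.exec."
SCOPES = ("allow_any", "allow_inactive", "allow_active")

def audit_policy(xml_bytes):
    """Return one finding per pkexec action: passwordless scopes and GUI env flag."""
    findings = []
    for action in ET.fromstring(xml_bytes).iter("action"):
        notes = {a.get("key", ""): (a.text or "").strip() for a in action.iter("annotate")}
        path = notes.get(PREFIX + "path")
        if path is None:
            continue  # no exec.path annotation, so not a pkexec action
        no_auth = [s for s in SCOPES if action.findtext("defaults/" + s, "").strip() == "yes"]
        findings.append({
            "id": action.get("id"),
            "path": path,
            "passwordless_for": no_auth,
            # pkexec retains DISPLAY/XAUTHORITY when this annotation is non-empty
            "keeps_gui_env": bool(notes.get(PREFIX + "allow_gui")),
        })
    return findings

if __name__ == "__main__":
    print(audit_policy(SAMPLE))
```

To review a real system, pass the bytes of each file under /usr/share/polkit-1/actions/ to audit_policy and look at entries with a non-empty passwordless_for list.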

Isn’t yast2 the GUI version. yast is the command line version

Yes, of course.

It’s no problem to run the console version with sudo anyway. But it’s not as easy to get the GUI up.
And this thread is about the latter.

Yes but I did not mention of yast2 only yast and if you use yast at that command line you get the command line version no matter what else is set. You have to use yast2 for the GUI version to get the GUI version. I don’t have a clue how to get it to start without root password and really don’t understand why someone would want to considering the huge hole that it would open in security. But each to his own. Just want to be clear the yast2 is the GUI version which the OP did not seem to get.

Hi!
Actually you can run “yast --qt” and get the GUI. Vice-versa, run “yast2” from a tty and you get the console version.

file /usr/sbin/yast
/usr/sbin/yast: symbolic link to `yast2'

file /usr/sbin/yast2
/usr/sbin/yast2: Bourne-Again shell script, ASCII text executable

As far as the ‘huge’ security hole, if these were multiuser machines in a public lab I might agree with that… well I guess that is a topic for another thread.

???
You only jumped in with a question:

And my answer to that was and is that this thread is about the GUI version.

You have to use yast2 for the GUI version to get the GUI version. I don’t have a clue how to get it to start without root password and really don’t understand why someone would want to considering the huge hole that it would open in security. But each to his own. Just want to be clear the yast2 is the GUI version which the OP did not seem to get.

The OP wanted to start the GUI version, without having to enter the root password, over three weeks ago.

No need for you to confuse things now.

Correct.

And actually yast is just a shell script that tries to detect how it is called, under which DE it is run and what is set in /etc/sysconfig/yast2, to then call the “real” yast with the corresponding parameters.

As far as the ‘huge’ security hole, if these were multiuser machines in a public lab I might agree with that… well I guess that is a topic for another thread.

I fully agree.
We don’t have to discuss all security aspects in every thread where someone mentions the word “root” IMHO.

On 03/27/2015 12:36 PM, wolfi323 wrote:
>
> gogalthorp;2701817 Wrote:
>> Isn’t yast2 the GUI version. yast is the command line version
> Yes, of course.
>
> It’s no problem to run the console version with sudo anyway. But it’s
> not as easy to get the GUI up.
> And this thread is about the latter.
>
>
I can get it up using kdesu.

Ken

Of course you can.
But you have to enter the root password.

The question was how to run it without having to enter the root password, see the title.