Trying to run YaST with pkexec, varying degrees of success

nwstout · April 5, 2025, 2:09pm

I recently switched to OpenSUSE Tumbleweed. Overall, I’m impressed, but I’d like to be able to lock down the root account and use my own password to elevate privileges (like most other distros). So far, I’ve been very successful. I’ve edited the sudoers file to allow anyone in the wheel group to use sudo with their own password. I added a polkit rule to allow anyone in the wheel group to authenticate to the polkit.

The problem, however, comes when I try to open YaST. I’ve looked at this GitHub issue, which describes how to set up a polkit policy for YaST. I copy and pasted that policy into a file. For reference, here’s what that file looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
	<action id="org.freedesktop.policykit.pkexec.YaST">
		<description>Run YaST</description>
		<message>Authentication is required to run YaST</message>
		<icon_name>yast-control-center</icon_name>
		<defaults>
			<allow_any>auth_admin</allow_any>
			<allow_inactive>auth_admin</allow_inactive>
			<allow_active>auth_admin</allow_active>
		</defaults>
		<annotate key="org.freedesktop.policykit.exec.path">/sbin/yast2</annotate>
		<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
	</action>
</policyconfig>

I then changed the .desktop file for YaST to use pkexec. To my amazement, it worked. On KDE Plasma. I then tested it on Hyprland (I may be switching to Hyprland in the future), only to find that it does not work. Even when I make sure I have a polkit running (I’ve tried hyprpolkitagent and polkit-kde-agent), wofi just will not launch YaST this way. When I try, nothing happens.

The closest I’ve come to making this work comes from reading the Arch Wiki page on running GUI applications as root. I’ve edited the .desktop file yet again to include:

Exec = pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 /sbin/yast2

That command works on the terminal, but still not through wofi. When I tell wofi to launch YaST, still, nothing happens. I’ve also tested on GNOME and OpenSUSEway, with the same results; I can launch YaST on GNOME, but not on OpenSUSEway.

Can someone point me in the right direction? Why can I launch YaST with pkexec on KDE Plasma but not on Hyprland (via wofi)?

arvidjaar · April 5, 2025, 3:22pm

If setting WAYLAND_DISPLAY helps it implies that your environment does not use Xwayland and so only pure Wayland programs are possible. KDE always starts Xwayland and YaST runs as X11 application. I have no idea what is the difference between command line and wofi (whatever it is). You may try straceing wofi to see what it attempts to launch.

nwstout · April 5, 2025, 6:29pm

First, thank you for telling me about strace. I did not know about that command before.

When I strace wofi in KDE, everything works fine, but when I do it in Hyprland, I get the following error at the end:

Refusing to render service to dead parents.

nwstout · April 6, 2025, 1:14am

So, I found a workaround. I created two wrapper scripts, yast-no-args-pkexec and yast-pkexec, and put them in ~/.local/bin. (I’ll get to why two scripts are needed in a second.) The no-args script looks like

#!/usr/bin/sh
pkexec /sbin/yast2

and the regular script looks like

#!/usr/bin/sh
pkexec /sbin/yast2 "$@"

I then edited the .desktop file for YaST (NOTE: it’s recommended to copy the file to ~/.local/share/applications first, and edit it from there) to include

Exec=$HOME/.local/bin/yast-no-args-pkexec

I did the same thing for all the .desktop files loading a specific module in YaST, but with the yast-pkexec script instead of the no-args script. For example, the .desktop file for managing snapshots included

Exec=$HOME/.local/bin/yast-pkexec snapper

I also added the following to ~/.config/hypr/hyprland.conf:

exec-once = xhost +si:localuser:root

This makes sure that you can launch an X window with root privileges, which are obviously needed for YaST.

If you do these steps (in addition to the ones I described above), you should now be able to launch YaST using polkit in Hyprland!

Now, why were two wrapper scripts needed? Well, I tried using just the script with pkexec /sbin/yast2 "$@" and passing it no args when I just want to access the main YaST screen, but doing that really confused wofi, and the option for just YaST did not appear at all. Hence why I added a no-args script.

system · April 13, 2025, 1:15am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.