I'm not sure I see how this is related to backports.

On Thu, 14 Feb 2019 at 16:35:52 +0100, Ronny Standtke wrote:
> On Debian Live we have the following setup:
>
> The user "user" has full sudo access without any password:
> $ cat /etc/sudoers.d/live
> user ALL=(ALL) NOPASSWD: ALL
>
> The user "root" has no password:
> # cat /etc/shadow | grep root
> root:*:17941:0:99999:7:::

If this is how Debian Live is set up, then it should probably also
configure polkit (policykit-1) to allow "user" to be considered as
root-equivalent (a sysadmin), and to allow root-equivalent users to do
some things that would normally require authentication without
authenticating.

> When I run the command hp-plugin as a normal user I get a graphical
> dialog (translation to ASCII by me):
> ----------------------------------------------------------
> | HP Device Mangager - Enter Username/Password             |
> ------------------------------------------------------------
> | Your HP Device requires to install HP proprietary plugin |
> | Please enter root/superuser password to continue.        |
> |           --------------------------                     |
> | Username: |root                    |                     |
> |           --------------------------                     |
> |           --------------------------                     |
> | Password: |                        |                     |
> |           --------------------------                     |
> |                     ----------------                     |
> |                     |      OK      ||
> |                     ----------------                     |
> ------------------------------------------------------------

This is probably a polkit agent, which is part of whatever desktop
environment you're using. (In GNOME it's part of gnome-shell.)

> The Username input field (already filled with the value "root") is not
> editable.

That's because polkit thinks root is the only root-equivalent user
(sysadmin).

If Debian Live wants polkit to think "user" is also a sysadmin, it should
either add "user" to the sudo group, or add a configuration snippet in
/etc/polkit-1/localauthority.conf.d to make "user" be one of the
AdminIdentities. I would recommend the former, because some polkit
policies specifically refer to the sudo group.

Adding "user" to the sudo group works because the policykit-1 package
contains:

    # /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
    [Configuration]
    AdminIdentities=unix-group:sudo

This means "every user in the sudo group is to be considered to be a
sysadmin". (See /usr/share/doc/base-passwd/users-and-groups.txt.gz)

Normally, polkit policies require an admin user to authenticate.
For example, /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
says that by default, admin users can do an upgrade using PackageKit, but
they have to authenticate first:

    # /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
    <action id="org.freedesktop.packagekit.trigger-offline-upgrade">
      <description>Trigger offline updates</description>
      ...
      <defaults>
        <allow_any>auth_admin</allow_any>
        <allow_inactive>auth_admin</allow_inactive>
        <allow_active>auth_admin_keep</allow_active>
      </defaults>

However, files can be installed into
/var/lib/polkit-1/localauthority/10-vendor.d/ by packages, or into
/etc/polkit-1/localauthority/*.d by local sysadmins, to override this;
and in fact packagekit installs one itself, to let members of the sudo
group upgrade without entering a password:

    # /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla
    [Allow admins to upgrade the system]
    Identity=unix-group:sudo
    Action=org.freedesktop.packagekit.upgrade-system;org.freedesktop.packagekit.trigger-offline-update
    ResultAny=no
    ResultInactive=no
    ResultActive=yes

If configuration fragments like this are considered to be appropriate for
live systems, Debian Live could install some. For example, if Debian Live
wants members of the "sudo" group to be able to do *anything* that is
mediated by polkit, without any prompting, it could install something
like this (untested):

    # /etc/polkit-1/localauthority/30-site.d/debian-live.pkla
    [Make sudo group completely root-equivalent, with no prompting]
    Identity=unix-group:sudo
    Action=*
    ResultAny=yes
    ResultInactive=yes
    ResultActive=yes

Regards,
    smcv
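
Added example (not part of the original message, and not code from polkit or Debian Live): a small Python audit helper that parses .pkla text such as the two fragments quoted in the message and reports which entries answer "yes", that is, authorize without any authentication, for a given identity and action. It assumes identities are passed as literal strings such as unix-group:sudo, and it uses fnmatch as an approximation of polkit's glob matching.

```python
import configparser
from fnmatch import fnmatchcase

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
# Sample input: the two .pkla fragments quoted in the message above.
VENDOR_PKLA = """\
[Allow admins to upgrade the system]
Identity=unix-group:sudo
Action=org.freedesktop.packagekit.upgrade-system;org.freedesktop.packagekit.trigger-offline-update
ResultAny=no
ResultInactive=no
ResultActive=yes
"""
LIVE_PKLA = """\
[Make sudo group completely root-equivalent, with no prompting]
Identity=unix-group:sudo
Action=*
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

def parse_pkla(text):
    """Parse one .pkla file into a list of entries (one per [group])."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: ResultActive, not resultactive
    cp.read_string(text)
    split = lambda v: [x.strip() for x in v.split(";") if x.strip()]
    return [{"name": s,
             "identities": split(cp[s].get("Identity", "")),
             "actions": split(cp[s].get("Action", "")),
             "results": {k: cp[s].get(k, "") for k in RESULT_KEYS}}
            for s in cp.sections()]

def passwordless_grants(entries, identity, action):
    """Entries answering 'yes' for identity+action (globs via fnmatch)."""
    hits = []
    for e in entries:
        if (any(fnmatchcase(identity, g) for g in e["identities"])
                and any(fnmatchcase(action, g) for g in e["actions"])):
            kinds = [k for k in RESULT_KEYS if e["results"][k] == "yes"]
            if kinds:
                hits.append((e["name"], kinds))
    return hits

def wildcard_grants(entries):
    """Names of entries granting 'yes' on a bare '*' action: review these."""
    return [e["name"] for e in entries
            if "*" in e["actions"] and "yes" in e["results"].values()]
```

Run over the files under /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority, wildcard_grants() points out drop-ins like the debian-live.pkla sketch, which make every polkit-mediated action passwordless for the listed identity.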