Control: user pkg-utopia-maintain...@lists.alioth.debian.org
Control: usertags -1 + pkla-without-js

On Sat, 10 Jun 2023 at 15:10:35 +0100, Simon McVittie wrote:
> * Boot debian-live-12.0.0-amd64-gnome.iso (the version used for
>   release-day testing)
>   - KDE has a similar issue with slightly different steps to start the
>     installer, probably all desktops' variants are affected

GNOME, KDE and LXQT are affected. MATE, Cinnamon and LXDE don't seem to be,
because those desktops still pull in the legacy policykit-1 package.

> If this is not the intended behaviour, the solution would be:
>
> - drop a file similar to /usr/share/doc/polkitd/examples/50-local-allow.rules
>   into /usr/share/polkit-1/rules.d (if it's owned by a .deb) or into
>   /etc/polkit-1/rules.d (if it's created on an ad-hoc basis by scripts)
>
> - use that file to configure polkitd to allow whatever action Calamares
>   is using, without authentication (polkit.Result.YES), for either the
>   live user or all members of the sudo group
>
> - when installing with Calamares, make sure that file is not included in
>   the installed system

I see why this has happened. I did a mass-bug-filing for packages that
*contain* files in /var/lib/polkit-1/localauthority, but my search didn't
find live-config, because it creates the file programmatically.

Desktop environments that still pull in the legacy policykit-1 package in
bookworm are unaffected, because live-config does create a file that will
be read by polkitd-pkla.

In https://sources.debian.org/src/live-config/11.0.3%2Bnmu1/components/1080-policykit/:

> if ! pkg_is_installed "policykit-1" || \

This should now be polkitd, not policykit-1. policykit-1 is now a
transitional package.

> cat > /etc/PolicyKit/PolicyKit.conf << EOF

I don't think this file has been used for years.

> <define_admin_auth group="adm"/>

If this file *is* still used, the group you'll want here is 'sudo'.

> [Live CD user permissions]
> Identity=unix-user:${LIVE_USERNAME}
> Action=*
> ResultAny=no
> ResultInactive=no
> ResultActive=yes

This should be replaced by something very similar to
/usr/share/doc/polkitd/examples/50-local-allow.rules. I tried this on the
GNOME live image (not tested on KDE or LXQT but should work equally well):

sudo tee /etc/polkit-1/rules.d/50-live.rules >/dev/null <<EOF
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("sudo")) {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});
EOF

Or you could use subject.user === "live" if you'd prefer. This is
JavaScript, so the "===" is intentionally three equals signs, not a typo.

    smcv
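
Added example, not part of the original message and not live-config or polkit code: a small harness that runs the two rule variants from the message against constructed subjects, to show which users each one authorizes. The `newPolkit` stub, the `decisions` helper, the action id, the user names other than "live", and the AUTH_ADMIN fallback are assumptions made for illustration.

```javascript
// Stand-in for the object polkitd exposes to rules files. Assumed subset:
// polkit.addRule, polkit.Result, subject.user, subject.isInGroup.
const Result = { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null };

function newPolkit() {
  const rules = [];
  return { Result, rules, addRule: (fn) => rules.push(fn) };
}

// Rule from the message: every member of group "sudo" gets YES.
function groupRuleFile(polkit) {
  polkit.addRule(function(action, subject) {
    if (subject.isInGroup("sudo")) {
      return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
  });
}

// Variant from the message: match the live user by name instead.
function userRuleFile(polkit) {
  polkit.addRule(function(action, subject) {
    if (subject.user === "live") {
      return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
  });
}

// Constructed sample data: a placeholder action id and three subjects.
const action = { id: "org.example.placeholder" };
const subjects = [["live", ["sudo"]], ["admin2", ["sudo"]], ["guest", []]]
  .map(([user, groups]) => ({ user, isInGroup: (g) => groups.includes(g) }));

// Hypothetical helper: call rules in the order added; the first one that
// returns a value decides, otherwise the action's own default applies
// (constructed here as AUTH_ADMIN).
function decisions(ruleFile, fallback = Result.AUTH_ADMIN) {
  const polkit = newPolkit();
  ruleFile(polkit);
  return subjects.map((subject) => {
    for (const rule of polkit.rules) {
      const r = rule(action, subject);
      if (r !== Result.NOT_HANDLED && r !== undefined) return r;
    }
    return fallback;
  });
}

console.log("sudo-group rule:", decisions(groupRuleFile)); // live, admin2, guest
console.log("live-user rule: ", decisions(userRuleFile));
```

Neither rule inspects action.id, so each one answers YES for every polkit action requested by the subjects it matches.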