The current polkit rule looks like this:
cat /usr/share/polkit-1/rules.d/org.projectatomic.rpmostree1.rules polkit.addRule(function(action, subject) { if (action.id == "org.projectatomic.rpmostree1.repo-refresh" && subject.active == true && subject.local == true) { return polkit.Result.YES; } if ((action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" || action.id == "org.projectatomic.rpmostree1.install-local-packages" || action.id == "org.projectatomic.rpmostree1.override" || action.id == "org.projectatomic.rpmostree1.deploy" || action.id == "org.projectatomic.rpmostree1.upgrade" || action.id == "org.projectatomic.rpmostree1.rebase" || action.id == "org.projectatomic.rpmostree1.rollback" || action.id == "org.projectatomic.rpmostree1.bootconfig" || action.id == "org.projectatomic.rpmostree1.reload-daemon" || action.id == "org.projectatomic.rpmostree1.cancel" || action.id == "org.projectatomic.rpmostree1.cleanup" || action.id == "org.projectatomic.rpmostree1.client-management") && subject.active == true && subject.local == true && subject.isInGroup("wheel")) { return polkit.Result.YES; } });
It is necessary for automatic updates to have all these working, but I would propose this rule instead, removing some more advanced system modifications you may want to avoid.
polkit.addRule(function(action, subject) { if ((action.id == "org.projectatomic.rpmostree1.repo-refresh" || action.id == "org.projectatomic.rpmostree1.upgrade" || action.id == "org.projectatomic.rpmostree1.deploy") && subject.active == true && subject.local == true) { return polkit.Result.YES; } if ((action.id == "org.projectatomic.rpmostree1.rollback" || action.id == "org.projectatomic.rpmostree1.bootconfig" || action.id == "org.projectatomic.rpmostree1.reload-daemon" || action.id == "org.projectatomic.rpmostree1.cancel" || action.id == "org.projectatomic.rpmostree1.cleanup" || action.id == "org.projectatomic.rpmostree1.client-management") && subject.active == true && subject.local == true && subject.isInGroup("wheel")) { return polkit.Result.YES; } });
Explanation: This combines all rpm-ostree polkit permissions formerly found in my configuration.
I rearranged some permissions, allowing all local and active users to upgrade, repo-refresh and deploy, which seems to be necessary for the automatic-update service to work.
Meanwhile, I removed the permissions
action.id == "org.projectatomic.rpmostree1.install-uninstall-packages" || action.id == "org.projectatomic.rpmostree1.install-local-packages" || action.id == "org.projectatomic.rpmostree1.override" || action.id == "org.projectatomic.rpmostree1.rebase" ||
as these can harm a system, install or remove un-/wanted software while the PC is unlocked unattended e.g.
These are nontrivial commands users don't need to execute lots of times, so it should be no problem for UX.
again, should this issue be mentioned somewhere upstream, as it affects all atomic Desktop variants?
This is part of a larger discussion around whether we should allow unprivileged users to update the system or not.
Maybe you should file that in the Atomic Desktops tracker: https://gitlab.com/fedora/ostree/sig/-/issues
Metadata Update from @siosm: - Issue tagged with: kinoite
Thanks, yes I will do that there
Moved to https://gitlab.com/fedora/ostree/sig/-/issues/7
Metadata Update from @siosm: - Issue close_status updated to: Deferred to upstream - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.