Fedora-OSTree-Setup-dev / Fedora-OSTree-Setup

Glorified scipt that automates the setup of Fedora Silverblue/Kinoite based on given config file.
GNU General Public License v3.0
7 stars 3 forks source link

Allow user certain tasks #89

Open boredsquirrel opened 1 year ago

boredsquirrel commented 1 year ago

Lets collect tasks where you shouldnt need sudo for here:

Virt-manager because virtualization should be an easy tool on this System.

Mounting LUKS drives requires sudo too, which can be avoided

Adding this script makes future mods easier:

wget https://github.com/trytomakeyouprivate/Polkit-helper/raw/main/create-polkit-rule -P ~/.local/bin/ && chmod +x ~/.local/bin/create-polkit-rule && echo "Polkit rule helper installed."
boredsquirrel commented 1 year ago

Virt-manager:

sudo usermod -a -G libvirt $(whoami)

sudo sed -i 's/#unix_sock_group = "libvirt"/unix_sock_group = "libvirt"/g' /etc/libvirt/libvirtd.conf
sudo sed -i 's/#unix_sock_ro_perms = "0777"/unix_sock_ro_perms = "0777"/g' /etc/libvirt/libvirtd.conf

sudo systemctl restart libvirtd.service

systemctl status libvirtd.service  

source

Add Polkit rule:

printf """polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage" && subject.local && subject.active && subject.isInGroup("wheel")) {
      return polkit.Result.YES;
  }
});""" | sudo tee /etc/polkit-1/rules.d/80-libvirt-manage.rules

Now it works. I actually dont know the polkit details, maybe the first codeblock is not needed. I can try to redo the changes and see if it works just with Polkit, as just the first changes didnt work.

boredsquirrel commented 1 year ago

Polkit changes for allowing to open Luks drives (KDE team will fix the unnessecary password prompt)

printf """polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system" && subject.local && subject.active && subject.isInGroup("wheel")) {
      return polkit.Result.YES;
  }
});
""" | sudo tee /etc/polkit-1/rules.d/80-udisks2-encrypted-unlock.rules

printf """polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" && subject.local && subject.active && subject.isInGroup("wheel")) {
      return polkit.Result.YES;
  }
});
""" | sudo tee /etc/polkit-1/rules.d/80-udisks2-mount.rules

I cant believe it works!

The current rules only apply to wheel users, but I think this is also the norm. Non-sudoers should maybe not be allowed to do these tasks, I dont know children or something?

It doesnt feel like a good protection, for example having secret stuff in a VM or on a LUKS drive, and the only thing hindering your child or anyone from accessing it is the sudoers password.

boredsquirrel commented 1 year ago

sddm themes:

printf """polkit.addRule(function(action, subject) {
  if (action.id == org.kde.kcontrol.kcmsddm.save && subject.local && subject.active && subject.isInGroup(wheel)) {
      return polkit.Result.YES;
  }
});""" | sudo tee /etc/polkit-1/rules.d/80-sddm-kcm-allow.rules
iaacornus commented 1 year ago

what about the mounting of luks drives?

boredsquirrel commented 1 year ago

i have another drive that is encrypted. When you save the password in KWallet (password manager) mounting should work automatically, but it does not because polkit wants authentification for udisks2. This can be turned to "always yes"