Inconsistent permissions for dnf install

4

1

Why do I not need to install as root when the shell "guesses" the package I need to execute a command?

For example:

(cseymour) : ~ $ dnf install rogue
Error: This command has to be run under the root user.
(cseymour) : ~ $ rogue
bash: rogue: command not found...
Install package 'rogue' to provide command 'rogue'? [N/y] y


 * Waiting in queue... 
The following packages have to be installed:
 rogue-5.4.5-19.fc24.x86_64 The original graphical adventure game
Proceed with changes? [N/y] y


 * Waiting in queue... 
 * Waiting for authentication... 
 * Waiting in queue... 
 * Downloading packages... 
 * Requesting data... 
 * Testing changes... 
 * Installing packages... 

and so on, successfully installing the package without requiring root password.

csey

Posted 2016-11-01T18:05:26.363

Reputation: 63

Answers

2

There is a small package, PackageKit-command-not-found, installed in Fedora that makes this happen. The policy is configured in /etc/PackageKit/CommandNotFound.conf.

The authentication is done using PolicyKit (over D-Bus), where you already granted installation of a new package using the PackageKit GUI. The respective file is /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules, which allows locally logged-in users in the wheel group to install packages:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

If you are not satisfied with this behaviour, you can always uninstall this package (dnf remove PackageKit-command-not-found) and the packages will not get installed automatically.

Jakuje

Posted 2016-11-01T18:05:26.363

Reputation: 7 981

Thanks so much! Given this is installed by default, why is it that dnf deems to use a password request rather than something similar? Are these differing behaviours intentional? – csey – 2016-11-01T20:22:05.497

Because dnf is not PackageKit and the rule above is only for PackageKit. DNF is a standard command-line tool that needs root privileges, but PackageKit uses authentication over D-Bus and some backend already running as root. – Jakuje – 2016-11-01T20:24:15.913

@csey I agree that it's inconsistent. You can also install software without a password using the GNOME Software GUI tool. I think it's mostly just that the behavior which we decided is okay for command-not-found and GUI installs is to install packages from already-configured repos. Since Fedora in general avoids activating services simply on installation, the risk of this is fairly low. On the other hand, DNF can do a lot of other things, many of them dangerous. – mattdm – 2016-11-02T18:54:43.603

@mattdm thank you for the addition and background, which I was missing (still only a few years around Fedora). I will add it to the answer or you can edit it in, since it can be interesting for others too. – Jakuje – 2016-11-02T18:57:30.173
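How a local polkit override would change the decision made by the rule quoted in the answer, as an added example (not part of the original thread or of Fedora's shipped files). The `polkit` object, `decide` and `makeSubject` are a simplified stand-in for polkitd's rule engine so the rules can be run under Node.js, and the override file name is hypothetical.

```javascript
// Simplified stand-in for polkitd's rule engine (assumption, not polkit itself).
// Rules run in the order they were added; the first handled result wins.
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Local override, e.g. /etc/polkit-1/rules.d/10-packagekit-auth.rules
// (hypothetical name; "10-" sorts before "org.freedesktop.packagekit.rules").
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install") {
        return polkit.Result.AUTH_ADMIN;   // always ask for admin credentials
    }
});

// Shipped Fedora rule, as quoted in the answer.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

// Evaluate one action for one subject against an ordered list of rules.
function decide(rules, actionId, subject) {
  for (const rule of rules) {
    const r = rule({ id: actionId }, subject);
    if (r != null && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return "implicit default";  // no rule matched: the action's own defaults apply
}

// Constructed subject; defaults model a local, active desktop session.
function makeSubject(groups, local = true, active = true) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}

const INSTALL = "org.freedesktop.packagekit.package-install";
const wheelUser = makeSubject(["wheel"]);
const shippedOnly = polkit.rules.slice(1);
console.log("shipped rule only :", decide(shippedOnly, INSTALL, wheelUser));
console.log("with override     :", decide(polkit.rules, INSTALL, wheelUser));
console.log("remote wheel user :", decide(shippedOnly, INSTALL, makeSubject(["wheel"], false)));
```

Only the first `polkit.addRule(...)` call would go into the override file; a session that is not local, or a user outside wheel, never matched the shipped rule in the first place.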