Hello.
A bit strange behavior: I have two accounts on my Fedora install and sometimes I use both at the same time and switch between both with [CTRL]+[ALT]+[F1], [CTRL]+[ALT]+[F2], and [CTRL]+[ALT]+[F3].
Sometimes after switching it asks for a password with the reason:
Legitimierung wird benötigt, um Metadaten zu aktualisieren
Translation:
Legitimization is necessary, to update meta data.
Screenshot:
Why? What does this do? Can I / Should I disable this?
I also got this issue.
GNOME Software does automatic updates in the background for the system using rpm-ostree and that requires permissions, which are asked via polkit, which opens this dialog.
Kinoite has a similar issue right now: Why does this window pop up when I log in?
This can’t be the whole story.
I don’t get this password request when I log in, only when I switch between different sessions.
Also I should add this bit of information:
I have disabled passwords on policy kit and sudo with this settings:
# sudo without password
# https://askubuntu.com/questions/98006/how-do-i-prevent-policykit-from-asking-for-a-password
export XUSER=${USER}
sudo --preserve-env bash -c 'cat <<EOF | tee "/etc/sudoers.d/${XUSER}" >/dev/null
${XUSER} ALL=(ALL) NOPASSWD: ALL
EOF'
# policy kit without password
# https://askubuntu.com/questions/98006/how-do-i-prevent-policykit-from-asking-for-a-password
cat <<EOF | sudo tee "/var/lib/polkit-1/localauthority/50-local.d/disable-passwords.pkla" >/dev/null
[Do anything you want]
Identity=unix-group:wheel
Action=*
ResultActive=yes
EOF
But that does not explain, why it asks for the password if I switch between sessions. Or does it?
If the user is unprivileged (not part of the wheel group) then your polkit policy does not apply to them.
This also may be an issue. It puts the username into a file named for the user that is located in /etc/sudoers.d/
That means if the user is part of the wheel group the entry for the wheel group in /etc/sudoers may have effect, or may be conflicted with the username entry in the file just created. Which takes effect may be determined by the order in which the sudo command checks for username permissions versus group permissions.
If the user is part of the wheel group and no other users are allowed to use sudo without passwords that line probably should read
%wheel ALL=(ALL) NOPASSWD: ALL
which is already shown in /etc/sudoers as an example alternate to the default
%wheel ALL=(ALL) ALL
Note that (for the way you made that entry) if the NOPASSWD is not set for the wheel group and the group permissions are checked first then a password would be required. If the username permissions are checked first then the password would not be required.
What I did was make the file /etc/sudoers/wheel-nopasswd with the content %wheel ALL=(ALL) NOPASSWD: ALL and it works very well for members of the wheel group.
If the user is unprivileged (not part of the wheel group) then your polkit policy does not apply to them.
OK, but this is not the case. I checked /etc/group and also sudo works without password.
@computersavvy Interesting. I have to think about that and read a bit more. But, as I just stated, sudo works without password, so I think my current configuration is fine. I will look into your improvement suggestions, though.
However please keep in mind that my main question is: Why do I get this password-prompt when switching sessions?
The drop -in just works if you have the second line below in the /etc/sudoers file.
And probably you just made the changes there in the old fassion sudoers file.
/etc/sudoers
...
#Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
polkit does not look at the sudoers config.
I deleted /var/lib/polkit-1/localauthority/50-local.d/disable-passwords.pkla and added a file named /etc/polkit-1/rules.d/49-nopasswd_global.rules with this content:
/* Allow members of the wheel group to execute any actions
* without password authentication, similar to "sudo NOPASSWD:"
*/
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
and I think it works.
Some thoughts:
/etc/polkit-1/ is a better directory than /var/lib/polkit-1/ for this kind of config.So, I think it is solved.