I’ve been loving the fact that if I’m at the terminal and type a command that’s not installed, it offers to install it for me, and then runs my command!
It’s very impressive and a real timesaver on a fresh install.
But I’ve noticed that I’m never asked to authenticate to get these installs done(!) How is that working? And is it using dnf or flatpak or…?
You might have typed in the missing program already with sudo?
Or you added the option installing without password to the /etc/sudoers file or into the folder /etc/sudoers.d/ like this:
sudo cat /etc/sudoers.d/ilikelinux
ilikelinux ALL=(ALL) NOPASSWD: /usr/bin/dnf, /usr/bin/dnf5
@ilikelinux nope:
~% sudo -K # make sure sudo isn't ready
~% mu # try running a command I don't have installed
zsh: mu: command not found...
Install package 'maildir-utils' to provide command 'mu'? [N/y] y
* Waiting in queue...
* Loading list of packages....
The following packages have to be installed:
gmime30-3.2.7-8.fc38.x86_64 Library for creating and parsing MIME messages
guile22-2.2.7-7.fc38.x86_64 A GNU implementation of Scheme for application extensibility
maildir-utils-1.8.11-1.fc38.x86_64 A command-line mail organization utility
xapian-core-1.4.22-1.fc38.x86_64 The Xapian Probabilistic Information Retrieval Library
xapian-core-libs-1.4.22-1.fc38.x86_64 Xapian search engine libraries
Proceed with changes? [N/y] y
* Waiting in queue...
* Waiting for authentication...
* Waiting in queue...
* Downloading packages...
* Requesting data...
* Testing changes...
* Installing packages...
usage:
mu help <command>
Help Options:
-h, --help Show help options
Application Options:
-d, --debug print debug output to standard error (false)
-q, --quiet don't give any progress information (false)
-V, --version display version and copyright information (false)
--muhome=<dir> specify an alternative mu directory
--log-stderr log to standard error (false)
--nocolor don't use ANSI-colors in output (false)
-v, --verbose verbose output (false)
mu help is the mu command to get help about <command>, where <command>
is one of:
add - add message to database
cfind - find a contact
extract - extract parts/attachments from messages
fields - show table of all query fields and flags
find - query the message database
help - get help
index - index messages
init - init the mu database
mkdir - create a maildir
remove - remove a message from the database
script - run a script (available only when mu was built with guile-support)
server - start mu server
verify - verify signatures of a message
view - view a specific message
This feature is from PackageKit-command-not-found.
The authentication is done using polkit (the same mechanism that allows you to use flatpak to install system-wide apps without sudo).
You should be able to find the policy for pk-command-not-found in the files from PackageKit:
$ rpm -ql PackageKit | grep polkit
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
/usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules
(I don’t have it installed so can’t tell you exactly)
Thanks so much!
So my /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules contains:
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.packagekit.package-install" ||
action.id == "org.freedesktop.packagekit.package-remove") &&
subject.active == true && subject.local == true &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
Which to my untrained eye looks like it lets local active users in the ‘wheel’ group to run those two actions. My user is in the wheel group.
Then /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy contains:
<action id="org.freedesktop.packagekit.package-install">
<!-- SECURITY:
- Normal users need authentication to install signed packages
from signed repositories, because otherwise the system is
only as secure as the least-secure package available in the
repositories.
-->
<description>Install signed package</description>
<message>Authentication is required to install software</message>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
I think this is declaring an ‘action’ with that long id that normally (<defaults>) requires authentication, but that the rules file overrides those defaults allowing users in wheel to run that action.
Sound about right?