How does automatic installation of CLI software without authentication work

I’ve been loving the fact that if I’m at the terminal and type a command that’s not installed, it offers to install it for me, and then runs my command!

It’s very impressive and a real timesaver on a fresh install.

But I’ve noticed that I’m never asked to authenticate to get these installs done(!) How is that working? And is it using dnf or flatpak or…?

You might have typed in the missing program already with sudo?

Or you added the option to install without a password to the /etc/sudoers file or to the folder /etc/sudoers.d/, like this:

sudo cat /etc/sudoers.d/ilikelinux
ilikelinux   ALL=(ALL) NOPASSWD: /usr/bin/dnf, /usr/bin/dnf5

@ilikelinux nope:

~% sudo -K  # make sure sudo isn't ready
~% mu    # try running a command I don't have installed
zsh: mu: command not found...
Install package 'maildir-utils' to provide command 'mu'? [N/y] y


 * Waiting in queue... 
 * Loading list of packages.... 
The following packages have to be installed:
 gmime30-3.2.7-8.fc38.x86_64	Library for creating and parsing MIME messages
 guile22-2.2.7-7.fc38.x86_64	A GNU implementation of Scheme for application extensibility
 maildir-utils-1.8.11-1.fc38.x86_64	A command-line mail organization utility
 xapian-core-1.4.22-1.fc38.x86_64	The Xapian Probabilistic Information Retrieval Library
 xapian-core-libs-1.4.22-1.fc38.x86_64	Xapian search engine libraries
Proceed with changes? [N/y] y


 * Waiting in queue... 
 * Waiting for authentication... 
 * Waiting in queue... 
 * Downloading packages... 
 * Requesting data... 
 * Testing changes... 
 * Installing packages... 
usage:
	mu help <command>

Help Options:
  -h, --help         Show help options

Application Options:
  -d, --debug        print debug output to standard error (false)
  -q, --quiet        don't give any progress information (false)
  -V, --version      display version and copyright information (false)
  --muhome=<dir>     specify an alternative mu directory
  --log-stderr       log to standard error (false)
  --nocolor          don't use ANSI-colors in output (false)
  -v, --verbose      verbose output (false)

mu help is the mu command to get help about <command>, where <command>
is one of:
  add     - add message to database
  cfind   - find a contact
  extract - extract parts/attachments from messages
  fields  - show table of all query fields and flags
  find    - query the message database
  help    - get help
  index   - index messages
  init    - init the mu database
  mkdir   - create a maildir
  remove  - remove a message from the database
  script  - run a script (available only when mu was built with guile-support)
  server  - start mu server
  verify  - verify signatures of a message
  view    - view a specific message

This feature is from PackageKit-command-not-found.

The authentication is done using polkit (the same mechanism that allows you to use flatpak to install system-wide apps without sudo).

You should be able to find the policy for pk-command-not-found in the files from PackageKit:

$ rpm -ql PackageKit | grep polkit
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
/usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules

(I don’t have it installed so can’t tell you exactly)

Thanks so much!

So my /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules contains:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

Which to my untrained eye looks like it lets local active users in the ‘wheel’ group run those two actions. My user is in the wheel group.

Then /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy contains:

  <action id="org.freedesktop.packagekit.package-install">
    <!-- SECURITY:
          - Normal users need authentication to install signed packages
            from signed repositories, because otherwise the system is
            only as secure as the least-secure package available in the
            repositories.
     -->
    <description>Install signed package</description>
    <message>Authentication is required to install software</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
</action>

I think this is declaring an ‘action’ with that long id that normally (<defaults>) requires authentication, but that the rules file overrides those defaults allowing users in wheel to run that action.

Sound about right?
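
The rule and the `<defaults>` quoted above can be modelled offline to see which subjects skip the prompt. This is an added example, not part of the thread and not polkit's or PackageKit's own code; the `polkit` stub, `makeSubject` and `authorize` are hypothetical helpers, and the fallback order (rules first, then `allow_active` / `allow_inactive` / `allow_any` by session state) is a simplified model of polkit's evaluation.

```javascript
// Simplified stand-in for the `polkit` object that polkitd gives to rules files
// (assumption: models only what the rule quoted in the thread uses).
const rules = [];
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
            AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: "not_handled" },
  addRule(fn) { rules.push(fn); },
};

// The rule from org.freedesktop.packagekit.rules, copied from the thread.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.packagekit.package-install" ||
         action.id == "org.freedesktop.packagekit.package-remove") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

// <defaults> for package-install from the .policy file quoted in the thread.
const DEFAULTS = {
  "org.freedesktop.packagekit.package-install": {
    allow_any: "auth_admin", allow_inactive: "auth_admin",
    allow_active: "auth_admin_keep" },
};

// Constructed subject (hypothetical helper): group list plus session flags.
function makeSubject(groups, local, active) {
  return { groups, local, active, isInGroup: (g) => groups.includes(g) };
}

// Rules run first; the first one that returns a result decides.
// If none does, the action's <defaults> apply, chosen by session state.
function authorize(actionId, subject) {
  for (const rule of rules) {
    const r = rule({ id: actionId }, subject);
    if (r != null && r !== polkit.Result.NOT_HANDLED) return r;
  }
  const d = DEFAULTS[actionId];
  if (!d) throw new Error("no <defaults> quoted on the page for " + actionId);
  if (!subject.local) return d.allow_any;
  return subject.active ? d.allow_active : d.allow_inactive;
}

const INSTALL = "org.freedesktop.packagekit.package-install";
console.log(authorize(INSTALL, makeSubject(["wheel"], true, true)));   // wheel user at the console
console.log(authorize(INSTALL, makeSubject(["users"], true, true)));   // non-wheel user at the console
console.log(authorize(INSTALL, makeSubject(["wheel"], false, false))); // wheel user, remote session
console.log(authorize(INSTALL, makeSubject(["wheel"], true, false)));  // wheel user, inactive local session
```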