How to force rpm-ostree to remove/overlay protected packages

I want to remove at least sudo, but I get a message that it’s protected. With dnf I can do dnf remove --setopt protected_packages= but I can’t find similar options with rpm-ostree. Is it not possible to remove protected packages with rpm-ostree yet?

1 Like

Why would you wish to remove sudo???

That allows a standard user to perform admin tasks without logging in as root and is a necessary part of the system administration.

In general the protected packages are ‘protected’ for a reason. The system needs them to remain intact for normal operation. Removing or corrupting them is likely to totally break one’s system.

Because it’s security theater and extra overhead my users don’t need. If I need to perform root operations I will switch to vt. Sudo seems too controversial, what about gnome-shell then? It shouldn’t matter.

And despite that, I’ve been able to remove protected packages with careful excludes and noautoremove without issue on normal Fedora.

You can remove it by editing or removing the associated files in /etc/dnf/protected.d

You will also have to remove sudo-python-plugin

I was able to do this in a Silverblue VM, but did not do a lot of testing afterwards so I’m not 100% sure it does not break anything else.

1 Like


Removing sudo likely breaks the system, and opendoas may have undiscovered security vulnerabilities.

I am experimenting with the same currently. I will replace sudo with opendoas, but in general I have alias sudo=pkexec in my shell RC to experiment.

This should do it.

# alias in various shells
echo "alias sudo=pkexec" >> ~/.bashrc
echo "abbr sudo pkexec" >> ~/.config/fish/config.fish
echo "alias sudo=pkexec" >> ~/.zshrc

# do a backup! no backup no mercy
pkexec ostree admin pin 0

# rename the protected file to disable it
pkexec mv /etc/dnf/protected.d/sudo.conf /etc/dnf/protected.d/sudo.conf.disabled

# do the replacements
rpm-ostree override remove sudo sudo-python-plugin --install opendoas

# some PAM configurations are also missing

I could not find a replacement python plugin for doas or polkit, do you know if there is one that needs packaging?

Just found out, polkit is 16 years old… damn, Linux changes so slowly.

Warning, don’t do this (currently)

This broke shutdown for me: the shutdown binary could not be executed.

Without quite some changes in Fedora’s internals, removing sudo will result in breakages. If we can find all of them, that would be great.
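Added example, not from any poster in this thread: a small audit helper that reports whether a package is still listed in an active protected.d file, or whether its entry was parked by renaming the file as in the steps above. It assumes each file lists one package name per line and that only names ending in .conf are read; the function names are made up for this example.

```shell
#!/bin/sh
# Audit a dnf protected.d directory for one package (added example).
# Assumptions: one package name per line; only *.conf files are active.

# lists_pkg FILE PKG: succeeds if FILE contains PKG as a whole line
lists_pkg() {
    sed 's/[[:space:]]*$//' "$1" | grep -qxF -- "$2"
}

# audit_protection DIR PKG: prints one of
#   protected: <file>   PKG is listed in an active *.conf file
#   disabled: <file>    PKG is listed only in a renamed (inactive) file
#   unprotected         PKG is not listed anywhere in DIR
audit_protection() {
    dir=$1
    pkg=$2
    parked=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        lists_pkg "$f" "$pkg" || continue
        case $f in
            *.conf) echo "protected: $f"; return 0 ;;
            *)      parked=$f ;;
        esac
    done
    if [ -n "$parked" ]; then
        echo "disabled: $parked"
    else
        echo "unprotected"
    fi
}

# Stand-alone use: ./audit.sh /etc/dnf/protected.d sudo
if [ "$#" -eq 2 ]; then
    audit_protection "$1" "$2"
fi
```

A "disabled" result on a machine where nobody meant to drop the protection is worth following up, since the renamed file stays behind as evidence of the change.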