I installed Silverblue 37 and setup prompted me for user password, but not for root. I was able to update and remove packages via gnome-software and rpm-ostree without prompt for password. id showed that my unprivileged user was part of wheel group. When I removed the user from wheel I started getting access denied for command line rpm-ostree operations. I think gnome-software now gives an error when checking for updates. Is unprivileged user supposed to be able to do rpm-ostree without password prompt and if not what other things could be broken and insecure?
Gnome Workstation also not asks you for a root user. Your install user has sudo rights because it is by default in the wheel group.
You should not remove your selves from wheel group. If you want a user with less right just create a new one without wheel alias sudo rights.
Silverblue is an immutable OS. If you want to make changes just use the user you installed the system with.
Some additional info.
You should not remove your selves from wheel group. If you want a user with less right just create a new one without wheel alias sudo rights.
Why should I not remove self from wheel group?
Silverblue is an immutable OS. If you want to make changes just use the user you installed the system with.
And trust all the software and containers not to leak as well? By default? This seems backwards.
Gathering from this and other threads, it seems to be the case that there is no setup for root password by default (not to say root can login with no password) and user should be able to do do package operations and other without any prompt as they are part of wheel.
Although… Just to be clear we are talking about gui prompts right? I am part of wheel on standard fedora workstation (with xfce4 desktop) and I get permission denied in command line without explicit sudo and gui prompts for authentication unlike with silverblue.
Speaking for Workstation not Silverblue:
Because you lock you out if you just have a system account ID 1000 and you remove you from wheel.
You need, before you do so, set a root password with the ID 1000 account. Otherwise you are not able to run the recovery image and do so. There you need a valid root password.
For Silverblue alias “rpm-ostree install” you have to do it as @grumpey mentioned.
No it is not clear anymore, it seams you mixing up things a bit.
Your request was for Silverblue. Silverblue handles things different. Please read others links.
I already set root password so looks like I avoided that. I was just seeing if there were any other system ramifications (like rpm-ostree autoupdate and etc…) and it looks like there is none. Thank you for the responses.