Allow user certain tasks #89

Open
2 of 3 tasks
boredsquirrel opened this issue Mar 18, 2023 · 5 comments

Comments

@boredsquirrel (Collaborator) commented Mar 18, 2023

Let's collect tasks here where you shouldn't need sudo:

  • virt-manager
  • mounting LUKS drives
  • changing the sddm theme when sddm2rpm themes are installed

Virt-manager, because virtualization should be an easy tool on this system.

Mounting LUKS drives requires sudo too, which can be avoided.

Adding this script makes future mods easier:

wget https://github.com/trytomakeyouprivate/Polkit-helper/raw/main/create-polkit-rule -P ~/.local/bin/ && chmod +x ~/.local/bin/create-polkit-rule && echo "Polkit rule helper installed."
@boredsquirrel (Collaborator, Author) commented Mar 18, 2023

Virt-manager:

# add the current user to the libvirt group
sudo usermod -a -G libvirt $(whoami)

# uncomment the socket group and read-only socket permission settings in libvirtd.conf
sudo sed -i 's/#unix_sock_group = "libvirt"/unix_sock_group = "libvirt"/g' /etc/libvirt/libvirtd.conf
sudo sed -i 's/#unix_sock_ro_perms = "0777"/unix_sock_ro_perms = "0777"/g' /etc/libvirt/libvirtd.conf

# restart libvirtd and check that it came back up
sudo systemctl restart libvirtd.service
systemctl status libvirtd.service

source

Add Polkit rule:

# A quoted heredoc keeps the inner double quotes intact (printf """...""" would strip them,
# leaving an invalid rule). Active, locally logged-in members of wheel may manage libvirt.
sudo tee /etc/polkit-1/rules.d/80-libvirt-manage.rules <<'EOF'
polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage" && subject.local && subject.active && subject.isInGroup("wheel")) {
      return polkit.Result.YES;
  }
});
EOF

Now it works. I actually don't know the polkit details; maybe the first code block is not needed. I can try to redo the changes and see if it works just with Polkit, as just the first changes didn't work.

@boredsquirrel (Collaborator, Author) commented

Polkit changes to allow opening LUKS drives (the KDE team will fix the unnecessary password prompt):

# Members of wheel in a local, active session may unlock LUKS volumes without a prompt.
# The quoted heredoc preserves the double quotes that printf """...""" would strip.
sudo tee /etc/polkit-1/rules.d/80-udisks2-encrypted-unlock.rules <<'EOF'
polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system" && subject.local && subject.active && subject.isInGroup("wheel")) {
      return polkit.Result.YES;
  }
});
EOF

# Same for mounting the filesystem inside the unlocked volume
sudo tee /etc/polkit-1/rules.d/80-udisks2-mount.rules <<'EOF'
polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" && subject.local && subject.active && subject.isInGroup("wheel")) {
      return polkit.Result.YES;
  }
});
EOF

I can't believe it works!

The current rules only apply to wheel users, but I think this is also the norm. Non-sudoers should maybe not be allowed to do these tasks, I don't know, children or something?

It doesn't feel like good protection, for example having secret stuff in a VM or on a LUKS drive, and the only thing hindering your child or anyone from accessing it is the sudoers password.
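
To see who these rules actually cover, here is an added example (not code from the issue or from the project) that runs the two udisks2 rules through a small stand-in for polkit's JavaScript rule API: a wheel member in a console session gets YES, while the same admin over SSH (not a local, active session) and a non-wheel account both fall through to the action's own default, i.e. the password prompt. The `polkit` object, `evaluate()` and `makeSubject()` are simplified stand-ins for polkitd, not its real implementation.

```javascript
// Stand-in for the polkit rule API (hypothetical; added for this example only).
// It keeps the names the rules use: polkit.addRule, polkit.Result, subject.*
const polkit = {
  Result: { YES: "yes", NO: "no" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Simplified polkitd behaviour: rules run in order and the first one that
// returns a value decides; if none does, the action's default from its
// .policy file applies (labelled "default" here, which for these udisks2
// actions is the admin password prompt the issue wants to avoid).
function evaluate(actionId, subject) {
  for (const rule of polkit._rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined) return result;
  }
  return "default";
}

// Constructed subjects: a console login, the same admin over SSH (neither a
// local nor an active seat session), and a non-wheel account such as a child's.
function makeSubject(groups, local, active) {
  return { local, active, isInGroup: (g) => groups.includes(g) };
}
const consoleAdmin = makeSubject(["wheel", "libvirt"], true, true);
const sshAdmin = makeSubject(["wheel"], false, false);
const child = makeSubject(["users"], true, true);

// The two udisks2 rules from this comment, unchanged apart from line wrapping.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system" &&
      subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
      subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});

// Outcome per subject for the unlock action; libvirt has no rule loaded here.
function unlockOutcomes() {
  const id = "org.freedesktop.udisks2.encrypted-unlock-system";
  return {
    consoleAdmin: evaluate(id, consoleAdmin),
    sshAdmin: evaluate(id, sshAdmin),
    child: evaluate(id, child),
    libvirt: evaluate("org.libvirt.unix.manage", consoleAdmin),
  };
}
console.log(unlockOutcomes());
```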

@boredsquirrel (Collaborator, Author) commented

SDDM themes:

# The action id and group name must be quoted JavaScript strings; the quoted heredoc keeps them intact
sudo tee /etc/polkit-1/rules.d/80-sddm-kcm-allow.rules <<'EOF'
polkit.addRule(function(action, subject) {
  if (action.id == "org.kde.kcontrol.kcmsddm.save" && subject.local && subject.active && subject.isInGroup("wheel")) {
      return polkit.Result.YES;
  }
});
EOF

@iaacornus (Collaborator) commented

What about the mounting of LUKS drives?

@boredsquirrel (Collaborator, Author) commented

I have another drive that is encrypted. When you save the password in KWallet (password manager), mounting should work automatically, but it does not because polkit wants authentication for udisks2. This can be turned to "always yes".
