Bug 343522

Summary: polkit-kde-authentication-agent-1 ignores rootpw setting in /etc/sudoers
Product: [Plasma] policykit-kde-agent-1 Reporter: onitake
Component: polkit-kde-authentication-agent-1Assignee: Jaroslav Reznik <jreznik>
Status: RESOLVED NOT A BUG    
Severity: grave CC: emrecio, kde
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Debian testing   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description onitake 2015-01-29 14:13:13 UTC 
This affects version 0.99.1 of the package, and probably previous versions as well.

When a KDE program asks for root permissions via the polkit-kde-authentication-agent-1 dialog, it will always ask for the user password, even if "Defaults rootpw" is set in /etc/sudoers.

Having sudo ask for the root password instead can improve security and help prevent accidentally elevating privileges. These benefits are lost if any authentication dialog does not honor the respective setting, however.

As I understand, the dialog will ask for the root password if it cannot find sudo installed on the system, but using su exclusively has certain drawbacks. sudo with the rootpw option is much more versatile.

Please fix the authentication dialog (or policykit) in a way that it respects "Defaults rootpw".
Comment 1 David Edmundson 2015-08-05 12:57:44 UTC 
polkit isn't anything to do with sudo.
Comment 2 onitake 2015-08-05 13:07:56 UTC 
If that is the case, then please explain to me why the authentication agent is asking for my user password when sudo is installed and in use. If sudo is not available, the KDE auth agent will request the superuser password instead.

Perhaps this is Debian specific and handled by PAM or something else, but as far as my preferences are concerned, the KDE polkit auth agent is doing the wrong thing, and this is a security issue.

Is there a way to instruct the agent to always ask for the root password?
Comment 3 David Edmundson 2015-08-05 13:14:24 UTC 
>Is there a way to instruct the agent to always ask for the root password?

Sure. 

https://wiki.archlinux.org/index.php/Polkit#Ask_for_root_password
^obviously that's Arch, but it applies nonetheless.

Polkit is a "replacement" for sudo, it doesn't use sudo anywhere.

Default is all users typing their own password if they're in the admin/wheel group which is the same default as sudo.
Comment 4 onitake 2015-08-05 13:41:32 UTC 
> https://wiki.archlinux.org/index.php/Polkit#Ask_for_root_password

Thank you!

> Polkit is a "replacement" for sudo, it doesn't use sudo anywhere.
> 
> Default is all users typing their own password if they're in the admin/wheel
> group which is the same default as sudo.

Ah, _that_ explains it. Installing sudo and setting it up will have the effect that at least one user is in the wheel group. Oh well.
Comment 5 EMR_Kde 2016-03-12 06:35:42 UTC 
I did an xprop on the window, then manually ran "kdesu ls" kdesu ran as expected, and ran as expected with native sudo.

However the window that showed up when I attempted to change my network settings REQUIRED root instead of [kde]sudo even after the setting in kdesurc. 

From xprop (on the window after attempting to delete a network connection):

WM_NAME(COMPOUND_TEXT) = "System policy prevents modification of network settings for all users – PolicyKit1-KDE"
WM_LOCALE_NAME(STRING) = "en_US.UTF-8"
WM_CLASS(STRING) = "polkit-kde-authentication-agent-1", "Polkit-kde-authentication-agent-1"
WM_HINTS(WM_HINTS):
                Client accepts input or input focus: True
                Initial state is Normal State.
                bitmap id # to use for icon: 0x120001e
                window id # of group leader: 0x1200004
WM_NORMAL_HINTS(WM_SIZE_HINTS):
                program specified minimum size: 423 by 283
                window gravity: NorthWest
WM_CLIENT_MACHINE(STRING) = "ePaq.polywog.org"
WM_COMMAND(STRING) = { "/usr/lib64/kde4/libexec/polkit-kde-authentication-agent-1" }