This affects version 0.99.1 of the package, and probably previous versions as well. When a KDE program asks for root permissions via the polkit-kde-authentication-agent-1 dialog, it will always ask for the user password, even if "Defaults rootpw" is set in /etc/sudoers. Having sudo ask for the root password instead can improve security and help prevent accidentally elevating privileges. These benefits are lost if any authentication dialog does not honor the respective setting, however. As I understand, the dialog will ask for the root password if it cannot find sudo installed on the system, but using su exclusively has certain drawbacks. sudo with the rootpw option is much more versatile. Please fix the authentication dialog (or policykit) in a way that it respects "Defaults rootpw".
polkit isn't anything to do with sudo.
If that is the case, then please explain to me why the authentication agent is asking for my user password when sudo is installed and in use. If sudo is not available, the KDE auth agent will request the superuser password instead. Perhaps this is Debian specific and handled by PAM or something else, but as far as my preferences are concerned, the KDE polkit auth agent is doing the wrong thing, and this is a security issue. Is there a way to instruct the agent to always ask for the root password?
>Is there a way to instruct the agent to always ask for the root password? Sure. https://wiki.archlinux.org/index.php/Polkit#Ask_for_root_password ^obviously that's Arch, but it applies nonetheless. Polkit is a "replacement" for sudo, it doesn't use sudo anywhere. Default is all users typing their own password if they're in the admin/wheel group which is the same default as sudo.
> https://wiki.archlinux.org/index.php/Polkit#Ask_for_root_password Thank you! > Polkit is a "replacement" for sudo, it doesn't use sudo anywhere. > > Default is all users typing their own password if they're in the admin/wheel > group which is the same default as sudo. Ah, _that_ explains it. Installing sudo and setting it up will have the effect that at least one user is in the wheel group. Oh well.
I did an xprop on the window, then manually ran "kdesu ls" kdesu ran as expected, and ran as expected with native sudo. However the window that showed up when I attempted to change my network settings REQUIRED root instead of [kde]sudo even after the setting in kdesurc. From xprop (on the window after attempting to delete a network connection): WM_NAME(COMPOUND_TEXT) = "System policy prevents modification of network settings for all users – PolicyKit1-KDE" WM_LOCALE_NAME(STRING) = "en_US.UTF-8" WM_CLASS(STRING) = "polkit-kde-authentication-agent-1", "Polkit-kde-authentication-agent-1" WM_HINTS(WM_HINTS): Client accepts input or input focus: True Initial state is Normal State. bitmap id # to use for icon: 0x120001e window id # of group leader: 0x1200004 WM_NORMAL_HINTS(WM_SIZE_HINTS): program specified minimum size: 423 by 283 window gravity: NorthWest WM_CLIENT_MACHINE(STRING) = "ePaq.polywog.org" WM_COMMAND(STRING) = { "/usr/lib64/kde4/libexec/polkit-kde-authentication-agent-1" }