Inconsistent permissions for dnf install

Question

Why do I not need to install as root when the shell "guesses" the package I need to execute a command?

For example:

(cseymour) : ~ $ dnf install rogue
Error: This command has to be run under the root user.
(cseymour) : ~ $ rogue
bash: rogue: command not found...
Install package 'rogue' to provide command 'rogue'? [N/y] y


 * Waiting in queue... 
The following packages have to be installed:
 rogue-5.4.5-19.fc24.x86_64 The original graphical adventure game
Proceed with changes? [N/y] y


 * Waiting in queue... 
 * Waiting for authentication... 
 * Waiting in queue... 
 * Downloading packages... 
 * Requesting data... 
 * Testing changes... 
 * Installing packages...

and so on, successfully installing the package without requiring root password.

score 2 · Accepted Answer · answered Nov 01 '16 at 19:56

2

There is small package PackageKit-command-not-found installed in Fedora, that makes this happen. The policy is configured in /etc/PackageKit/CommandNotFound.conf.

The authentication is done using PolicyKit (over D-bus), where you already granted installation of new package using PackageKit GUI. The respective file is usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules allowing to install packages for locally logged in users in wheel group:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.packagekit.package-install" &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
});

If you are not satisfied with this behaviour, you can always uninstall this package (dnf remove PackageKit-command-not-found) and the packages will not get installed automatically.

answered Nov 01 '16 at 19:56

Jakuje

10,032
5
33
34

Thanks so much! Given this is installed by default, why is it that dnf deems to use a password request rather than something similar? Are these differing behaviours intentional? – csey Nov 01 '16 at 20:22
Because `dnf` is not `PackageKit` and the rule above is only for PackageKit. DNF is standard command-line tool, that needs `root` privileges, but PackageKit is using authentication using D-Bus and *some* backend already running as a root. – Jakuje Nov 01 '16 at 20:24
1

@csey I agree that it's inconsistent. You can also install software without a password using the GNOME Software GUI tool. I think it's mostly just that the behavior which we decided is okay for command-not-found and GUI installs is to install packages from already-configured repos. Since Fedora in general avoids activating services simply on installation, the risk of this is fairly low. On the other hand, DNF can do a lot of other things, many of them dangerous. – mattdm Nov 02 '16 at 18:54
@mattdm thank you for the addition and background, which I was missing (still only few years around Fedora). I will add it to the answer or you can edit it in, since it can be interesting also for others. – Jakuje Nov 02 '16 at 18:57

Inconsistent permissions for dnf install

1 Answers1