remote invocation via SSH #129

Open
peter-gsellmann opened this issue Feb 8, 2019 · 11 comments
@peter-gsellmann

peter-gsellmann commented Feb 8, 2019

I do `ssh -X fedora29machine dnfdragora` and select one or more packages to install.
When I 'apply', the transaction preview pops up, then 'ok', but nothing is installed.

When I do the same on the local screen, a login prompt pops up and the transaction succeeds.
This login prompt is missing in the remote use case.

When I do `ssh fedora29machine dnf -y install popt-devel` it succeeds, because I am in the wheel group with NOPASSWD set.

The old yumex-dnf had an option 'run backend with sudo' so I can do
`ssh -X oldmachine yumex` and install packages as I want.

Is it planned to make this use case possible with dnfdragora as well?

Addendum 2019-02-12:
The following comes from stdout/stderr:

```
not in cache
User pressed cancel button in policykit window
dnfdaemon client AccessDeniedError: Session is not authorized (36)
```

Is there any env variable I can set to get more detailed output?

@anaselli
Collaborator

anaselli commented Feb 8, 2019

It should be related to dnfdaemon iirc, @Conan-Kudo what do you think?

@Conan-Kudo
Member

I don't know how yumex-dnf enabled that model, but at least from the dnfdaemon side, it should be possible, provided you have a working CLI polkit agent. From the output shown here, it sounds like you don't?

@anaselli
Collaborator

Just a question: with `ssh -X ...`, did you run dnfdragora using X (so Qt or Gtk?) or the ncurses one?

@peter-gsellmann
Author

> Just a question: with `ssh -X ...`, did you run dnfdragora using X (so Qt or Gtk?) or the ncurses one?

Invoking dnfdragora without the options `--qt`, `--gtk`, `--ncurses` does the same as `ssh -X fedora29machine dnfdragora --qt`.
For some unknown reason, `ssh -X fedora29machine dnfdragora --gtk` opens its main window somewhere I cannot see it (it is not shown on my local screen).
Invoking `ssh -X fedora29machine dnfdragora --ncurses` also cannot apply any change.

@blackcrack

blackcrack commented Apr 23, 2019

Note:
(Normally you should also use IP numbers .. and .. ssh X forwarding should also be enabled, so you only need to start an ssh connection to the engine and the X forwarding should be included .. (I don't like the sudo thing.. bah..) and from there you can use "screen" for a multitask sh/bash
and by the way, ncurses.. for that you have dnf for working with the packages ..
the dnfdrake, ehh, dnfdragora is just a GUI for it ..
best regards
Blacky )
Did I say this is just a note? *s*

And by the way.. @anaselli, I wish for a sambaconfig for Christmas *looking like a cat/dog/guinea pig with big eyes* pleeeeeaaasseee

@peter-gsellmann
Author

> I don't know how yumex-dnf enabled that model, but at least from the dnfdaemon side, it should be possible, provided you have a working CLI polkit agent. From the output shown here, it sounds like you don't?

I have no idea what a 'CLI polkit agent' is for. Is this another layer of authentication on top of the usual sudo/sudoers/wheel method?

If yes, I would like to get rid of it.

@anaselli
Collaborator

anaselli commented Apr 23, 2019

> Invoking dnfdragora without the options `--qt`, `--gtk`, `--ncurses` does the same as `ssh -X fedora29machine dnfdragora --qt`.

Yes, usually Qt is the default, but it depends on display availability (I mean X). Honestly I haven't found that issue when using X forwarding... but only when using ncurses, that's why rights escalation is granted by an extra dialog (for user or root password) that cannot run over the ncurses main one (i.e. dnfdragora).

> Invoking `ssh -X fedora29machine dnfdragora --ncurses` also cannot apply any change.

For the reason I gave above.
If you often use dnfdragora through ssh, maybe you can add a polkit configuration for the dnfdragora command, so that it is run as root in those cases, or just ssh and then run it with sudo... but as said, that should be for ncurses, I don't know why also for Qt and Gtk... I need to test it, maybe using Fedora this time, to investigate better...

@blackcrack

blackcrack commented Apr 23, 2019

@peter-gsellmann, this is something like a command-line (CLI) policy kit, something like a "firewall" for internal files..
so doubly coupled in view of safety and security in the operating system .. to the outside.. or so.. if I am right.. where I have opened a port I have also enabled this port by CLI polkit or something for it to work..
if I am right .. I had to do this on Fedora .. I guess the SSL port for Apache or so.. it was a while ago but I will maybe do this in the near future too.. if I go away from OpenMandriva.. :\ (no draktools.. terrible, this.. :\ )
and yes, ssh is better, with X forwarding.. and if you add a "&" behind the command you have the possibility to keep working at the command prompt.. behind the opened dnfdragora
so :|| dnfdragora& [enter/return]

With "sudo passwd root" you can set a root password; later you can go in as root with this:
"su -"; the "-" says do it with all variables from root, without "-" it's only the command prompt without root's variables ..
and with "su username" or "su - username" you can use the user's cmd prompt
as root you do not need to enter the user's password .. ;)
so, have fun..

best
Blacky

@peter-gsellmann
Author

> If you often use dnfdragora through ssh, maybe you can add a polkit configuration for the dnfdragora command, so that...

Are we approaching a solution?
What does a 'polkit configuration' for this use case look like?

@peter-gsellmann
Author

With the hint about the 'polkit' daemon I was able to find the solution:

On the target system, create the file `/etc/polkit-1/rules.d/49-nopasswd_global.rules` with the following content:

```javascript
/* Allow members of the wheel group to execute any actions
 * without password authentication, similar to "sudo NOPASSWD:"
 */
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
```

Copied from: ArchWiki

It would be very helpful if this or a more specific file could be included in the RPM.

@Conan-Kudo
Member

For security reasons, this will not be included in the package, but you are free to configure your system accordingly.
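
Added example (not part of the thread and not dnfdragora or dnfdaemon code): the wheel-wide rule posted above next to a variant limited to one action-id prefix, evaluated under Node.js against a stand-in `polkit` object. The prefix `org.example.pkgdaemon.` is a hypothetical placeholder and the subjects and action list are constructed; the real action ids on a target system are listed by `pkaction`.

```javascript
// Stand-in for the object polkitd provides to rules files, so this runs under Node.
const polkit = { Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" } };

// Hypothetical placeholder: replace with the package daemon's real action-id prefix.
const PKG_ACTION_PREFIX = "org.example.pkgdaemon.";

// The rule from the thread: YES for every action when the subject is in wheel.
function wheelGlobalRule(action, subject) {
    if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
}

// Narrower variant: same group test, but only for the package daemon's actions.
function wheelPackageRule(action, subject) {
    if (action.id.indexOf(PKG_ACTION_PREFIX) === 0 && subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
    // No return value: polkit moves on to later rules and the action's defaults.
}

// Constructed subject exposing the one method the rules call.
function makeSubject(user, groups) {
    return { user, isInGroup: (g) => groups.includes(g) };
}

// Returns the rule's decision, or null when the rule does not handle the action.
function decide(rule, actionId, subject) {
    const result = rule({ id: actionId }, subject);
    return result === undefined ? null : result;
}

// Constructed sample: one package action plus two unrelated privileged actions.
const SAMPLE_ACTIONS = [
    PKG_ACTION_PREFIX + "write",
    "org.freedesktop.policykit.exec",
    "org.freedesktop.systemd1.manage-units",
];

// One row per action showing what each rule grants to the given subject.
function compareRules(subject) {
    return SAMPLE_ACTIONS.map((id) => ({
        action: id,
        global: decide(wheelGlobalRule, id, subject),
        scoped: decide(wheelPackageRule, id, subject),
    }));
}

console.table(compareRules(makeSubject("alice", ["wheel"])));
```

In an actual rules file the narrower function would be registered with `polkit.addRule(wheelPackageRule)`; only the package action then skips the password prompt, while the other actions keep their default authorization.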
