Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1151869 - yumex 3.0.16 requires administrative authentication to start.
Summary: yumex 3.0.16 requires administrative authentication to start.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: yumex
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Tim Lauridsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-12 21:16 UTC by Woi
Modified: 2015-05-08 16:42 UTC (History)
4 users (show)

Fixed In Version: yumex-3.0.17-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-26 12:44:41 UTC
Type: Bug


Attachments (Terms of Use)

Description Woi 2014-10-12 21:16:47 UTC
Description of problem:
Since yumex update from 3.0.15 to 3.0.16 yumex requires administrative authentication to start. Before administrative authentication was only necessary to install and update packages.

Version-Release number of selected component (if applicable):
3.0.16 on Fedora 20

How reproducible:
always 

Steps to Reproduce:
0. With an user in group wheel:
1. Update yumex to 3.0.16
2. Start yumex
3. Notice request for password

Actual results:
yumex requires an password to start 

Expected results:
Administrative authentication is only required to make changes to the system. 

Additional info:
I use yumex for update notifications on XFCE Desktops to allow non-technical users to update their systems on their own.
I use a .desktop file in /etc/xdg/autostart/yumex-update.desktop with the following content:
[...]
Exec=/usr/bin/yumex --start-hidden --update-only --yes
[...]
This is a workaround since the XFCE spin doesn't provide an update notification any more (Because of Fedora moving from Gnome 2 to Gnome 3?)

Comment 1 Tim Lauridsen 2014-10-13 06:51:20 UTC
It is by design, It give a lot of issues to running the yumex backend as non root

if the user cancel a transaction, all selection & pending actions are lot, because we restarted the backend as root, so every thing we done is lost, same issue if there is a problem in the transaction, you could not just deselect the packages with problems and apply again.
You also have to download repository metadata 2 times, one in non-root mode and one in root-mode.
The next generation for yumex based on dnf, also require root access
So I deceided to always start the backend in root mode for solve all these issues.

yumex 4.x will have standalone notification icon, there can check for updates an alert the user without needing to start the yumex gui.

Comment 2 Raphael Groner 2014-10-13 09:42:39 UTC
I can confirm the described behaviour change. Someone suggested in IRC to use a PolicyKit rule to allow general root access for Yumex.

Comment 3 Tim Lauridsen 2014-10-13 12:53:32 UTC
(In reply to Raphael Groner from comment #2)
> I can confirm the described behaviour change. Someone suggested in IRC to
> use a PolicyKit rule to allow general root access for Yumex.

Yes, there are multiple ways to make it possible for a user to run yumex, without 
typing a password.

1. making a Policykit rule
2. using sudo

http://www.yumex.dk/2012/05/running-yumex-without-typing-password.html

warning the PolicyKit rule described in this blog, do not work any longer, because
PolicyKit has change to using JS rules.

Comment 4 Tim Lauridsen 2014-10-13 12:57:01 UTC
this show an exsample of how to do it using the current version of PolicyKit

https://lists.fedoraproject.org/pipermail/users/2013-August/440106.html

Comment 5 Tim Lauridsen 2014-10-13 14:16:15 UTC
I have made this document on how to setup yumex to run without the user is asked for a password.

http://www.yumex.dk/p/yumex-without-password.html

Comment 6 Raphael Groner 2014-10-13 15:38:48 UTC
You could provide the rule file within the yumex package as well as create the (initially empty) yumex group, so that all that is installed by default. The user would have to configure only by simply adding herself to the yumex group, if root password dialog is not wished.

Alternatively, how is it possible to run yumex as a special yumex user that is only allowed to start this foreground yumex process? Not sure if that would again increase any security.

Comment 7 Wolfgang Ulbrich 2014-10-13 15:49:21 UTC
That a unpriveleged user can search for packages but isn't allow to install a package is complete useless and not fair to him.
Also, downloading double yum cache makes old version of yumex complete slow, and it's cost power and time.
In a green world we should save server power.
Think about.......

Comment 8 Tim Lauridsen 2014-10-14 17:57:08 UTC
(In reply to Raphael Groner from comment #6)
> You could provide the rule file within the yumex package as well as create
> the (initially empty) yumex group, so that all that is installed by default.
> The user would have to configure only by simply adding herself to the yumex
> group, if root password dialog is not wished.
> 

Good idea, I have added that upstream.

https://github.com/timlau/yumex/commit/f0c8ef8264c691f31c56d138afbf6782d85fa3c7

Comment 9 Lukas Middendorf 2014-10-16 06:46:09 UTC
Being able to optionally run without root as an ordinary user is useful for systems where the user is not the admin of the system but wants to ask the admin to install a specific package. That way he can search in the repos using yumex and afterwards give the admin specific package names.
Ideally that would also include some easy export of selected package names for sending via email.

Comment 10 Tim Lauridsen 2014-10-16 07:21:40 UTC
(In reply to Lukas Middendorf from comment #9)
> Being able to optionally run without root as an ordinary user is useful for
> systems where the user is not the admin of the system but wants to ask the
> admin to install a specific package. That way he can search in the repos
> using yumex and afterwards give the admin specific package names.
> Ideally that would also include some easy export of selected package names
> for sending via email.

This is not the kind of use yumex is intented for, I was for security reason that yumex was not asking for root access before it was really needed, not to work with a user with limitted rights. It was introduced in yumex 3.0.11, but it introduced a lot of issues, therefor i switch back to the old way of asking for root access from the start. Next release will solve the issues with the user have to enter password to use yumex. 
You use case, running in readonly mode, will need a lot of work, by hidding features there need root access, they should not be show to a user if he cant perform them.
yumex 3.0.x is in bug fix mode only, new features will mostly be done in yumex 4.0.x based on dnf.

You can create an issue for your usecase here:
https://github.com/timlau/yumex-dnf

An I will consider to implement it in a future yumex 4.0.x release.

Comment 11 Wolfgang Ulbrich 2014-10-16 11:55:04 UTC
(In reply to Lukas Middendorf from comment #9)
> Being able to optionally run without root as an ordinary user is useful for
> systems where the user is not the admin of the system but wants to ask the
> admin to install a specific package. That way he can search in the repos
> using yumex and afterwards give the admin specific package names.
> Ideally that would also include some easy export of selected package names
> for sending via email.

For this case a normal user can run 'yum list *<expression-to-search>*' in a terminal. So this function in yumex isn't really needed for this special case.
I mean we are on linux and using a terminal command is not the badest ;)

Comment 12 Lukas Middendorf 2014-10-16 18:47:32 UTC
(In reply to Wolfgang Ulbrich from comment #11)
> For this case a normal user can run 'yum list *<expression-to-search>*' in a
> terminal. So this function in yumex isn't really needed for this special
> case.
> I mean we are on linux and using a terminal command is not the badest ;)

I think the comfortable search for packages (and then displaying the description and content of some of them) is the main advantage of yumex over yum. If that is irrelevant, let's stop development of yumex and drop it from fedora repos. We can all use yum directly instead.

Comment 13 Woi 2014-10-26 13:18:12 UTC
Thx for the answers, especially Raphael and Tim for suggesting and upstreaming a sustainable solution. I wasn't aware of the issues with the backend running as non-root. Getting rid of this issues ads some extra value for me, too. All in all the policykit solution works better for me than before. How ever I prefer users to re-enter their password before changing system settings to make them aware of it. It also adds some security. I'm very happy to hear yumex 4 will fix the backend issues, indicates available updates for normal users and requires a password to apply these updates all at once :)
Is there already a plan when a rpm containing the policykit rule will hit the update-testing repo? I could provide some feedback after installing it of course.
Last but not least in addition to the --update-only option I'd love to see a command line option to preselect all updates. Is this already covered by yumex 4 or do you like me to write an feature request for for this?

Comment 14 Raphael Groner 2014-10-26 14:27:48 UTC
(In reply to Woi from comment #13)
> Thx for the answers, …

I am happy to can help. No problem, you're welcome.

> Is there already a plan when a rpm containing the policykit rule will hit
> the update-testing repo? I could provide some feedback after installing it
> of course.
> Last but not least in addition to the --update-only option I'd love to see a
> command line option to preselect all updates. Is this already covered by
> yumex 4 or do you like me to write an feature request for for this?

You should open another bug report for this feature request. It does not seem to have any relation to the password dialog thingy, does it?

Comment 15 Fedora Update System 2015-04-21 05:27:54 UTC
yumex-3.0.17-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/yumex-3.0.17-1.fc22

Comment 16 Fedora Update System 2015-04-21 05:28:08 UTC
yumex-3.0.17-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/yumex-3.0.17-1.fc21

Comment 17 Fedora Update System 2015-04-21 05:28:15 UTC
yumex-3.0.17-1.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/yumex-3.0.17-1.el7

Comment 18 Wolfgang Ulbrich 2015-04-21 08:07:15 UTC
Beside that yumex-dnf is now in f22, does normal yumex use dnf too in f22 with the redirector package dnf-yum?

Comment 19 Fedora Update System 2015-04-22 05:08:39 UTC
Package yumex-3.0.17-1.el7:
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing yumex-3.0.17-1.el7'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-5908/yumex-3.0.17-1.el7
then log in and leave karma (feedback).

Comment 20 Tim Lauridsen 2015-04-22 05:21:07 UTC
(In reply to Wolfgang Ulbrich from comment #18)
> Beside that yumex-dnf is now in f22, does normal yumex use dnf too in f22
> with the redirector package dnf-yum?

No, yumex uses the yum python api, it is not affected by the changes to the yum cli tool there has been renamed to yum-deprecated.

yumex, will proberly get retired in f23 or f24 an only yumex-dnf will live on

Comment 21 Fedora Update System 2015-04-26 12:44:41 UTC
yumex-3.0.17-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2015-05-01 16:53:09 UTC
yumex-3.0.17-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2015-05-08 16:42:10 UTC
yumex-3.0.17-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.