I installed Debian 12 and defined a user. Now I would like to install other packages as that user. As with Debian 11, a synaptic popup asks for the super user password, but after entering root password I get "Authentification failure". This worked on Debian 11.

I click on "details" but all I see is "Action: com.ubuntu.pkexec.synaptic".

Is there some way on Debian 12 of authorising regular users to use synaptic (provided they know the root password)?

Any hint or suggestion would be very welcome. Roger

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 6 Oct 2024 10:47 +0200, from roger@rogerprice.org (Roger Price):

I installed Debian 12 and defined a user. Now I would like to install other packages as that user. As with Debian 11, a synaptic popup asks for the super user password, but after entering root password I get
"Authentification failure". This worked on Debian 11.

The two obvious things I can think of off the top of my head:

(1) Is your regular user able to sudo? If you're unsure, try something
like `sudo ls /root` in a terminal.

(2) Is it _actually_ asking for the root password? (Sometimes things
want the root password for elevating privileges; sometimes they want
the password of the user taking the action...)

--
Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 6 Oct 2024 10:11:00 +0100
Brad Rogers <brad@fineby.me.uk> wrote:

On Sun, 6 Oct 2024 10:47:05 +0200 (CEST)
Roger Price <roger@rogerprice.org> wrote:

Hello Roger,

I click on "details" but all I see is "Action:
com.ubuntu.pkexec.synaptic".

PolicyKit is installed: you must use the user's password.

My graphical menu calls synaptic-pkexec, and it definitely wants the
root password, and it says so explicitly.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 6 Oct 2024 10:47:05 +0200 (CEST)
Roger Price <roger@rogerprice.org> wrote:

I installed Debian 12 and defined a user. Now I would like to
install other packages as that user. As with Debian 11, a synaptic
popup asks for the super user password, but after entering root
password I get "Authentification failure". This worked on Debian 11.

I click on "details" but all I see is "Action:
com.ubuntu.pkexec.synaptic".

Is there some way on Debian 12 of authorising regular users to use
synaptic (provided they know the root password)?

Any hint or suggestion would be very welcome. Roger

It does work, you have a problem somewhere. I have Debian 12 and
unstable installations, and while I don't use Synaptic generally, I do
know that it works on both systems.

I find Synaptic useful for searching for types of application, and also
on unstable for clearing large dependency problems. But if I know what
package I want installed, or for upgrading, I use apt from a terminal,
which works with sudo credentials whereas Synaptic requires the root
password, as generally does any graphical application needing root
privileges, such as Gparted.

At the moment, assuming you have tested the root password in other
situations and you know it works, I can't help. The default with a
Debian installation is not to permit root login, I don't know how that
affects anything else, but it would be daft to install graphical
software and then not permit root use of it.

One test to try is to open a terminal, issue the su command and give
the root password, and if that is accepted, to give the command /usr/sbin/synaptic to see what happens, and what error messages you get.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 6 Oct 2024 11:24:03 +0100
Brad Rogers <brad@fineby.me.uk> wrote:

On Sun, 6 Oct 2024 10:47:24 +0100
Joe <joe@jretrading.com> wrote:

Hello Joe,

My graphical menu calls synaptic-pkexec, and it definitely wants the

As does mine.

root password, and it says so explicitly.

Here, I get a different result. The requester asks for authentication
but does not specify root password. In fact, using the root password
fails (with the exact same details as Roger described), I *must* use
the user password.

Strange.

Admittedly, I'm on testing, but even when I was using testing before
Debian 12 (Bookworm) was released, I had the same results. That is, I
*had* to enter the user password.

I have the same on bookworm and sid: "Authentication as the super-user
is required to perform this action." And then "Password for root:" to
the left of the text box. Same box for GParted.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Oct 06, 2024 at 11:24:03AM +0100, Brad Rogers wrote:

On Sun, 6 Oct 2024 10:47:24 +0100
Joe <joe@jretrading.com> wrote:

Hello Joe,

My graphical menu calls synaptic-pkexec, and it definitely wants the

As does mine.

root password, and it says so explicitly.

Here, I get a different result. The requester asks for authentication
but does not specify root password. In fact, using the root password
fails (with the exact same details as Roger described), I *must* use the
user password.

Strange.

Not at all. Most probably synaptic is being run via pkexec, part of
PolicyKit.

I ran away from that Rube Goldberg dystopia years ago, so I can't
give a recipe, but at least some hints.

One of the things this Policy Kit does "for" you might be to see
whether you are in the sudoers group, then it might (given some
other details) use sudo to escalate your rights (thus asking you
for your user password) or have to use su (thus asking for the
root password).

There are, of course, many and diverse other ways to configure
Policy Kit, so some investigation will be needed.

My take is that you usually don't make things more secure by making
them more complex. That's why I ran away.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZwJ41gAKCRAFyCz1etHa RvyQAJ4jXN8LW6t/ZxNObCI+qB3sldipPwCdGXCnNHbazd6uxElJTv3U1pUhDiY=
=jrvO
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 6 Oct 2024, Joe wrote:

On Sun, 6 Oct 2024 10:47:05 +0200 (CEST)
Roger Price <roger@rogerprice.org> wrote:

... As with Debian 11, a synaptic
popup asks for the super user password, but after entering root
password I get "Authentification failure". This worked on Debian 11.

One test to try is to open a terminal, issue the su command and give
the root password, and if that is accepted, to give the command /usr/sbin/synaptic to see what happens, and what error messages you get.

Thanks for the hint. I tried "su -c /usr/sbin/synaptic", gave the root password,
and that works. To simplify things I put alias synaptic='su -c /usr/sbin/synaptic' in .bashrc .

I also tried to use sudo to call synaptic and failed:

rprice@maria ~ sudo /usr/sbin/synaptic
[sudo] password for rprice:
rprice is not in the sudoers file.

I see in /etc/sudoers

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

so as root I ran command "usermod -a -G sudo rprice" and checked that /etc/group
contained "sudo:x:27:rprice". I then tried again to call synaptic, with the same result:

rprice@maria ~ sudo /usr/sbin/synaptic
[sudo] password for rprice:
rprice is not in the sudoers file.

The %sudo line in /etc/sudoers has no effect. Is there some other incantation needed in /etc/sudoers ?

Roger

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Oct 06, 2024 at 13:34:01 +0200, Roger Price wrote:

I also tried to use sudo to call synaptic and failed:

rprice@maria ~ sudo /usr/sbin/synaptic
[sudo] password for rprice:
rprice is not in the sudoers file.

I see in /etc/sudoers

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

so as root I ran command "usermod -a -G sudo rprice" and checked that /etc/group contained "sudo:x:27:rprice". I then tried again to call synaptic, with the same result:

rprice@maria ~ sudo /usr/sbin/synaptic
[sudo] password for rprice:
rprice is not in the sudoers file.

The %sudo line in /etc/sudoers has no effect. Is there some other
incantation needed in /etc/sudoers ?

You need to log out and back in, or at least start a new authentication
session as yourself, to pick up the new group memberships.

Run the "id" command with no arguments to see your current group
memberships. You'll see that "sudo" is not one of them.

Now try "su - rprice" to open a new session as yourself, in the same
terminal. In this new session, if you run "id" with no arguments,
you should see the sudo group listed.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 6 Oct 2024, Greg Wooledge wrote:

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

The %sudo line in /etc/sudoers has no effect. Is there some other
incantation needed in /etc/sudoers ?

You need to log out and back in, or at least start a new authentication session as yourself, to pick up the new group memberships.

I logged out and back in. Command "sudo /usr/sbin/synaptic" called for my own password, and now works correctly.

Run the "id" command with no arguments to see your current group memberships. You'll see that "sudo" is not one of them.

I found that if I then tried "id rprice" I could see "sudo".

Now try "su - rprice" to open a new session as yourself, in the same terminal. In this new session, if you run "id" with no arguments,
you should see the sudo group listed.

Confirmed!

Thanks, Roger

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Oct 06, 2024 at 15:50:59 +0200, Roger Price wrote:

On Sun, 6 Oct 2024, Greg Wooledge wrote:

Run the "id" command with no arguments to see your current group memberships. You'll see that "sudo" is not one of them.

I found that if I then tried "id rprice" I could see "sudo".

Yes. "id" with no arguments shows the privileges of the currently running process (whatever id inherits its privileges from, in this case a shell). Running id with a username argument shows the privileges a theoretical
login session opened for that user would have.

Both are useful, but you have to understand that they both exist and
have very different behaviors.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 07/10/2024 15:07, Bruno Schneider wrote:

On Sun, Oct 6, 2024 at 10:51 AM Roger Price wrote:

I logged out and back in. Command "sudo /usr/sbin/synaptic" called for my own
password, and now works correctly.

It is unclear if the Synaptic desktop icon is now working for you.

I'm using a recent install of Debian 13 (testing) and I remember that Synaptic would not start using the desktop icon. I remember changing something on /usr/share/applications/synaptic.desktop and it started
working. I think it was the Exec parameter. It is now
"Exec=synaptic-pkexec", and it's working.

It works for me using a VM Trixie under VirtualBox - with KDE as the
Desktop.

For information, Synaptic is a very slow starter (over 30 seconds) in
this environment.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.

On Mon, 7 Oct 2024, Bruno Schneider wrote:

On Sun, Oct 6, 2024 at 10:51 AM Roger Price wrote:

I logged out and back in. Command "sudo /usr/sbin/synaptic" called for my own
password, and now works correctly.

It is unclear if the Synaptic desktop icon is now working for you.

The desktop icon now works for me as a simple user. I give my own password. Roger

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)