ricardomv / snapper-gui

GUI for snapper, a tool for Linux filesystem snapshot management, works with btrfs, ext4 and thin-provisioned LVM volumes
GNU General Public License v2.0

Add polkit support with pkexec and xhost? #46

Open osamuaoki opened 3 years ago

osamuaoki commented 3 years ago

When I started it from the GUI desktop icon in the user GUI session on a recent testing distribution of Debian running GNOME on Wayland, snapper-gui didn't list all the snapshots. To see the problem, I did the following from a terminal emulator.

$ snapper-gui
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/snappergui/mainWindow.py", line 203, in on_main_destroy
    for snapshot in snapper.ListSnapshots(config[0]):
  File "/usr/lib/python3/dist-packages/dbus/proxies.py", line 141, in __call__
    return self._connection.call_blocking(self._named_service,
  File "/usr/lib/python3/dist-packages/dbus/connection.py", line 652, in call_blocking
    reply_message = self.send_message_with_reply_and_block(
dbus.exceptions.DBusException: error.no_permissions: org.freedesktop.DBus.Error.Failed
$

Looks like a permission issue here. So I tried it with sudo and it works fine.

$ sudo snapper-gui
$

I am not sure if this is expected behavior or a Debian package issue.

But it would be nice if snapper-gui, as upstream, did a similar trick to what gparted did with GParted 0.30.0 (2017-10-10):

  This release provides an interim workaround to allow GParted to run
  under Wayland by using xhost to grant and revoke root access to the
  X11 display.  This must be enabled while building the software with:

      ./configure --enable-xhost-root

  Pkexec from polkit has been made the first choice graphical SU
  program as all the desktops have settled on using polkit as the
  privileged access mechanism.  See "Installing polkit's Action File"
  section in the README file for when an additional installation step
  may be needed.

  Also changed is that execution of the graphical SU program has been
  moved from gparted.desktop to the gparted shell wrapper.  Therefore
  gparted can be run either by an unprivileged user or by root and as
  such is installed in $prefix/bin rather than $prefix/sbin.  This
  additionally means distributions can drop their pkexec scripts used
  to launch gparted.

Source is at https://gitlab.gnome.org/GNOME/gparted/

imthenachoman commented 1 year ago

I agree. I think it would be rocking if snapper-gui came with a polkit policy to run as root.

rickysarraf commented 1 year ago

You should not run it as root. snapper-gui talks to the snapper daemon. And the snapper daemon has it all for what a normal user would need. Check the user ACL section in snapper.

imthenachoman commented 1 year ago

Hurmph. This didn't work for me which is why I thought I still needed to run as root. Let me debug.

pmorch commented 12 months ago

Thanks. After messing with this a little, snapper-gui indeed does work as my non-root user peter.

http://snapper.io/manpages/snapper.html#permissions could be a little clearer...

I first made sure to set up ALLOW_USERS and SYNC_ACL:

$ sudo egrep '^(ALLOW_USERS|SYNC)' /etc/snapper/configs/*

/etc/snapper/configs/home:ALLOW_USERS="peter"
/etc/snapper/configs/home:SYNC_ACL="yes"
/etc/snapper/configs/root:ALLOW_USERS="peter"
/etc/snapper/configs/root:SYNC_ACL="yes"

then allow access to the snapshot directories:

$ sudo chmod a+rx /home/.snapshots /.snapshots

That did it for me. (I don't remember if I had to run snapper one last time as root)

The + after the permissions indicates extended permissions or ACLs, which were created by snapper after the first snapper operation:

$ ls -ld /.snapshots /home/.snapshots 

drwxr-xr-x+ 1 root root 118 Sep 10 08:00 /home/.snapshots
drwxr-xr-x+ 1 root root 148 Sep 10 08:00 /.snapshots

(I think) that if these commands work as non-root, snapper-gui will too:

$ snapper -c root ls
$ snapper -c home ls
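
An added example, not part of any comment in this thread and not snapper's or snapper-gui's own code: a small audit of the ALLOW_USERS and SYNC_ACL settings discussed above, matching user names as whole entries (the egrep shown earlier would also match a line that only lists "peterson"). The function names and the sample configs are constructed for illustration; it covers only the config-file step, not the permissions on the .snapshots directories.

```shell
#!/bin/sh
# Added example (not from the thread): check which snapper configs list a user
# in ALLOW_USERS and have SYNC_ACL="yes". The files are parsed as text, never
# sourced, so a config cannot run code in the auditing shell.

# Print the value of KEY ($2) from a KEY="value" line in file $1 (last one wins).
snapper_cfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Succeed only if user $2 is a whole entry in the space-separated ALLOW_USERS.
# The body is a subshell so that set -f and the loop variable stay local.
snapper_user_listed() (
    set -f
    for u in $(snapper_cfg_get "$1" ALLOW_USERS); do
        [ "$u" = "$2" ] && exit 0
    done
    exit 1
)

# One status line per config file: ok, not-listed or no-sync-acl.
# $1 = user, $2 = config directory (defaults to /etc/snapper/configs).
snapper_audit() {
    for f in "${2:-/etc/snapper/configs}"/*; do
        [ -f "$f" ] || continue
        if ! snapper_user_listed "$f" "$1"; then
            echo "${f##*/}: not-listed"
        elif [ "$(snapper_cfg_get "$f" SYNC_ACL)" != "yes" ]; then
            echo "${f##*/}: no-sync-acl"
        else
            echo "${f##*/}: ok"
        fi
    done
}

# Constructed sample configs (not real system files) for an offline run.
snapper_audit_demo() (
    d=$(mktemp -d) || exit 1
    printf 'ALLOW_USERS="peter"\nSYNC_ACL="yes"\n' > "$d/home"
    printf 'ALLOW_USERS="alice peterson"\nSYNC_ACL="yes"\n' > "$d/root"
    printf 'ALLOW_USERS="peter"\nSYNC_ACL="no"\n' > "$d/data"
    snapper_audit peter "$d"; rc=$?
    rm -rf "$d"
    exit $rc
)

snapper_audit_demo
```

On a real system, `snapper_audit peter` reads /etc/snapper/configs, which may itself need root to read, as the sudo in the egrep command above suggests.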