On Thu, 03 Nov 2011 19:45:53 +0100, Michael Biebl wrote:
> On 03.11.2011 19:28, Luk Claes wrote:
>> On 11/03/2011 07:20 AM, Christian PERRIER wrote:
>> It seems many uses of su-to-root could be replaced by pkexec (package
>> policykit-1), no?
>> Or is there something wrong with that approach?
> Ideally, applications should support policykit natively and split the
> part which requires admin privileges in a small, separate helper binary,
> which controls the access to it via policykit.
> pkexec, similar to gksudo, will run the full application with root
> pkexec has native GUI implementations (providing the authentication
> dialogs) for KDE, gnome-shell and a GTK based interface.
> It also works on the command line.
> pkexec also supports "sudo" mode, i.e. if you add users to the sudo
> group, they will be prompted for their own password instead of the root
> So it can be considered as a replacement for both gksudo and gksu (and
> all the other su and sudo frontends).
I would say that this is not true ATM, for at least the following
reasons (I will clone this bug for wishlist points 2 and 3 later on):
1) on an up-to-date sid, both from GNOME or SSH sessions and with the
user in the sudo group, pkexec always fails with "Cannot open
display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
iceweasel). Both gksudo and gksu work with no problem.
2) AFAIK pkexec does not have any time option like sudo.
3) while if you are in the sudo group everything will work as expected,
gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a
showstopper for pkexec to be a *real* gksudo replacement.
Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages policykit-1 depends on:
ii consolekit 0.4.5-1
ii dbus 1.4.16-1
ii libc6 2.13-21
ii libexpat1 2.0.1-7.2
ii libglib2.0-0 2.30.2-4
ii libpam0g 1.1.3-6
ii libpolkit-agent-1-0 0.102-1
ii libpolkit-backend-1-0 0.102-1
ii libpolkit-gobject-1-0 0.102-1
policykit-1 recommends no packages.
policykit-1 suggests no packages.
-- no debconf information
11-20-2011, 04:36 PM
Bug#649385: policykit-1: pkexec can not open display for GUI programs
On 20.11.2011 15:44, Luca Capello wrote:
> 1) on an up-to-date sid, both from GNOME or SSH sessions and with the
> user in the sudo group, pkexec always fails with "Cannot open
> display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
> iceweasel). Both gksudo and gksu work with no problem.
pkexec does not allow arbitrary X programs to be run as root, you need
to enable that explicitly, which is not a problem for packages which use
gksudo in their desktop file. They just need to ship a corresponding
See gnome-system-log, how it is implemented there.
I would call, not allowing iceweasel to be run as root by default as a
> 2) AFAIK pkexec does not have any time option like sudo.
polkit authorizations are either one-time or valid for the lifetime of
> 3) while if you are in the sudo group everything will work as expected,
> gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a
> showstopper for pkexec to be a *real* gksudo replacement.
The interface we decided on was to use group sudo for this purpose.
policykit is not sudo, so it should not start parsing sudoers(.d).
That said, if you don't want the sudo group for this, you can define
your own groups/users, via a configuration snippet like
Imho not a showstopper.
It's about the usage of gksu(do) in desktop/menu file and not about
generally replacing sudo with policykit.
And for this particular purpose it is actually good if we can make
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
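
The reply above says that X programs have to be enabled for pkexec explicitly. As an added example (not code from this thread or from the polkit project), the following Python sketch audits polkit action files for the two pkexec annotations, `org.freedesktop.policykit.exec.path` and `org.freedesktop.policykit.exec.allow_gui`, so an administrator can see which programs are allowed to run as root with access to the user's display. The sample policy, its action ids and its program paths are constructed for illustration.

```python
import glob
import xml.etree.ElementTree as ET

EXEC_PATH = "org.freedesktop.policykit.exec.path"
ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"

# Constructed sample; the action ids and program paths are hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.pkexec.log-viewer">
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-log-viewer</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="org.example.pkexec.helper">
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/example/helper</annotate>
  </action>
</policyconfig>"""

def audit_policy(xml_data):
    """Return one record per action that names a program for pkexec."""
    records = []
    for action in ET.fromstring(xml_data).iter("action"):
        notes = {a.get("key"): (a.text or "").strip()
                 for a in action.findall("annotate")}
        if EXEC_PATH not in notes:
            continue  # action is not tied to a pkexec program
        records.append({
            "id": action.get("id"),
            "path": notes[EXEC_PATH],
            # pkexec keeps DISPLAY/XAUTHORITY only if this value is non-empty
            "allow_gui": bool(notes.get(ALLOW_GUI)),
            "allow_active": (action.findtext("defaults/allow_active") or "").strip(),
        })
    return records

if __name__ == "__main__":
    for rec in audit_policy(SAMPLE_POLICY):
        print("sample:", rec)
    # On a real system, list installed actions that grant GUI access as root.
    for name in glob.glob("/usr/share/polkit-1/actions/*.policy"):
        with open(name, "rb") as fh:
            for rec in audit_policy(fh.read()):
                if rec["allow_gui"]:
                    print(name, rec["id"], rec["path"], rec["allow_active"])
```

Actions reported with `allow_gui` set and a permissive `allow_active` value are the ones worth reviewing first, since they run a full X program as root.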