FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 11-20-2011, 01:44 PM
Luca Capello
 
Default Bug#649385: policykit-1: pkexec can not open display for GUI programs

Package: policykit-1
Version: 0.102-1
Severity: important
Usertags: pca-authentication

Hi there!

The discussion started at:

<http://lists.debian.org/4EB2E161.2000209%40debian.org>

On Thu, 03 Nov 2011 19:45:53 +0100, Michael Biebl wrote:
> Am 03.11.2011 19:28, schrieb Luk Claes:
>> On 11/03/2011 07:20 AM, Christian PERRIER wrote:
>> It seems many uses of su-to-root could be replaced by pkexec (package
>> policykit-1), no?
>>
>> Or is there something wrong with that approach?
>
> Ideally, applications should support policykit natively and split the
> part which requires admin privileges in a small, separate helper binary,
> which controlls the access to it via policykit.
>
> pkexec, similar to gksudo, will run the full application with root
> privileges.
> pkexec has native GUI implementations (providing the authentication
> dialogs) for KDE, gnome-shell and a GTK based interface.
> It also works on the command line.
> pkexec also supports "sudo" mode, i.e. if you add users to the sudo
> group, they will be prompted for their own password instead of the root
> password.
> So it can be considered as a replacement for both gksudo and gksu (and
> all the other su and sudo frontends).

I would say that this is not true ATM, for at least the following
reasons (I will clone this bug for wishlist points 2 and 3 later on):

1) on a up-to-date sid, both from GNOME or SSH sessions and with the
user in the sudo group, pkexec always fails with "Cannot open
display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
iceweasel). Both gksudo and gksu work with no problem.

2) AFAIK pkexec does not have any time option like sudo.

3) while if you are in the sudo group everything will work as expected,
gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a
showstopper for pkexec to be a *real* gksudo replacement.

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages policykit-1 depends on:
ii consolekit 0.4.5-1
ii dbus 1.4.16-1
ii libc6 2.13-21
ii libexpat1 2.0.1-7.2
ii libglib2.0-0 2.30.2-4
ii libpam0g 1.1.3-6
ii libpolkit-agent-1-0 0.102-1
ii libpolkit-backend-1-0 0.102-1
ii libpolkit-gobject-1-0 0.102-1

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information
 
Old 11-20-2011, 03:36 PM
Michael Biebl
 
Default Bug#649385: policykit-1: pkexec can not open display for GUI programs

On 20.11.2011 15:44, Luca Capello wrote:

> 1) on a up-to-date sid, both from GNOME or SSH sessions and with the
> user in the sudo group, pkexec always fails with "Cannot open
> display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
> iceweasel). Both gksudo and gksu work with no problem.

pkexec does not allow arbitrary X programs to be run as root, you need
to enable that explicitly, which is not a problem for packages which use
gksudo in their desktop file, They just need to ship a corresponding
policy file.
See gnome-system-log, how it is implemented there.
I would call, not allowing iceweasel to be run as root by default as a
feature, tbh.

> 2) AFAIK pkexec does not have any time option like sudo.

polkit authorizations are either one-time or valid for the life time of
the session.

> 3) while if you are in the sudo group everything will work as expected,
> gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a
> showstopper for pkexec to be a *real* gksudo replacement.

The interface we decided on was to use group sudo for this purpose.
policykit is not sudo, so it should not start parsing sudoers(.d).
That said, if you don't want the sudo group for this, you can define
your own groups/users, via a configuration snippet like
[Configuration]
AdminIdentities=unix-user:XXX;unix-group:XXX

Imho not a showstopper.

It's about the usage of gksu(do) in desktop/menu file and not about
generally replacing sudo with policykit.
And for this particular purpose it is actually good if we can make
certain assumptions.

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
 

Thread Tools




All times are GMT. The time now is 08:24 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org