Bug#649385: policykit-1: pkexec can not open display for GUI programs
Hi there!
I would have preferred to continue the discussions on the single bugs,
so it was documented in the BTS once and for all. Cc:ing #649385, the
first reported bug.

On Sun, 20 Nov 2011 17:36:57 +0100, Michael Biebl wrote:
> On 20.11.2011 15:44, Luca Capello wrote:
>
>> 1) on a up-to-date sid, both from GNOME or SSH sessions and with the
>> user in the sudo group, pkexec always fails with "Cannot open
>> display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
>> iceweasel). Both gksudo and gksu work with no problem.
>
> pkexec does not allow arbitrary X programs to be run as root, you need
> to enable that explicitly, which is not a problem for packages which use
> gksudo in their desktop file, They just need to ship a corresponding
> policy file.
> See gnome-system-log, how it is implemented there.

Thank you for the explanation, but this means that for each and every
package that wants to use pkexec in a gksu(do)-like mode you need to
provide an extra configuration file.

> I would call, not allowing iceweasel to be run as root by default as a
> feature, tbh.

I have never written I want to run iceweasel as root nor that it is a
feature or a bug, I just pointed out another example for the same error,
but with a different output.

>> 2) AFAIK pkexec does not have any time option like sudo.
>
> polkit authorizations are either one-time or valid for the life time of
> the session.

Again, this is different than with gksudo (even for desktop/menu files),
which is why I reported the three bugs considering what you wrote in the
end at:

  <http://lists.debian.org/4EB2E161.2000209%40debian.org>

FWIW, this has been reported as #649386.

>> 3) while if you are in the sudo group everything will work as expected,
>> gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a
>> showstopper for pkexec to be a *real* gksudo replacement.
>
> The interface we decided on was to use group sudo for this purpose.

There is a difference here: with group sudo, you are granting more
access than the ones you get parsing /etc/sudoers* (read below).

FWIW, this has been reported as #649387.

> policykit is not sudo, so it should not start parsing sudoers(.d).

Perfectly fine for me, but IMHO policykit is abusing sudo, given that
with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
grants any privilege to members in the sudo group *without* checking if
this group is actually allowed in /etc/sudoers* (this *is* a bug):

=====
rescue@gismo-sid:~$ groups
rescue cdrom floppy sudo audio dip video plugdev scanner netdev bluetooth
rescue@gismo-sid:~$ sudo ls /
[sudo] password for rescue:
rescue is not in the sudoers file. This incident will be reported.
rescue@gismo-sid:~$ pkexec ls /
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/ls' as the super user
Authenticating as: rescue,,, (rescue)
Password:
==== AUTHENTICATION COMPLETE ===
bin   dev   initrd.img      lib32       media  proc  sbin     sys  var
boot  etc   initrd.img.old  lib64       mnt    root  selinux  tmp  vmlinuz
core  home  lib             lost+found  opt    run   srv      usr  vmlinuz.old
rescue@gismo-sid:~$
=====

> That said, if you don't want the sudo group for this,

It is not about what I do or do not want, sudo != administrator, as
explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
also #600700 for the current real situation):

  sudo

    Members of this group do not need to type their password when using sudo.
    See /usr/share/doc/sudo/OPTIONS.

> It's about the usage of gksu(do) in desktop/menu file and not about
> generally replacing sudo with policykit.

Again, perfectly fine for me: I am sorry if I have misread your words
and I admit I should have used better titles for the bugs. I was
(mainly) interested in using pkexec as a replacement for su-to-root in
an environment which is not a DE, but still imitates how Debian's DEs
work.

Thx, bye,
Gismo / Luca
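
The mismatch shown in the transcript above (a member of group sudo that sudo rejects but pkexec accepts) can be checked offline; the following is an added example, not part of the original thread and not polkit's or Debian's code. It assumes the `[Configuration]` / `AdminIdentities=` key-file format of `localauthority.conf.d`, reads sudoers in a deliberately simplified way, counts only supplementary group members, and runs on constructed sample data; all function names are hypothetical.

```python
import configparser

def admin_identities(conf_files):
    """Last AdminIdentities wins; files are read in lexical order."""
    idents = []
    for name in sorted(conf_files):
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # key names are case-sensitive
        cp.read_string(conf_files[name], source=name)
        if cp.has_option("Configuration", "AdminIdentities"):
            raw = cp.get("Configuration", "AdminIdentities")
            idents = [i.strip() for i in raw.split(";") if i.strip()]
    return idents

def sudoers_principals(text):
    """Simplified: first token of each rule line; no aliases, includes or #uid."""
    users, groups = set(), set()
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith(("#", "@", "Defaults")) or tok[0].endswith("_Alias"):
            continue
        (groups if tok[0].startswith("%") else users).add(tok[0].lstrip("%"))
    return users, groups

def polkit_only_admins(conf_files, group_text, sudoers_text):
    """Users polkit treats as administrators that no sudoers rule covers."""
    members = {}
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) == 4:  # name:passwd:gid:member,member (supplementary only)
            members[f[0]] = set(filter(None, f[3].split(",")))
    s_users, s_groups = sudoers_principals(sudoers_text)
    if "ALL" in s_users:  # a rule for ALL covers every user
        return []
    covered = s_users.union(*(members.get(g, set()) for g in s_groups))
    admins = set()
    for ident in admin_identities(conf_files):
        kind, _, name = ident.partition(":")
        if kind == "unix-user":
            admins.add(name)
        elif kind == "unix-group":
            admins |= members.get(name, set())
    return sorted(admins - covered)

# Constructed sample data modelled on the transcript above (not real files)
CONF = {"50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
        "51-debian-sudo.conf": "[Configuration]\nAdminIdentities=unix-group:sudo\n"}
GROUP = "root:x:0:\nsudo:x:27:rescue\nrescue:x:1000:\n"
SUDOERS = "Defaults env_reset\nroot ALL=(ALL) ALL\n"
```

With the constructed data, `polkit_only_admins(CONF, GROUP, SUDOERS)` returns `['rescue']`; adding a `%sudo` rule to the sudoers text makes the list empty.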
Bug#649385: policykit-1: pkexec can not open display for GUI programs
On 20.11.2011 19:30, Luca Capello wrote:
> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
> grants any privilege to members in the sudo group *without* checking if
> this group is actually allowed in /etc/sudoers* (this *is* a bug):

..

> It is not about what I do or do not want, sudo != administrator, as
> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
> also #600700 for the current real situation):

This was discussed before the squeeze release. We were looking for a
mechanism how we could grant administrative privileges to users (eg. if
installed with a disabled root account).
We decided to use a group for this purpose. I personally favored to use
group "admin", but due to various reasons (similarity to adm, etc) we
finally agreed to use group sudo for that. We, that included the sudo
maintainer.

So, I fail to see how you consider this abusing sudo.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#649385: policykit-1: pkexec can not open display for GUI programs
On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
> > polkit authorizations are either one-time or valid for the life time of
> > the session.
>
> Again, this is different than with gksudo (even for desktop/menu files),
> which is why I reported the three bugs considering what you wrote in the
> end at:
>
> <http://lists.debian.org/4EB2E161.2000209%40debian.org>
>
> FWIW, this has been reported as #649386.

Not being sudo is not a bug. Will you report bugs against sudo for not
having all PolicyKit features?

> > The interface we decided on was to use group sudo for this purpose.
>
> There is a difference here: with group sudo, you are granting more
> access than the ones you get parsing /etc/sudoers* (read below).
>
> FWIW, this has been reported as #649387.

Not parsing the sudo configuration file for a program which is not sudo
is not a bug.

> It is not about what I do or do not want, sudo != administrator, as
> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
> also #600700 for the current real situation):
>
> sudo
>
> Members of this group do not need to type their password when using sudo.
> See /usr/share/doc/sudo/OPTIONS.

Obviously this documentation is incorrect and needs fixing. Could you
file a bug about this?

-- 
 .'`.      Josselin Mouette
: :' :
`. `'
  `-
Bug#649385: policykit-1: pkexec can not open display for GUI programs
Hi there!
On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
> On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>> > polkit authorizations are either one-time or valid for the life time of
>> > the session.
>>
>> Again, this is different than with gksudo (even for desktop/menu files),
>> which is why I reported the three bugs considering what you wrote in the
>> end at:
>>
>> <http://lists.debian.org/4EB2E161.2000209%40debian.org>
>>
>> FWIW, this has been reported as #649386.
>
> Not being sudo is not a bug. Will you report bugs against sudo for not
> having all PolicyKit features?

No, because I was considering PolicyKit as a replacement for gksu(do),
at least in desktop/menu files, as Michael corrected me.

>> > The interface we decided on was to use group sudo for this purpose.
>>
>> There is a difference here: with group sudo, you are granting more
>> access than the ones you get parsing /etc/sudoers* (read below).
>>
>> FWIW, this has been reported as #649387.
>
> Not parsing the sudo configuration file for a program which is not sudo
> is not a bug.

You are right, but still read below my reply to Michael.

>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>>
>> sudo
>>
>> Members of this group do not need to type their password when using sudo.
>> See /usr/share/doc/sudo/OPTIONS.
>
> Obviously this documentation is incorrect and needs fixing. Could you
> file a bug about this?

First, have you checked #600700, as I suggested? And if the current
sudo behavior below WRT PolicyKit is correct (as it seems, I am the only
one complaining), yes, I will be glad to file a bug against base-passwd.

On Sun, 20 Nov 2011 21:01:33 +0100, Michael Biebl wrote:
> On 20.11.2011 19:30, Luca Capello wrote:
>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>> grants any privilege to members in the sudo group *without* checking if
>> this group is actually allowed in /etc/sudoers* (this *is* a bug):

[...]

>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>
> This was discussed before the squeeze release. We were looking for a
> mechanism how we could grant administrative privileges to users (eg. if
> installed with a disabled root account).
> We decided to use a group for this purpose. I personally favored to use
> group "admin", but due to various reasons (similarity to adm, etc) we
> finally agreed to use group sudo for that. We, that included the sudo
> maintainer.
>
> So, I fail to see how you consider this abusing sudo.

Because if a user is in group 'sudo', even if there is no more sudo
package installed, PolicyKit will still grant all permissions to that
user. Which means that I do not consider using a group to grant
administrative privileges to user as abusing sudo, but how PolicyKit
exploits this situation.

Thx, bye,
Gismo / Luca
Bug#649385: policykit-1: pkexec can not open display for GUI programs
On 21.11.2011 00:29, Luca Capello wrote:
> Because if a user is in group 'sudo', even if there is no more sudo
> package installed, PolicyKit will still grant all permissions to that
> user. Which means that I do not consider using a group to grant
> administrative privileges to user as abusing sudo, but how PolicyKit
> exploits this situation.

Sorry, but you are not making sense.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Bug#649385: policykit-1: pkexec can not open display for GUI programs
Hi there!
On Mon, 21 Nov 2011 00:29:06 +0100, Luca Capello wrote:
> On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
>> On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>>> It is not about what I do or do not want, sudo != administrator, as
>>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>>> also #600700 for the current real situation):
>>>
>>> sudo
>>>
>>> Members of this group do not need to type their password when using sudo.
>>> See /usr/share/doc/sudo/OPTIONS.
>>
>> Obviously this documentation is incorrect and needs fixing. Could you
>> file a bug about this?
>
> First, have you checked #600700, as I suggested? And if the current
> sudo behavior below WRT PolicyKit is correct (as it seems, I am the only
> one complaining), yes, I will be glad to file a bug against base-passwd.

Done as #650553.

Thx, bye,
Gismo / Luca