
Luca Capello 11-20-2011 05:30 PM

Bug#649385: policykit-1: pkexec can not open display for GUI programs
 
Hi there!

I would have preferred to continue the discussions on the single bugs,
so it was documented in the BTS once and for all. Cc:ing #649385, the
first reported bug.

On Sun, 20 Nov 2011 17:36:57 +0100, Michael Biebl wrote:
> On 20.11.2011 15:44, Luca Capello wrote:
>
>> 1) on an up-to-date sid, both from GNOME or SSH sessions and with the
>> user in the sudo group, pkexec always fails with "Cannot open
>> display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
>> iceweasel). Both gksudo and gksu work with no problem.
>
> pkexec does not allow arbitrary X programs to be run as root, you need
> to enable that explicitly, which is not a problem for packages which use
> gksudo in their desktop file. They just need to ship a corresponding
> policy file.
> See gnome-system-log, how it is implemented there.

Thank you for the explanation, but this means that for each and every
package that wants to use pkexec in a gksu(do)-like mode you need to
provide an extra configuration file.

> I would call, not allowing iceweasel to be run as root by default as a
> feature, tbh.

I have never written I want to run iceweasel as root nor that it is a
feature or a bug, I just pointed out another example for the same error,
but with a different output.

>> 2) AFAIK pkexec does not have any time option like sudo.
>
> polkit authorizations are either one-time or valid for the life time of
> the session.

Again, this is different than with gksudo (even for desktop/menu files),
which is why I reported the three bugs considering what you wrote in the
end at:

<http://lists.debian.org/4EB2E161.2000209%40debian.org>

FWIW, this has been reported as #649386.

>> 3) while if you are in the sudo group everything will work as expected,
>> gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a
>> showstopper for pkexec to be a *real* gksudo replacement.
>
> The interface we decided on was to use group sudo for this purpose.

There is a difference here: with group sudo, you are granting more
access than the ones you get parsing /etc/sudoers* (read below).

FWIW, this has been reported as #649387.

> policykit is not sudo, so it should not start parsing sudoers(.d).

Perfectly fine for me, but IMHO policykit is abusing sudo, given that
with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
grants any privilege to members in the sudo group *without* checking if
this group is actually allowed in /etc/sudoers* (this *is* a bug):
=====
rescue@gismo-sid:~$ groups
rescue cdrom floppy sudo audio dip video plugdev scanner netdev bluetooth

rescue@gismo-sid:~$ sudo ls /
[sudo] password for rescue:
rescue is not in the sudoers file. This incident will be reported.

rescue@gismo-sid:~$ pkexec ls /
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/ls' as the super user
Authenticating as: rescue,,, (rescue)
Password:
==== AUTHENTICATION COMPLETE ===
bin dev initrd.img lib32 media proc sbin sys var
boot etc initrd.img.old lib64 mnt root selinux tmp vmlinuz
core home lib lost+found opt run srv usr vmlinuz.old

rescue@gismo-sid:~$
=====

> That said, if you don't want the sudo group for this,

It is not about what I do or do not want, sudo != administrator, as
explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
also #600700 for the current real situation):

sudo

Members of this group do not need to type their password when using sudo.
See /usr/share/doc/sudo/OPTIONS.

> It's about the usage of gksu(do) in desktop/menu file and not about
> generally replacing sudo with policykit.

Again, perfectly fine for me: I am sorry if I have misread your words
and I admit I should have used better titles for the bugs. I was
(mainly) interested in using pkexec as a replacement for su-to-root in
an environment which is not a DE, but still imitates how Debian's DEs
work.

Thx, bye,
Gismo / Luca
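
The mismatch shown in the message above (a member of group sudo whom sudo refuses but pkexec accepts) can be checked for mechanically. The following is an added example, not part of the original thread or of policykit-1: the function names are hypothetical, the sample file contents are constructed, it assumes the localauthority.conf.d key-file format with an AdminIdentities key where the lexically last file wins, and it parses only simple "%group host=..." sudoers lines (no aliases or includes).

```python
import configparser
import re

# Constructed sample inputs mirroring the setup in the thread (not copied from a real host).
SAMPLE_CONF = {
    "50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "51-debian-sudo.conf": "[Configuration]\nAdminIdentities=unix-group:sudo\n",
}
SAMPLE_SUDOERS = "root ALL=(ALL) ALL\n# %sudo ALL=(ALL) ALL\n"
SAMPLE_GROUPS = ["rescue", "cdrom", "floppy", "sudo", "audio", "dip", "video"]

# Simplified: matches "%group host = ..." rules only; aliases and includes are ignored.
SUDOERS_GROUP_RULE = re.compile(r"^\s*%([A-Za-z0-9_.-]+)\s+\S+\s*=")


def polkit_admin_groups(conf_files):
    """Return the unix groups polkit treats as administrators.

    conf_files maps file name -> text. Files apply in lexical order and a
    later AdminIdentities value replaces an earlier one (assumed semantics).
    """
    identities = []
    for name in sorted(conf_files):
        parser = configparser.ConfigParser(interpolation=None)
        parser.optionxform = str  # keep key case as written
        parser.read_string(conf_files[name], source=name)
        if parser.has_option("Configuration", "AdminIdentities"):
            raw = parser.get("Configuration", "AdminIdentities")
            identities = [i.strip() for i in raw.split(";") if i.strip()]
    return {i.split(":", 1)[1] for i in identities if i.startswith("unix-group:")}


def sudoers_groups(sudoers_text):
    """Return groups that have at least one active (uncommented) sudoers rule."""
    found = set()
    for line in sudoers_text.splitlines():
        match = SUDOERS_GROUP_RULE.match(line)
        if match:
            found.add(match.group(1))
    return found


def admin_only_via_polkit(conf_files, sudoers_text, user_groups):
    """Groups of the user that polkit treats as admin but sudoers does not list."""
    gap = polkit_admin_groups(conf_files) - sudoers_groups(sudoers_text)
    return sorted(gap & set(user_groups))


if __name__ == "__main__":
    print(admin_only_via_polkit(SAMPLE_CONF, SAMPLE_SUDOERS, SAMPLE_GROUPS))
```

On a real system the inputs would be the files under /etc/polkit-1/localauthority.conf.d/, the sudoers text, and the output of `groups` for the account being reviewed.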

Michael Biebl 11-20-2011 07:01 PM

Bug#649385: policykit-1: pkexec can not open display for GUI programs
 
On 20.11.2011 19:30, Luca Capello wrote:
> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
> grants any privilege to members in the sudo group *without* checking if
> this group is actually allowed in /etc/sudoers* (this *is* a bug):

..


> It is not about what I do or do not want, sudo != administrator, as
> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
> also #600700 for the current real situation):

This was discussed before the squeeze release. We were looking for a
mechanism how we could grant administrative privileges to users (eg. if
installed with a disabled root account).
We decided to use a group for this purpose. I personally favored to use
group "admin", but due to various reasons (similarity to adm, etc) we
finally agreed to use group sudo for that. We, that included the sudo
maintainer.

So, I fail to see how you consider this abusing sudo.

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Josselin Mouette 11-20-2011 09:10 PM

Bug#649385: policykit-1: pkexec can not open display for GUI programs
 
On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
> > polkit authorizations are either one-time or valid for the life time of
> > the session.
>
> Again, this is different than with gksudo (even for desktop/menu files),
> which is why I reported the three bugs considering what you wrote in the
> end at:
>
> <http://lists.debian.org/4EB2E161.2000209%40debian.org>
>
> FWIW, this has been reported as #649386.

Not being sudo is not a bug. Will you report bugs against sudo for not
having all PolicyKit features?

> > The interface we decided on was to use group sudo for this purpose.
>
> There is a difference here: with group sudo, you are granting more
> access than the ones you get parsing /etc/sudoers* (read below).
>
> FWIW, this has been reported as #649387.

Not parsing the sudo configuration file for a program which is not sudo
is not a bug.

> It is not about what I do or do not want, sudo != administrator, as
> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
> also #600700 for the current real situation):
>
> sudo
>
> Members of this group do not need to type their password when using sudo.
> See /usr/share/doc/sudo/OPTIONS.

Obviously this documentation is incorrect and needs fixing. Could you
file a bug about this?

--
.'`. Josselin Mouette
: :' :
`. `'
`-

Luca Capello 11-20-2011 10:29 PM

Bug#649385: policykit-1: pkexec can not open display for GUI programs
 
Hi there!

On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
> On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>> > polkit authorizations are either one-time or valid for the life time of
>> > the session.
>>
>> Again, this is different than with gksudo (even for desktop/menu files),
>> which is why I reported the three bugs considering what you wrote in the
>> end at:
>>
>> <http://lists.debian.org/4EB2E161.2000209%40debian.org>
>>
>> FWIW, this has been reported as #649386.
>
> Not being sudo is not a bug. Will you report bugs against sudo for not
> having all PolicyKit features?

No, because I was considering PolicyKit as a replacement for gksu(do),
at least in desktop/menu files, as Michael corrected me.

>> > The interface we decided on was to use group sudo for this purpose.
>>
>> There is a difference here: with group sudo, you are granting more
>> access than the ones you get parsing /etc/sudoers* (read below).
>>
>> FWIW, this has been reported as #649387.
>
> Not parsing the sudo configuration file for a program which is not sudo
> is not a bug.

You are right, but still read below my reply to Michael.

>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>>
>> sudo
>>
>> Members of this group do not need to type their password when using sudo.
>> See /usr/share/doc/sudo/OPTIONS.
>
> Obviously this documentation is incorrect and needs fixing. Could you
> file a bug about this?

First, have you checked #600700, as I suggested? And if the current
sudo behavior below WRT PolicyKit is correct (as it seems, I am the only
one complaining), yes, I will be glad to file a bug against base-passwd.

On Sun, 20 Nov 2011 21:01:33 +0100, Michael Biebl wrote:
> On 20.11.2011 19:30, Luca Capello wrote:
>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>> grants any privilege to members in the sudo group *without* checking if
>> this group is actually allowed in /etc/sudoers* (this *is* a bug):
[...]
>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>
> This was discussed before the squeeze release. We were looking for a
> mechanism how we could grant administrative privileges to users (eg. if
> installed with a disabled root account).
> We decided to use a group for this purpose. I personally favored to use
> group "admin", but due to various reasons (similarity to adm, etc) we
> finally agreed to use group sudo for that. We, that included the sudo
> maintainer.
>
> So, I fail to see how you consider this abusing sudo.

Because if a user is in group 'sudo', even if there is no more sudo
package installed, PolicyKit will still grant all permissions to that
user. Which means that I do not consider using a group to grant
administrative privileges to user as abusing sudo, but how PolicyKit
exploits this situation.

Thx, bye,
Gismo / Luca

Michael Biebl 11-20-2011 10:54 PM

Bug#649385: policykit-1: pkexec can not open display for GUI programs
 
On 21.11.2011 00:29, Luca Capello wrote:
> Because if a user is in group 'sudo', even if there is no more sudo
> package installed, PolicyKit will still grant all permissions to that
> user. Which means that I do not consider using a group to grant
> administrative privileges to user as abusing sudo, but how PolicyKit
> exploits this situation.

Sorry, but you are not making sense.


--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Luca Capello 11-30-2011 07:16 PM

Bug#649385: policykit-1: pkexec can not open display for GUI programs
 
Hi there!

On Mon, 21 Nov 2011 00:29:06 +0100, Luca Capello wrote:
> On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
>> On Sunday 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>>> It is not about what I do or do not want, sudo != administrator, as
>>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>>> also #600700 for the current real situation):
>>>
>>> sudo
>>>
>>> Members of this group do not need to type their password when using sudo.
>>> See /usr/share/doc/sudo/OPTIONS.
>>
>> Obviously this documentation is incorrect and needs fixing. Could you
>> file a bug about this?
>
> First, have you checked #600700, as I suggested? And if the current
> sudo behavior below WRT PolicyKit is correct (as it seems, I am the only
> one complaining), yes, I will be glad to file a bug against base-passwd.

Done as #650553.

Thx, bye,
Gismo / Luca

