Hi there! I would have preferred to continue the discussions on the single bugs, so it was documented in the BTS once and for all. Cc:ing #649385, the first reported bug. On Sun, 20 Nov 2011 17:36:57 +0100, Michael Biebl wrote: > On 20.11.2011 15:44, Luca Capello wrote: > >> 1) on a up-to-date sid, both from GNOME or SSH sessions and with the >> user in the sudo group, pkexec always fails with "Cannot open >> display:" (e.g. for gedit) or "Error: no display specified" (e.g. for >> iceweasel). Both gksudo and gksu work with no problem. > > pkexec does not allow arbitrary X programs to be run as root, you need > to enable that explicitly, which is not a problem for packages which use > gksudo in their desktop file, They just need to ship a corresponding > policy file. > See gnome-system-log, how it is implemented there. Thank you for the explanation, but this means that for each and every package that wants to use pkexec in a gksu(do)-like mode you need to provide an extra configuration file. > I would call, not allowing iceweasel to be run as root by default as a > feature, tbh. I have never wrote I want to run iceweasel as root nor that it is a feature or a bug, I just pointed out another example for the same error, but with a different output. >> 2) AFAIK pkexec does not have any time option like sudo. > > polkit authorizations are either one-time or valid for the life time of > the session. Again, this is different than with gksudo (even for desktop/menu files), which is why I reported the three bugs considering what you wrote in the end at: <http://lists.debian.org/4EB2E161.2000209%40debian.org> FWIW, this has been reported as #649386. >> 3) while if you are in the sudo group everything will work as expected, >> gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a >> showstopper for pkexec to be a *real* gksudo replacement. > > The interface we decided on was to use group sudo for this purpose. There is a difference here: with group sudo, you are granting more access than the ones you get parsing /etc/sudoers* (read below). FWIW, this has been reported as #649387. > policykit is not sudo, so it should not start parsing sudoers(.d). Perfectly fine for me, but IMHO policykit is abusing sudo, given that with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec grants any privilege to members in the sudo group *without* checking if this group is actually allowed in /etc/sudoers* (this *is* a bug): ===== rescue@gismo-sid:~$ groups rescue cdrom floppy sudo audio dip video plugdev scanner netdev bluetooth rescue@gismo-sid:~$ sudo ls / [sudo] password for rescue: rescue is not in the sudoers file. This incident will be reported. rescue@gismo-sid:~$ pkexec ls / ==== AUTHENTICATING FOR org.freedesktop.policykit.exec === Authentication is needed to run `/bin/ls' as the super user Authenticating as: rescue,,, (rescue) Password: ==== AUTHENTICATION COMPLETE === bin dev initrd.img lib32 media proc sbin sys var boot etc initrd.img.old lib64 mnt root selinux tmp vmlinuz core home lib lost+found opt run srv usr vmlinuz.old rescue@gismo-sid:~$ ===== > That said, if you don't want the sudo group for this, It is not about what I do or do not want, sudo != administrator, as explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see also #600700 for the current real situation): sudo Members of this group do not need to type their password when using sudo. See /usr/share/doc/sudo/OPTIONS. > It's about the usage of gksu(do) in desktop/menu file and not about > generally replacing sudo with policykit. Again, perfectly fine for me: I am sorry if I have misread your words and I admit I should have used better titles for the bugs. I was (mainly) interested in using pkexec as a replacement for su-to-root in an environment which is not a DE, but still imitates how Debian's DEs work. Thx, bye, Gismo / Luca
Attachment:
pgpkWDeaN9NA2.pgp
Description: PGP signature