[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#649385: policykit-1: pkexec can not open display for GUI programs

On 20.11.2011 15:44, Luca Capello wrote:

> 1) on a up-to-date sid, both from GNOME or SSH sessions and with the
>    user in the sudo group, pkexec always fails with "Cannot open
>    display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
>    iceweasel).  Both gksudo and gksu work with no problem.

pkexec does not allow arbitrary X programs to be run as root, you need
to enable that explicitly, which is not a problem for packages which use
gksudo in their desktop file, They just need to ship a corresponding
policy file.
See gnome-system-log, how it is implemented there.
I would call, not allowing iceweasel to be run as root by default as a
feature, tbh.

> 2) AFAIK pkexec does not have any time option like sudo.

polkit authorizations are either one-time or valid for the life time of
the session.

> 3) while if you are in the sudo group everything will work as expected,
>    gksudo honors /etc/sudoers*, while pkexec does not.  This is IMHO a
>    showstopper for pkexec to be a *real* gksudo replacement.

The interface we decided on was to use group sudo for this purpose.
policykit is not sudo, so it should not start parsing sudoers(.d).
That said, if you don't want the sudo group for this, you can define
your own groups/users, via a configuration snippet like

Imho not a showstopper.

It's about the usage of gksu(do) in desktop/menu file and not about
generally replacing sudo with policykit.
And for this particular purpose it is actually good if we can make
certain assumptions.

Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: