On 20.11.2011 15:44, Luca Capello wrote: > 1) on a up-to-date sid, both from GNOME or SSH sessions and with the > user in the sudo group, pkexec always fails with "Cannot open > display:" (e.g. for gedit) or "Error: no display specified" (e.g. for > iceweasel). Both gksudo and gksu work with no problem. pkexec does not allow arbitrary X programs to be run as root, you need to enable that explicitly, which is not a problem for packages which use gksudo in their desktop file, They just need to ship a corresponding policy file. See gnome-system-log, how it is implemented there. I would call, not allowing iceweasel to be run as root by default as a feature, tbh. > 2) AFAIK pkexec does not have any time option like sudo. polkit authorizations are either one-time or valid for the life time of the session. > 3) while if you are in the sudo group everything will work as expected, > gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a > showstopper for pkexec to be a *real* gksudo replacement. The interface we decided on was to use group sudo for this purpose. policykit is not sudo, so it should not start parsing sudoers(.d). That said, if you don't want the sudo group for this, you can define your own groups/users, via a configuration snippet like [Configuration] AdminIdentities=unix-user:XXX;unix-group:XXX Imho not a showstopper. It's about the usage of gksu(do) in desktop/menu file and not about generally replacing sudo with policykit. And for this particular purpose it is actually good if we can make certain assumptions. -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Attachment:
signature.asc
Description: OpenPGP digital signature