
Re: sudo in X-environment -- polkit solution



On Sun, May 4, 2014 at 11:08 AM, Osamu Aoki <osamu@debian.org> wrote:
> On Sat, May 03, 2014 at 12:43:17PM +0200, Ralf Mardorf wrote:
>> On Sat, 2014-05-03 at 06:29 -0400, Tom H wrote:


> I am wondering why you even need to use a wrapper explicitly?

That's why I've said that I consider using a wrapper for gksu/gksudo a bug.


>>> Thanks. As I said earlier, I consider this a bug. What's the point of
>>> using gksu/gksudo if you have to use a wrapper that you could use
>>> around su/sudo?
>
> If I type "system-config-printer" to my user shell, I get GUI running
> with root privilege :-)

Sure. But that's because dbus and polkit are doing all the work for
you in the background. :)


>>> Maybe pkexec is the solution?
>
> Yes.

I was just trying to nudge Ralf in the right direction. :)

There are many people who doubt sudo and even more who doubt pkexec/polkit...


> Did you add yourself as a member of "sudo" group?
> https://www.debian.org/doc/manuals/debian-reference/ch04.en.html#_policykit
> 4.6.2. PolicyKit
>
> PolicyKit is an operating system component for controlling system-wide
> privileges in Unix-like operating systems.
>
> Newer GUI applications are not designed to run as privileged processes.
> They talk to privileged processes via PolicyKit to perform
> administrative operations.
>
> PolicyKit limits such operations to user accounts belonging to the sudo
> group on the Debian system.
>
> I think this is helping me :-)

It is in general, but not in the system-config-printer case. AIUI,
dbus and policykit allow anyone to launch the app. I don't have a
printer to test whether an unprivileged user can set up and use it.


> (The above text may be obsoleted soon by logind.)

AFAIK systemd's replaced consolekit but isn't encroaching on policykit
territory.

