[Pkg-utopia-maintainers] Bug#649385: policykit-1: pkexec can not open display for GUI programs

Luca Capello luca at pca.it
Sun Nov 20 14:44:32 UTC 2011 

Package: policykit-1
Version: 0.102-1
Severity: important
Usertags: pca-authentication

Hi there!

The discussion started at:

  <http://lists.debian.org/4EB2E161.2000209%40debian.org>

On Thu, 03 Nov 2011 19:45:53 +0100, Michael Biebl wrote:
> Am 03.11.2011 19:28, schrieb Luk Claes:
>> On 11/03/2011 07:20 AM, Christian PERRIER wrote:
>> It seems many uses of su-to-root could be replaced by pkexec (package
>> policykit-1), no?
>> 
>> Or is there something wrong with that approach?
>
> Ideally, applications should support policykit natively and split the
> part which requires admin privileges in a small, separate helper binary,
> which controlls the access to it via policykit.
>
> pkexec, similar to gksudo, will run the full application with root
> privileges.
> pkexec has native GUI implementations (providing the authentication
> dialogs) for KDE, gnome-shell and a GTK based interface.
> It also works on the command line.
> pkexec also supports "sudo" mode, i.e. if you add users to the sudo
> group, they will be prompted for their own password instead of the root
> password.
> So it can be considered as a replacement for both gksudo and gksu (and
> all the other su and sudo frontends).

I would say that this is not true ATM, for at least the following
reasons (I will clone this bug for wishlist points 2 and 3 later on):

1) on a up-to-date sid, both from GNOME or SSH sessions and with the
   user in the sudo group, pkexec always fails with "Cannot open
   display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
   iceweasel).  Both gksudo and gksu work with no problem.

2) AFAIK pkexec does not have any time option like sudo.

3) while if you are in the sudo group everything will work as expected,
   gksudo honors /etc/sudoers*, while pkexec does not.  This is IMHO a
   showstopper for pkexec to be a *real* gksudo replacement.

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages policykit-1 depends on:
ii  consolekit             0.4.5-1  
ii  dbus                   1.4.16-1 
ii  libc6                  2.13-21  
ii  libexpat1              2.0.1-7.2
ii  libglib2.0-0           2.30.2-4 
ii  libpam0g               1.1.3-6  
ii  libpolkit-agent-1-0    0.102-1  
ii  libpolkit-backend-1-0  0.102-1  
ii  libpolkit-gobject-1-0  0.102-1  

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20111120/8b5da2fc/attachment.pgp>

More information about the Pkg-utopia-maintainers mailing list