[Pkg-utopia-maintainers] Bug#649385: policykit-1: pkexec can not open display for GUI programs
Luca Capello
luca at pca.it
Sun Nov 20 18:30:18 UTC 2011
Hi there!
I would have preferred to continue the discussions on the single bugs,
so it was documented in the BTS once and for all. Cc:ing #649385, the
first reported bug.
On Sun, 20 Nov 2011 17:36:57 +0100, Michael Biebl wrote:
> On 20.11.2011 15:44, Luca Capello wrote:
>
>> 1) on an up-to-date sid, both from GNOME or SSH sessions and with the
>> user in the sudo group, pkexec always fails with "Cannot open
>> display:" (e.g. for gedit) or "Error: no display specified" (e.g. for
>> iceweasel). Both gksudo and gksu work with no problem.
>
> pkexec does not allow arbitrary X programs to be run as root, you need
> to enable that explicitly, which is not a problem for packages which use
> gksudo in their desktop file. They just need to ship a corresponding
> policy file.
> See gnome-system-log, how it is implemented there.
Thank you for the explanation, but this means that for each and every
package that wants to use pkexec in a gksu(do)-like mode you need to
provide an extra configuration file.
> I would call, not allowing iceweasel to be run as root by default as a
> feature, tbh.
I have never written that I want to run iceweasel as root nor that it is a
feature or a bug, I just pointed out another example for the same error,
but with a different output.
>> 2) AFAIK pkexec does not have any time option like sudo.
>
> polkit authorizations are either one-time or valid for the lifetime of
> the session.
Again, this is different than with gksudo (even for desktop/menu files),
which is why I reported the three bugs considering what you wrote in the
end at:
<http://lists.debian.org/4EB2E161.2000209%40debian.org>
FWIW, this has been reported as #649386.
>> 3) while if you are in the sudo group everything will work as expected,
>> gksudo honors /etc/sudoers*, while pkexec does not. This is IMHO a
>> showstopper for pkexec to be a *real* gksudo replacement.
>
> The interface we decided on was to use group sudo for this purpose.
There is a difference here: with group sudo, you are granting more
access than the ones you get parsing /etc/sudoers* (read below).
FWIW, this has been reported as #649387.
> policykit is not sudo, so it should not start parsing sudoers(.d).
Perfectly fine for me, but IMHO policykit is abusing sudo, given that
with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
grants any privilege to members in the sudo group *without* checking if
this group is actually allowed in /etc/sudoers* (this *is* a bug):
=====
rescue@gismo-sid:~$ groups
rescue cdrom floppy sudo audio dip video plugdev scanner netdev bluetooth
rescue@gismo-sid:~$ sudo ls /
[sudo] password for rescue:
rescue is not in the sudoers file. This incident will be reported.
rescue@gismo-sid:~$ pkexec ls /
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/ls' as the super user
Authenticating as: rescue,,, (rescue)
Password:
==== AUTHENTICATION COMPLETE ===
bin dev initrd.img lib32 media proc sbin sys var
boot etc initrd.img.old lib64 mnt root selinux tmp vmlinuz
core home lib lost+found opt run srv usr vmlinuz.old
rescue@gismo-sid:~$
=====
> That said, if you don't want the sudo group for this,
It is not about what I do or do not want, sudo != administrator, as
explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
also #600700 for the current real situation):
sudo
Members of this group do not need to type their password when using sudo.
See /usr/share/doc/sudo/OPTIONS.
> It's about the usage of gksu(do) in desktop/menu file and not about
> generally replacing sudo with policykit.
Again, perfectly fine for me: I am sorry if I have misread your words
and I admit I should have used better titles for the bugs. I was
(mainly) interested in using pkexec as a replacement for su-to-root in
an environment which is not a DE, but still imitates how Debian's DEs
work.
Thx, bye,
Gismo / Luca
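
The mismatch shown in the session above, written as a check (an added example, not part of the original message and not code from polkit or sudo): it compares the identities a localauthority `.conf` file lists under `AdminIdentities` with the principals that have a rule in sudoers text. The sample file contents are constructed, `AdminIdentities=unix-group:sudo` is assumed to be what 51-debian-sudo.conf sets, and the sudoers parsing covers only simple single-principal rules (no aliases or includes).

```python
import re

# Constructed sample inputs (assumptions, not taken from the message).
POLKIT_CONF = """\
[Configuration]
AdminIdentities=unix-group:sudo
"""
SUDOERS_WITHOUT_GROUP = """\
Defaults env_reset
root ALL=(ALL) ALL
"""
SUDOERS_WITH_GROUP = SUDOERS_WITHOUT_GROUP + "%sudo ALL=(ALL) ALL\n"


def polkit_admin_identities(conf_text):
    """Return (kind, name) pairs from AdminIdentities in a localauthority .conf file."""
    idents = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("AdminIdentities="):
            idents = []  # in this sketch the last assignment wins
            for item in line.split("=", 1)[1].split(";"):
                m = re.fullmatch(r"unix-(user|group):(\S+)", item.strip())
                if m:
                    idents.append((m.group(1), m.group(2)))
    return idents


def sudoers_principals(sudoers_text):
    """Return (kind, name) pairs for simple 'user' / '%group' rules in sudoers text."""
    found = set()
    for line in sudoers_text.splitlines():
        line = line.strip()
        # Skip blanks, comments, include directives, Defaults and alias definitions.
        if not line or line[0] in "#@" or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        who = line.split()[0]
        found.add(("group", who[1:]) if who.startswith("%") else ("user", who))
    return found


def polkit_only_admins(conf_text, sudoers_text):
    """Identities polkit treats as administrators that have no sudoers rule."""
    allowed = sudoers_principals(sudoers_text)
    return [i for i in polkit_admin_identities(conf_text) if i not in allowed]


if __name__ == "__main__":
    for label, sudoers in (("no %sudo rule", SUDOERS_WITHOUT_GROUP), ("%sudo rule", SUDOERS_WITH_GROUP)):
        print(label, "->", polkit_only_admins(POLKIT_CONF, sudoers))
```

A non-empty result corresponds to the situation in the session: group membership is enough for pkexec while sudo refuses the same user.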