[Pkg-utopia-maintainers] Bug#649385: Bug#649385: policykit-1: pkexec can not open display for GUI programs

Luca Capello luca at pca.it
Sun Nov 20 23:29:06 UTC 2011


Hi there!

On Sun, 20 Nov 2011 23:10:17 +0100, Josselin Mouette wrote:
> On Sunday, 20 November 2011 at 19:30 +0100, Luca Capello wrote:
>> > polkit authorizations are either one-time or valid for the life time of
>> > the session.
>> 
>> Again, this is different than with gksudo (even for desktop/menu files),
>> which is why I reported the three bugs considering what you wrote in the
>> end at:
>> 
>>   <http://lists.debian.org/4EB2E161.2000209%40debian.org>
>> 
>> FWIW, this has been reported as #649386.
>
> Not being sudo is not a bug. Will you report bugs against sudo for not
> having all PolicyKit features?

No, because I was considering PolicyKit as a replacement for gksu(do),
at least in desktop/menu files, as Michael corrected me.

>> > The interface we decided on was to use group sudo for this purpose.
>> 
>> There is a difference here: with group sudo, you are granting more
>> access than the ones you get parsing /etc/sudoers* (read below).
>> 
>> FWIW, this has been reported as #649387.
>
> Not parsing the sudo configuration file for a program which is not sudo
> is not a bug.

You are right, but still read below my reply to Michael.

>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>> 
>>   sudo
>> 
>>     Members of this group do not need to type their password when using sudo.
>>     See /usr/share/doc/sudo/OPTIONS.
>
> Obviously this documentation is incorrect and needs fixing. Could you
> file a bug about this?

First, have you checked #600700, as I suggested?  And if the current
sudo behavior below WRT PolicyKit is correct (as it seems, I am the only
one complaining), yes, I will be glad to file a bug against base-passwd.

On Sun, 20 Nov 2011 21:01:33 +0100, Michael Biebl wrote:
> On 20.11.2011 19:30, Luca Capello wrote:
>> Perfectly fine for me, but IMHO policykit is abusing sudo, given that
>> with /etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf pkexec
>> grants any privilege to members in the sudo group *without* checking if
>> this group is actually allowed in /etc/sudoers* (this *is* a bug):
[...]
>> It is not about what I do or do not want, sudo != administrator, as
>> explained in /usr/share/doc/base-passwd/users-and-groups.txt.gz (but see
>> also #600700 for the current real situation):
>
> This was discussed before the squeeze release. We were looking for a
> mechanism how we could grant administrative privileges to users (eg. if
> installed with a disabled root account).
> We decided to use a group for this purpose. I personally favored to use
> group "admin", but due to various reasons (similarity to adm, etc) we
> finally agreed to use group sudo for that. We, that included the sudo
> maintainer.
>
> So, I fail to see how you consider this abusing sudo.

Because if a user is in group 'sudo', even if there is no more sudo
package installed, PolicyKit will still grant all permissions to that
user.  Which means that I do not consider using a group to grant
administrative privileges to users as abusing sudo, but how PolicyKit
exploits this situation.

Thx, bye,
Gismo / Luca
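
Added example, not part of the original message and not code from the polkit or sudo packages: an audit sketch that lists users who are PolicyKit administrators through a group for which /etc/sudoers has no active rule, the gap discussed in this thread. It assumes the `AdminIdentities` key of the localauthority configuration files, with lexically later files overriding earlier ones; the file contents, user names and the simplified sudoers parsing are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_CONF = {
    "50-localauthority.conf": "[Configuration]\nAdminIdentities=unix-user:0\n",
    "51-debian-sudo.conf": "[Configuration]\nAdminIdentities=unix-group:sudo\n",
}
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice,bob\nusers:x:100:carol\n"
SAMPLE_SUDOERS = "root ALL=(ALL:ALL) ALL\n# %sudo ALL=(ALL:ALL) ALL\n"

def polkit_admin_groups(conf_files):
    """Unix groups polkit treats as administrators; lexically later files win."""
    identities = []
    for name in sorted(conf_files):
        for line in conf_files[name].splitlines():
            if line.strip().startswith("AdminIdentities="):
                value = line.split("=", 1)[1].strip()
                identities = [i for i in value.split(";") if i]
    return [i.split(":", 1)[1] for i in identities if i.startswith("unix-group:")]

def group_members(group_text):
    """Parse /etc/group-style text into {group: members}; primary GIDs are ignored."""
    groups = {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            groups[parts[0]] = sorted(m for m in parts[3].split(",") if m)
    return groups

def sudoers_groups(sudoers_text):
    """Groups with an active %group rule; aliases and include files are not followed."""
    return {m.group(1) for m in re.finditer(r"(?m)^\s*%([\w.-]+)\s", sudoers_text)}

def polkit_only_admins(conf_files, group_text, sudoers_text):
    """Map user -> groups that make them a polkit admin without any sudoers rule."""
    members, covered, result = group_members(group_text), sudoers_groups(sudoers_text), {}
    for group in polkit_admin_groups(conf_files):
        if group not in covered:
            for user in members.get(group, []):
                result.setdefault(user, []).append(group)
    return result

if __name__ == "__main__":
    for user, groups in polkit_only_admins(SAMPLE_CONF, SAMPLE_GROUP, SAMPLE_SUDOERS).items():
        print(f"{user}: polkit admin via {groups}, no matching sudoers rule")
```

On a real system the three inputs would be read from /etc/polkit-1/localauthority.conf.d/, /etc/group and /etc/sudoers; an empty result means every polkit admin group also has a sudoers rule.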