Debian User Forums

Posted: **2019-10-31 01:35**

Here, here NFT5 !

For real, it's your OS, we're all free to setup and config in a way that works best for each of us. One of the many great things about Debian and gnu/Linux period. How many years did all these people who are flipping out and self righteously strutting around shaking fingers at people use gksu/do ? How many times did it blow up their computer(s) or kill them etc ?

Like I said some folks here clearly need to get over themselves. Don't remember any vote in which any of these dudes were elected the grand imperial poobah or high mucky muck over anyone else on this forum.

Also just for the record Bulkley and NFT5, what Wizard10k if referring too is the fact that every display manager other than GDM = (gnome display manager of course)starts the X process as root. Pop open a terminal on your system and watch in "top". It'll show who owns the process, if its root, it'll say it.

Note: I know lightdm does, I don't even have a DM anyway, really don't care if the X process is running as root regardless. Though w/o a DM, the Xorg process is running under my user. It's been awhile so not 100% all DM's other than GDM do so either. Oh well, life goes on fellow nixers.

Posted: **2019-10-31 04:02**

pcalvert wrote:What about using su-to-root instead of gksu, like this?:
Code: Select all
su-to-root -X -c <application>

Nope.

Code: Select all

chris@BOSSDESK:~$ su-to-root -X -c dolphin
kdesu(13194)/kdesu (kdelibs) KDESu::PtyProcess::exec: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/process.cpp : 293 ]  Running "/usr/bin/su"
kdesu(13194)/kdesu (kdelibs) KDESu::SuProcess::ConverseSU: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/su.cpp : 259 ]  Read line "Password: "
kdesu(13194)/kdesu (kdelibs) KDESu::PtyProcess::exec: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/process.cpp : 293 ]  Running "/usr/bin/su"
kdesu(13194)/kdesu (kdelibs) KDESu::SuProcess::ConverseSU: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/su.cpp : 259 ]  Read line "Password: "
kdesu(13194)/kdesu (kdelibs) KDESu::PtyProcess::WaitSlave: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/process.cpp : 379 ]  Child pid 13199
kdesu(13194)/kdesu (kdelibs) KDESu::SuProcess::ConverseSU: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/su.cpp : 259 ]  Read line ""
kdesu(13194)/kdesu (kdelibs) KDESu::SuProcess::ConverseSU: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/su.cpp : 259 ]  Read line "kdesu_stub"
kdesu(13194)/kdesu (kdelibs) KDESu::PtyProcess::exec: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/process.cpp : 293 ]  Running "/usr/bin/su"
kdesu(13194)/kdesu (kdelibs) KDESu::SuProcess::ConverseSU: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/su.cpp : 259 ]  Read line "Password: "
kdesu(13194)/kdesu (kdelibs) KDESu::PtyProcess::WaitSlave: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/process.cpp : 379 ]  Child pid 13202
kdesu(13194)/kdesu (kdelibs) KDESu::SuProcess::ConverseSU: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/su.cpp : 259 ]  Read line ""
kdesu(13194)/kdesu (kdelibs) KDESu::SuProcess::ConverseSU: [ /build/kde4libs-5CvfXW/kde4libs-4.14.38/kdesu/su.cpp : 259 ]  Read line "kdesu_stub"

Posted: **2019-10-31 04:23**

Public apology, sorry Sunrat, have no idea why I read what you'd said and interpreted it so harshly. What you'd typed was nowhere near as big a reprimand as I was taking it to be and so ended up lashing out. Sorry fellow nixer ...

Had just gotten done successfully following a tute to do something I was wanting and was popping in to report it and share a link about it. Seen this thread and went cyber berserk ! Though do stand by some of what I'd typed, not directed @ you/Sunrat. Some folks do come off as pretty friggin arrogant in how they treat others, it's belittling in the way they seem to assume oh you're new, therefor you're stupid, can't read, couldn't possibly know how to do competent research etc etc etc. So you just be a good widdle dumbarse and don't touch anything or push any buttons kay ?

It's friggin software, wish life were like gnu/Linux, take a few precautions, enter a few commands and it's fresh start, do over. Not like the world hangs in the balance if someone newbish to gnu/Nix breaks an install. Personally think breaking stuff can be a great learning tool. Though saving time and CYB = covering your butt by learning a working backup/restore method can definitely help. You get to break more stuff, in less time thataway.

Posted: **2019-10-31 07:21**

Apology accepted.
Over the years we've had possibly hundreds of posts where people have added the wrong repos and hacked things they shouldn't have hacked. It's very hard to support and best not to encourage it.

Posted: **2019-10-31 07:38**

^ Nn worries definitely see where you're coming from fellow nixer. The gnu/Nix gawds punished me for being an overly sensitive ahole, the project I'd thought had succeeded, while works is not right. So it's back to the drawing board. Dratz ! Running on coffee fumes here.

Posted: **2019-10-31 09:48**

Bulkley wrote:Not me. I don't even use sudo. I still use su (although I have added the -) when I need to use access root.

Are you running X using a display manager that's not GDM? If so, X is running under the root account. This is the reason I quit using display managers

Posted: **2019-10-31 12:44**

wizard10000 wrote:
... If so, X is running under the root account. This is the reason I quit using display managers

Why is that so 'wrong' now in buster, but was perfectly acceptable in all previous Debian releases?

Posted: **2019-10-31 15:04**

wizard10000 wrote:Are you running X using a display manager that's not GDM? If so, X is running under the root account. This is the reason I quit using display managers

I don't use a display manager. I log in with sx (alias for startx). That's one more thing I haven't been able to do with Buster.

BTW, I use Openbox with Tint2 and keep this thing as simple as possible. I get to listen to music or radio, watch video, play games and do any office stuff I need. It all works so I see no pressing need to change it. I suppose this is the good enough syndrome that frustrates those who make new stuff.

Posted: **2019-10-31 15:42**

Bulkley wrote:BTW, I use Openbox with Tint2 and keep this thing as simple as possible.

Same. openbox just works

Posted: **2019-10-31 17:05**

anticapitalista wrote:
wizard10000 wrote:
... If so, X is running under the root account. This is the reason I quit using display managers
Why is that so 'wrong' now in buster, but was perfectly acceptable in all previous Debian releases?

It was never acceptable, rootless X is a major improvement.

Posted: **2019-10-31 17:13**

Deb-fan wrote:
^ That will open a copy of the file in gedit as your normal user and only invoke root (via gvfs) to save the file.
Keep having to ask myself, what the hades am I missing here ?!?!?

Using a graphical editor with sudo, gksu{,do} or su-to-root runs the whole application with root privileges for the entire time it is open, that's why it's such a bad idea. Any bugs in the program or the underlying graphics stack will be exposed with elevated permissions.

Posted: **2019-10-31 23:26**

^ Don't get me wrong I get that, that aspect of it is perfectly clear. Still don't really see much of a benefit and plenty of possible gotcha's and doors left open regardless of what they try to implement. Folks can still run anything as root, truth be told using sudo seldom caused any issues when was new to gnu/Nix and never would if someone used the right flags, at least I don't think it would.

The couple times I did end up messing up file ownership, took all of 20mins to learn what the problem was and the simple fix of chown'ing it back. Another reason newbish folks may want to keep a root account around. Obviously I've elected to keep using gksu, thing will likely remain working fine for the life of Buster if I want to use it and for now I do. Mentioned in previous posts, I've used the dang thing for 8 or so years now without problems. Figure doing so awhile longer isn't going to cause harm.

More pointless observations about this nonsense: How long do people tend to leave file-managers running as root normally ? I mean generally if I've launched thunar/etc with priv's it means I'm actively doing something which requires priv's to get done. Not like people just leave one running 24/7 and if they do that's their preference and risk. Though keeping it real, someone could easily enough set things up to login as root or visudo blahblah all commands no password if they please. Which of course was the bane of window$ for a long time, nixers can still do so in mere minutes if that's their decision. Edit: Goes without saying it'd be a bad decision though, shrugs.

Posted: **2019-11-01 02:21**

wizard10000 wrote: Are you running X using a display manager that's not GDM? If so, X is running under the root account.

Who the heck thought that was a good idea? It looks like I'll be dumping LightDM soon and going back to using xinit.

Phil

Posted: **2019-11-01 02:29**

Lol ... this thread, as pretty much every gnu/Linux forum thread ... EVER, has jumped the topic track and headed off into let's talk about anything/everything territory.

Also as usual I contributed more than my share of off-topicness too.

So shall continue, I speculate and wonder, with X running under a user process, not as root, is Xorg no longer vulnerable to the processes snooping on each that I've read about ? I mean user processes likely still but could they snoop on root ones too ? Yeppers xinit = startx, don't have a display manager either. Shameless self promotion goes > here. The snippet about using the .profile file in your users home directory automatically runs startx for someone. Though the stuff for that used in Head_on's tute appears better than what I used for it. Still have it setup the way it is in my stupe tute but meaning to getting around to using his for it (.profile edit.)

Edit: @Bulkley what isn't working under Buster ? Method for autologin + startx w/o display manager linked above is confirmed working in Buster. Also 100% sure Head_on's will too, guy knows his gnu/Nix. Of course like my way of doing it, well not so much mine ... Was just grabbed from varied info online but has been very well tested on Stretch, using it in Buster too.

Posted: **2019-11-01 09:59**

pcalvert wrote:Who the heck thought that was a good idea? It looks like I'll be dumping LightDM soon and going back to using xinit.

Quite a few people aren't going to be able to do this as X without a display manager requires a modesetting video driver. root has to launch the driver if the kernel can't.

GDM starts X as root and then passes ownership to the user who just logged in.

Posted: **2019-11-01 13:46**

Using a graphical editor with sudo, gksu{,do} or su-to-root runs the whole application with root privileges for the entire time it is open, that's why it's such a bad idea. Any bugs in the program or the underlying graphics stack will be exposed with elevated permissions

It was never acceptable, rootless X is a major improvement

Two good answers. As far as GDM it is very configurable, and coupled with rootless X it also makes the installation of badly supported video cards and chips easier to get to. When I do new installs on newer hardware by default GDM loads but pauses at the cursor prompt during boot. This allows ctrl+alt+F2 to console and login from either root or user. GDM is well thought out and designed for the adoption of but not forced usage of wayland. You can start whichever you like with or without the GUI. I think Buster has done a good job with GDM for going forward toward modern hardwares where support can be sketchy. This is not to say that old timey desktop users are going to be happy with it. I have never used GKSU (though I was using SUSE enterprise until Jesse came out) and on my personl Stretches I use gnome-commander. I have one Buster configured and running now and it was selectively installed from the CLI with no problems at all other than normal firefox glitches. I use SSH X11 forwarding a lot and so far it transitions from wayland to X without a puff of smoke. I think Debian has done a nice bit of work with Buster and widened the playing field, rather than shrunk it. Where I live every couple of years they change the routes and numbers of major highways, so much so that GPSs and OnStar can't keep up. I travel a lot so I keep an old state map in the glovebox just in case. Combining new and old is sometimes neccessary, but actually ill advised for GKSU.

TC

Posted: **2019-11-01 13:51**

wizard10000 wrote: Wonder how many folks here are running X as root?:D

Maybe they came from windows word?

Posted: **2019-11-01 14:02**

Hey Trinidad no worries is good to hear people's opinions. Mine here is obvious though will eventually very likely embrace polkit and policy files but for now gksu/do suits me. Mentioned it was used forever without problems. The lack of maintenance and any security issues were present for quite awhile without any incident. Still can't discount them as trivial and will have to find a better and more approved of practice after while. Until then am fine with gksu and any risk use of it entails, shrugs.

HOWEVER ... AM NOT SAYING ANYONE ELSE SHOULD DO THIS. Was never the intent of starting the thread, only wanted to share some info about it being possible and an option for those who might feel the same as myself about graphical apps + privs.

Posted: **2020-02-28 08:15**

Thanks for sharing this

Posted: **2020-02-28 09:56**

Welcome, of course still working fine in Buster, no reason it shouldn't. Not like gksu/do hadn't forever. Still believe many of these changes are aimed at enterprise gnu/nix applications rather than overly relevant to avg desktop nixer's. Not griping, have to be grateful for access to all this open source kickbuttness. Still just haven't gotten around to messing with policy files, still will and may as well. Clearly staying current and using what's considered best practice, is the best practice, shrugs. Though this isn't a have to do right now, this very instant type of thing. Despite whatever upstream changes come down I'm still going to pick and choose as I deem fit. If want to continue using Xorg long after Wayland goes default, then I will. End of story.

Edit: Still don't overly care or see the harm in the X process running as root. I don't bother using a display manager because it's unneeded, too many ways to select whichever or combo of de's/wm's on a system and switch between them w/o a DM. In a shared hardware + multi-user environment, yeah more so cause for concern. Only don't care all that much on a trusted user personal system. Anyone care to elaborate or link as to why having the X process running as root is practically certain doom?

HEY I GOT IT! Let's cgroup all hades out of root, then even root can't run as root. Bulletproof security, I'mma friggin genius!

Root user goes to do anything some mystical algo considers shady, msg pops up, "permission denied ... please contact the system administrator." I AM THE SYSTEM ADMIN YOU PIECE OF *CENSORED*!!!

Debian User Forums

My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.

Re: My solution to gksu being deprecated/Buster.