Page 4 of 4

Re: My solution to gksu being deprecated/Buster.

Posted: 2019-11-01 13:46
by trinidad
Using a graphical editor with sudo, gksu{,do} or su-to-root runs the whole application with root privileges for the entire time it is open, that's why it's such a bad idea. Any bugs in the program or the underlying graphics stack will be exposed with elevated permissions


It was never acceptable, rootless X is a major improvement


Two good answers. As far as GDM it is very configurable, and coupled with rootless X it also makes the installation of badly supported video cards and chips easier to get to. When I do new installs on newer hardware by default GDM loads but pauses at the cursor prompt during boot. This allows ctrl+alt+F2 to console and login from either root or user. GDM is well thought out and designed for the adoption of but not forced usage of wayland. You can start whichever you like with or without the GUI. I think Buster has done a good job with GDM for going forward toward modern hardwares where support can be sketchy. This is not to say that old timey desktop users are going to be happy with it. I have never used GKSU (though I was using SUSE enterprise until Jessie came out) and on my personal Stretches I use gnome-commander. I have one Buster configured and running now and it was selectively installed from the CLI with no problems at all other than normal firefox glitches. I use SSH X11 forwarding a lot and so far it transitions from wayland to X without a puff of smoke. I think Debian has done a nice bit of work with Buster and widened the playing field, rather than shrunk it. Where I live every couple of years they change the routes and numbers of major highways, so much so that GPSs and OnStar can't keep up. I travel a lot so I keep an old state map in the glovebox just in case. Combining new and old is sometimes necessary, but actually ill advised for GKSU.

TC

Re: My solution to gksu being deprecated/Buster.

Posted: 2019-11-01 13:51
by None1975
wizard10000 wrote: Wonder how many folks here are running X as root? :D

Maybe they came from Windows world?

Re: My solution to gksu being deprecated/Buster.

Posted: 2019-11-01 14:02
by Deb-fan
Hey Trinidad no worries is good to hear people's opinions. Mine here is obvious though will eventually very likely embrace polkit and policy files but for now gksu/do suits me. Mentioned it was used forever without problems. The lack of maintenance and any security issues were present for quite awhile without any incident. Still can't discount them as trivial and will have to find a better and more approved of practice after while. Until then am fine with gksu and any risk use of it entails, shrugs.

HOWEVER ... AM NOT SAYING ANYONE ELSE SHOULD DO THIS. Was never the intent of starting the thread, only wanted to share some info about it being possible and an option for those who might feel the same as myself about graphical apps + privs. :)

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-02-28 08:15
by printereverbd
Thanks for sharing this

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-02-28 09:56
by Deb-fan
Welcome, of course still working fine in Buster, no reason it shouldn't. Not like gksu/do hadn't forever. Still believe many of these changes are aimed at enterprise gnu/nix applications rather than overly relevant to avg desktop nixer's. Not griping, have to be grateful for access to all this open source kickbuttness. Still just haven't gotten around to messing with policy files, still will and may as well. Clearly staying current and using what's considered best practice, is the best practice, shrugs. Though this isn't a have to do right now, this very instant type of thing. Despite whatever upstream changes come down I'm still going to pick and choose as I deem fit. If want to continue using Xorg long after Wayland goes default, then I will. End of story.

Edit: Still don't overly care or see the harm in the X process running as root. I don't bother using a display manager because it's unneeded, too many ways to select whichever or combo of de's/wm's on a system and switch between them w/o a DM. In a shared hardware + multi-user environment, yeah more so cause for concern. Only don't care all that much on a trusted user personal system. Anyone care to elaborate or link as to why having the X process running as root is practically certain doom? :)

HEY I GOT IT! Let's cgroup all hades out of root, then even root can't run as root. Bulletproof security, I'mma friggin genius! :P Root user goes to do anything some mystical algo considers shady, msg pops up, "permission denied ... please contact the system administrator." I AM THE SYSTEM ADMIN YOU PIECE OF *CENSORED*!!!

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-02-28 12:47
by Deb-fan
One can never be too secure after all. So came up with another monumental leap forward in security. How about a systemd timer unit or crontab ? Admin is logged in, ... Popup or text on screen ... It's been detected that you're using the admin account. This is bad security practice, please validate user access rights. Enter authorization code ?

*Scratches head, hmmmmm ... when did this thing happen ? Maybe that last upgrade pulled this in. Errrrrr ... didn't know we had this. *Enters password ...

Incorrect: Please enter authorization code ?

Hmmmm, maybe mistyped it ... * Tries again.

Incorrect: Please enter code ? Locking system in 10, 9, 8 ...

Chit, wth ?!?! * Tries again ...

3 failed attempts at authorization, you're being reported to the system administrator, locking system.

I AM THE SYS ADMIN YOU PIECE OF *CENSORED*!!!! :D

For real again this stuff is clearly retarded no matter how you look at it. Sighs ... like people can't just abuse sudo, like people long haven't been doing so anyway. With proper use as long as root's path is used and users file permissions in home don't get screwed up, wouldn't even cause the slightest issue anyway and fixing it even then is all of one command. Still not really seeing how this policy files nonsense can possibly be of much use. Not at all on a personal computer (desktop nix) extremely limited even on shared hardware + unknown users too. If folks on those VM's or whatever are logged in as root or running apps with sudo or etc. Processes are running with priv's nonetheless. Folks who have important stuff setup and running well have been known not to bother with this type of tardation for longgggg periods of time regardless. To me .. it's just mostly useless and also fairly tarded change for the sake of it.

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-02-28 16:32
by Deb-fan
Yet more brilliance, we'll have gnu/nix untouchable by end of business day!

How about, triple confirmation dialogues?! Edit a system file, go to save, cancel-no-yes, hit yes ... Another popup, are you really sure you want to save? Cancel-no-yes, ... yes + enter. Really, really sure you want to save? OMG ... kill me! Somebody please just kill me and yeah I'm sure! :P

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-02-28 17:02
by CwF
I started the gksu purge halfway through Stretch xfce, only scarfed the root terminal icon.
Using pkexec I have both direct launchers for passwordless terminal, synaptic, thunar and whatever, but also a user thunar with many root right custom actions. That is simple open in root thunar, edit as root in mousepad, and the like. More complex I have many actions available in a user thunar to manipulate disk images and such, mount things to a vm, a loop, etc., all needing root, or maybe libvirt rights. Don't forget groups.

I think this is all that is required in buster with xfce:
libpolkit-backend-1-0
libpolkit-agent-1-0
libpolkit-gobject-1-0
The action files are more complete now and we can make our own. I go months without typing a password. I favor 'you can't get there from here' and 'I have the keyboard' security models.

I avoid the polkit#metoo.debs so don't know how other desktops work.
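
An added example, not part of CwF's post or of any project's code: a short Python audit of polkit action files of the kind described above, listing every action whose `<defaults>` grant `yes` (no authentication) together with the program pkexec would run for it. The action ids, the sample policy and the function names are constructed for illustration; treating a missing default as `no` is an assumption.

```python
import xml.etree.ElementTree as ET

EXEC_PATH = "org.freedesktop.policykit.exec.path"
ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"
SCOPES = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample (DOCTYPE omitted); the action ids are hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.pkexec.mousepad">
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/mousepad</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="org.example.pkexec.synaptic">
    <defaults>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/synaptic</annotate>
  </action>
</policyconfig>"""


def parse_actions(root):
    """Return one dict per <action>: id, pkexec target, GUI flag, defaults."""
    actions = []
    for action in root.iter("action"):
        notes = {a.get("key"): (a.text or "").strip()
                 for a in action.findall("annotate")}
        grants = {}
        for scope in SCOPES:
            # Assumption: a missing or empty element is treated as "no" here.
            grants[scope] = (action.findtext("defaults/" + scope) or "no").strip()
        actions.append({"id": action.get("id"), "defaults": grants,
                        "exec_path": notes.get(EXEC_PATH),
                        "allow_gui": notes.get(ALLOW_GUI) == "true"})
    return actions


def passwordless(actions):
    """(id, program, scope) for every grant that needs no authentication."""
    return [(a["id"], a["exec_path"], s)
            for a in actions for s in SCOPES if a["defaults"][s] == "yes"]


def audit(xml_text):
    """Audit one policy document; use ET.parse(path).getroot() for files on disk."""
    return passwordless(parse_actions(ET.fromstring(xml_text)))


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

Installed action files live under /usr/share/polkit-1/actions/; an `allow_active` of `auth_admin_keep` instead of `yes` keeps the password prompt but caches the authorization for a short time.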

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-02-28 18:04
by Deb-fan
^What you (CwF) post makes it plain you're big time into IT, clearly know what you're doing. If were talking about forward facing, mission critical, production would go ahead and use this asap. I mean it's clear processes running for a minimum of time with privs has to mean less potential it can be hijacked I guess. You've no doubt got AppArmor or SELinux already down pat or could if desired. Still know too much about pentesting to consider this much value in that role either really. Just one more thing which depending should prove easy enough to get around anyway. Only in the context of avg desktop gnu/nix, this kind of thing is fairly well worthless. Not like it's all that big a deal though. Can be reconfig'ed, are others similar to gksu which aren't deprecated too. Actually would think at least its best to consider them or embrace this newer arrangement.

Ah ... still see it as mostly pointless in terms of enhancing security for desktop nixer's though. Sheesh ran windows for years on end under admin acct w/o issue. This thing isn't really going to do much for users. Common sense is by far the best computer security, folks who run around installing software from questionable sources, running open ports and services without knowing what they're doing etc. Really think this was some knee jerk reaction to the side-channel junk. Ah time to shut it, honestly do just need to bite bullet and get familiar with this policy files thing. Even if don't really think it has merit for desktop gnu/Linux. More inconvenience, than any practical benefit. Really don't consider side-channel all that big a deal for desktop nixer's, shared hardware multi-user un(or)known. Someone gets root, they've got it. Too many ways to do that to see much value in that context with these policy files either. Whatever.

This is still on topic (as security is an integral part of this topic in general.) so yeah. Really don't believe much of the side-channel stupidness is all that relevant to desktop users. Though with considerations, for browsers have long, long quit using any Java plugins in a web browser (or used any JRE's), same for flashplayers and also use Noscript with Firefox to prevent javascripts from running on every website in the world. Unless specifically cleared to do so. Many don't even need be allowed to work just fine regardless. Still think it's (side-channel) mostly smoke and FUD in terms of desktop users but any kind of client-side things still have to be considered more closely in my opinion no matter what.

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-02-29 04:12
by Deb-fan
That junk above was more some funny snarks aimed at the faction of gnu/nix users who are constantly harping on sec, sec, SECURITY !!! Privacy, OMG, OMG. Constantly giving other users the impression many things on this platform and using their OS is like handling unstable nitroglycerin, when it's not ... not at all. Oh NO ! Never do that, oh ... don't even ever have a root account (NOOOOO, don't use sudo either!!!), no, no, no ... that's terrible the world shall surely end if you do that !! Think because it is inherently more secure gnu/Linux attracts more than its share of users with either borderline or full blown schizophrenia and paranoia. A user could leave a file-manager and text editor running with priv's 24/7 in the taskbar and not have the slightest issue. As long as they're using common sense and not engaging in (or neglecting considering) the stupid behavior outlined in former posts. Which if someone is doing those types of things, all the default security in the world isn't going to help them if they have root/sudo access anyway.

Mentioned ran Windows, more than one release years and years under the admin account, didn't bother having 16 anti-spy, anti-malware, anti-virus etc progs running 24/7 on them either, didn't want them eating up resources. Had devoted time to learning about what mattered in security in windows though. Knew it wasn't "best practice", still never had problems and eventually did start keeping a separate user/admin acct and using that majority of time. Was just a simple, may as well do the proper thing situation. That's in Window$, they want you (help you along in it) to get your boxen so infected and crapped-up, you just go out and buy another pc, more money for them. Since M$ defaulted to setting up that separate user acct, that simple thing is one HUGE jump forward in making it a much more secure out-of-box platform as with gnu/Linux. Honestly still think this policy files thing is tarded. Still going to hold off even messing with it. In my view it even promotes worse practices, people used to one thing and then what worked changes, esp newer nixers are subject to quickly whip out that big hammer = sudo, in a situation like this or just as likely use some really dirty hacks.

Though again, still isn't really a big deal, misuse of sudo, fix is one command to chown back user ownership of the directories/files in their home. Proper use of sudo, would never even cause any issues at all. Even if for me (polkit + policy files) is just copying over two files here. Am not pressed to bother with it and will do so on my time table. That's all I need, the only graphical apps ever run with priv's, file manager, simple text editor sometimes. Guessing with the dang X process running under root (users mostly using a display manager), this thing is some kind of mitigation for it and with Wayland and the better process isolation/sec, it's supposed to bring, it'll be less of a concern. Though still don't overly care about X process = root, doesn't do so here though cause I don't need a DM anyway. Surely there's a fix for getting X under something other than root even with a one though? Gdm does it, clearly every other very likely can as well.

Ahhhh, getting on my own nerves, though all these NOOOOO, never, ever, NOT EVER do x-simple everyday computing thing. Unless you've got your last will and testament updated and a blast shield in front of your keyboard !!! People, gimme a break. It's not that damn serious. Get real ... :)

Wonder how many among the tinfoil hat nixer crowd would consider the jokes above as features. Would be cool and some nixer probably already has made something that will popup when installing outside trusted sources? Dialogue ... you sure about this bud? Yes/no ... Yes ... ok dude, good luck. :)

Re: My solution to gksu being deprecated/Buster.

Posted: 2020-03-01 02:47
by Deb-fan
Oops also use gparted at times, both it and thunar already came with default polkit policy files from the folks at freedesktop anyway. Apparently the file as regards gparted is exempt, polkit doesn't bother interfering when it's launched with gksu/do. However the case with thunar wasn't the same, custom actions such as "edit as root" for files etc ceased working with gksu under its supervision. Was just working around it (open terminal here), knew where to look and these policy files things and polkit are fairly easy to understand with minimal effort. However again ... wanted my custom actions to work as they have formerly. Again just MY solution, removed thunar's policy file from the relevant directory so that polkit need no longer concern itself with what thunar's doing. Whamo ... custom actions restored to the file manager.

Absolutely it's important to use effective security and/or privacy in whichever and any OS's people use. To me this is still just tarded, really doesn't do anything possibly useful and just adds a layer of security which is useless to me on desktop. As is the prospect of ever bothering to setup apparmor on a personal system. Not like for anyone with the know-how and desire, apparmor wasn't already easily available to them anyway. Though that's clearly a pointless nit pick regardless. If things were so delicate security-wise for this to even matter (they're not), OMG a given process must only be granted priv's for a mere millisecond, or all is lost, we're all pooched anyway. Someone can log in as root all day long (clearly shouldn't), leave processes running with priv's all day long (also shouldn't), never have an issue. As for the uber-paranoid, OMG never do anything without first doing 35 (mostly pointless) things which impair user convenience, and/or enjoyment, possibly performance of using a given OS.

Again ... are many obvious things to me, they're overlooking or have zero control over anyway. Use of proprietary drivers, firmware, other software etc etc, much other stuff. I know these folks are in many ways totally clueless and out of touch with reality in what they think/advise and they still sometimes get me feeling edgy or second guessing (overthinking) silly junk while using my OS's-tech. Can only imagine with how often this type of thing is shouted, parroted and preached to newer nixers. They must sometimes feel like their OS is going to reach out at any moment and rip their faces off. NOTHING LIKE THE REAL SITUATION. So no need to go running off and getting fitted for any tinfoil head-wear and besides everybody knows aluminum is much superior vs tin in blocking out mind-probes, sheesh. :)