no root term after upgrade deb 9-10

Kernels & Hardware, configuring network, installing services

Re: no root term after upgrade deb 9-10

Postby Head_on_a_Stick » 2019-08-07 19:36

L_V wrote:No, because not "all" programs need a polkit rule.

Well this thread is about "root terminals" and gnome-terminal (for example) doesn't supply a polkit rule so your suggestion wouldn't work.
User avatar
Head_on_a_Stick
 
Posts: 10321
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: no root term after upgrade deb 9-10

Postby L_V » 2019-08-07 19:38

..... read again ... and may be simply try. Just be curious.
If it works for me and others, no reason it does work for you.
L_V
 
Posts: 1032
Joined: 2007-03-19 09:04

Re: no root term after upgrade deb 9-10

Postby CwF » 2019-08-07 20:04

It started right before the freeze, the root permissions mess. For awhile we needed the gnome-admin helper thingie to make the few polkit compliant things work. Many only had the right packages in what is now bullseye. One by one the issues got corrected and a non-gnome desktop now doesn't need the gnome helper. By release it seems all were fixed.

Sometimes, passwords just suck...I prefer 'possession of the keyboard security'
Code: Select all
    <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>yes</allow_active>
    </defaults>

The working things now that just open from the menu when I click, like I own the damn system...

com.ubuntu.pkexec.gdebi-gtk.policy
com.ubuntu.pkexec.synaptic.policy
org.bleachbit.policy
org.freedesktop.pkexec.usbview.policy
org.gnome.gparted.policy
org.xfce.thunar.policy
org.xfce.xfce4-terminal.policy
CwF
 
Posts: 386
Joined: 2018-06-20 15:16

Re: no root term after upgrade deb 9-10

Postby L_V » 2019-08-07 20:32

There is nothing new with Policykit already available in Jessie and even before.
The purpose is to embed the permission policy rule directly in the program package.
It is impossible for visudo to manage program permission with the granularity of Policykit, and visudo is then untouched when a program is installed.

In summary, visudo manages the permissions at low level (user/groups permission policy).
Policykit is more dedicated to graphical applications, with some fine-tuning for each desktop environment.
L_V
 
Posts: 1032
Joined: 2007-03-19 09:04

Re: no root term after upgrade deb 9-10

Postby CwF » 2019-08-07 21:01

L_V wrote:There is nothing new with Policykit already available in Jessie and even before.

...that's nice. That list came about, to fruition, during buster and not before.
CwF
 
Posts: 386
Joined: 2018-06-20 15:16

Re: no root term after upgrade deb 9-10

Postby L_V » 2019-08-07 21:09

Not sure if the program rules directory has not been changed over the time since Jessie.
https://packages.debian.org/jessie/policykit-1

Even a GUI tool was available in KDE to manage policykit rules, and has been removed later.
Polkit-kde => https://packages.debian.org/jessie/polkit-kde-1 (became doc only).
L_V
 
Posts: 1032
Joined: 2007-03-19 09:04

Re: no root term after upgrade deb 9-10

Postby djk44883 » 2019-08-07 22:16

L_V wrote:Not sure if the program rules directory has not been changed over the time since Jessie.
https://packages.debian.org/jessie/policykit-1


:|Really? With all the answers, you can't click

[list of files] https://packages.debian.org/jessie/amd6 ... 1/filelist
[list of files] https://packages.debian.org/bullseye/am ... 1/filelist

and just swap between tabs :?: ...
djk44883
 
Posts: 61
Joined: 2010-12-11 13:14

Re: no root term after upgrade deb 9-10

Postby L_V » 2019-08-09 15:56

djk44883 wrote:and just swap between tabs ...

Listing polkit files will not give you any information of the environement used by Polkit to find program policies.
Policykit-1 is used by Debian since something about 2009 (version 0.95-1)
https://lists.debian.org/debian-testing ... 00019.html

Examples of policies placement:
---------------
policykit-1: /usr/share/polkit-1/actions/org.freedesktop.policykit.policy

kdelibs5-data: /usr/share/kde4/apps/kjava/kjava.policy
freeplane: /usr/share/freeplane/freeplane.policy

isakmpd: /etc/isakmpd/isakmpd.policy
openjdk-11-jre-headless: /etc/java-11-openjdk/security/java.policy
tomcat9: /etc/tomcat9/policy.d/01system.policy
---------------
An interesting one to understand Policykit is udisks2, which policy is at /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
Mounting a disk partition in a terminal requires root permission.
But in a desktop environment, a user can plug a USB key, mount it and use it.
The USB key will be mounted at /media/$USER/$DISK_LABEL, without requesting any root permission.

The disk partitions visible in a file manager can be mounted by a user, if allowed at visudo level, but a password will be requested.
Policykit is managing these permission mechanisms at higher level, making the bridge with visudo.

Only programs used in a desktop environment really requiring specific permissions have Polkit policies.
Others do not have any Polkit policies, because not needed, not necessary.

A terminal does not need any Polkit policies.
But if a user for unclear justification insists to open a terminal in a root graphic environment, and not his own user environment, he normally can with pkexec.
Code: Select all
pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY xterm

It works for me, in a KDE environment. It does not work apparently for others. Don't know why, but as it is not necessary and not recommended, it does not seem to be a real issue.
It seems that Polkit problems are more concentrated on gnome. I've seen in this forum a user who had problems to mount disk partition in "thunar" where I never had in Dolphin.

Code: Select all
# pkexec env

SHELL=/bin/bash
PATH=/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
LOGNAME=root
USER=root
HOME=/root
PKEXEC_UID=1000
L_V
 
Posts: 1032
Joined: 2007-03-19 09:04

Re: no root term after upgrade deb 9-10

Postby djk44883 » 2019-08-09 18:53

L_V wrote:Listing polkit files will not give you any information of the environement used by Polkit to find program policies.


I certainly don't mean to discount any of your useful information - thanks!

Not sure if the program rules directory has not been changed over the time since Jessie.


I was commenting about changes to the directories for polkit not the environment used to find policies.
djk44883
 
Posts: 61
Joined: 2010-12-11 13:14

Previous

Return to System configuration

Who is online

Users browsing this forum: cooler01, ruwolf and 7 guests

fashionable