gksu deprecated

News and discussion about development of the Debian OS itself

Postby 4D696B65 » 2018-04-22 23:28


Re: gksu deprecated

Postby Bulkley » 2018-04-23 02:08

This is unfortunate. pkexec is a horror show to configure. I don't like the sudo process at all. What I want is a popup box asking for my root password when I need to run programs such as Synaptic. It has to be something simple to use in a menu.

Did Red Hat cook up this stuff?

Re: gksu deprecated

Postby Head_on_a_Stick » 2018-04-23 05:32

Bulkley wrote: pkexec is a horror show to configure [...] What I want is a popup box asking for my root password when I need to run programs such as Synaptic

Good news: the synaptic package supplies a pkexec configuration file and also a wrapper script to launch it :)

Add this to your menu:
Code:
synaptic-pkexec

Note though that you will need to have a graphical polkit authentication agent running to supply the password pop-up box — all of the desktop environments do this automatically but simple window manager desktops (such as openbox) will need to have the agent added to their autostart scripts.
Don't break DebianHow to report bugs

SharpBang GNU/Linux — a pre-configured Openbox/Tint2 desktop running on Debian stable

Re: gksu deprecated

Postby roseway » 2018-04-23 05:46

It seems that kdesu is still alive.
Eric

Re: gksu deprecated

Postby Bulkley » 2018-04-23 14:32

Head_on_a_Stick wrote: . . . the synaptic package supplies a pkexec configuration file and also a wrapper script to launch it :)

Add this to your menu:
Code:
synaptic-pkexec

Note though that you will need to have a graphical polkit authentication agent running to supply the password pop-up box — all of the desktop environments do this automatically but simple window manager desktops (such as openbox) will need to have the agent added to their autostart scripts.


And another for gnome-disks and another for system-config-printer, etc. One might as well configure sudo.

I notice that gksu is in Sid. I read somewhere that a new version is in the works. Have you seen anything about that?

Yes, I'm being stubborn because gksu -g is so easy to use in Obmenu.

Head_on_a_Stick, thanks for your suggestion. This happens in terminal.

Code:
~$ synaptic-pkexec
==== AUTHENTICATING FOR com.ubuntu.pkexec.synaptic ===
Authentication is required to run the Synaptic Package Manager
Authenticating as: root
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

Re: gksu deprecated

Postby Head_on_a_Stick » 2018-04-23 17:04

Bulkley wrote: And another for gnome-disks and another for system-config-printer, etc

No, just a single authentication agent running in the background will accept all requests from any programs.

And you only need it running if you want to be authenticated — I don't run anything as root on my desktop so I deliberately don't run the authentication agent.

Bulkley wrote: One might as well configure sudo

Sorry to disappoint the rabid conspiracy theorists out there but this isn't a Red Hat plot to dominate Linux[1] but rather a determined and serious effort to improve the piss-poor security of the GNU/Linux desktop[2] — gksu was a significant improvement over plain sudo in respect of granting permissions to GUI applications and pkexec does better again.

Bulkley wrote: This happens in terminal

As I explained, you need to start a polkit authentication agent and have it running in the background in order for a password dialogue box to be shown and the request to be accepted.

Add this line to ~/.config/openbox/autostart:
Code:
/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 &

https://packages.debian.org/stretch/policykit-1-gnome

Then save the file, log out & back in again and `synaptic-pkexec` should now work ;)

[1] They do that through kernel contributions :mrgreen:

[2] https://scarybeastsecurity.blogspot.co. ... sktop.html

Re: gksu deprecated

Postby Bulkley » 2018-04-23 21:16

Head_on_a_Stick wrote: Add this line to ~/.config/openbox/autostart:
Code:
/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 &


Thanks. That works. Your script was better than mine. I had entered only "policykit-1-gnome" and froze my screen.

Re: gksu deprecated

Postby Head_on_a_Stick » 2018-04-24 04:57

Bulkley wrote: Thanks. That works.

Awesome! You're welcome, glad you got it working :)

Bulkley wrote: Your script

It's not mine actually — I stole it from BunsenLabs :twisted:

EDIT: and yes, it is a weird thing to have to call :?

Re: gksu deprecated

Postby Bulkley » 2018-04-24 15:45

Like you, I don't like root privileges running on my desktop. Being old school, I do most package management in a term, major upgrades in a console with X shut down. However, there are a few programs that are useless without root privileges, Synaptic being one of them. (Synaptic is a great package browser.) Now one can do
Code:
$ su -c synaptic
in any term or use
Code:
gksu -g synaptic
in a menu. Both are rather simple. When working properly, closing the program also closes root privileges. On the other hand, pkexec requires a convoluted script. What you showed me how to do for Synaptic does not work for gnome-disks.
Code:
$ gnome-disks-pkexec
bash: gnome-disks-pkexec: command not found
Doing
Code:
$ pkexec gnome-disks
Unable to init server: Could not connect: Connection refused
brings up a password box but ultimately fails. Essentially, pkexec does not translate easily from one program to another.

Re: gksu deprecated

Postby Head_on_a_Stick » 2018-04-24 16:05

Bulkley wrote: What you showed me how to do for Synaptic does not work for gnome-disks.

That's by design — the GNOME devs do not believe that pkexec is secure enough and so they do not supply a .policy file for the program, this is needed for pkexec to work.

You could try adding one yourself by creating a file at /usr/share/polkit-1/actions/com.ubuntu.pkexec.gnomedisks.policy with content based on
/usr/share/polkit-1/actions/com.ubuntu.pkexec.synaptic.policy, I suppose.

It's probably best to use gparted instead because that package includes /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy and so will allow pkexec to work.
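The .policy dependency discussed above can be audited directly. pkexec(1) documents that DISPLAY and XAUTHORITY are kept only when the matching action sets the org.freedesktop.policykit.exec.allow_gui annotation. The following is an added example, not code from the thread or from polkit: it parses .policy files and lists the actions that name a given program. The sample XML and the two program paths are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

EXEC_PATH = "org.freedesktop.policykit.exec.path"
ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"

# Constructed sample in the shape of a pkexec .policy file (not copied from any package).
SAMPLE_POLICY = b"""<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="com.ubuntu.pkexec.synaptic">
    <defaults><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/synaptic</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>"""


def parse_actions(policy_xml):
    """Return one dict per <action> in a polkit .policy document."""
    actions = []
    for action in ET.fromstring(policy_xml).iter("action"):
        notes = {a.get("key"): (a.text or "").strip()
                 for a in action.findall("annotate")}
        actions.append({
            "id": action.get("id"),
            "exec_path": notes.get(EXEC_PATH),
            "allow_gui": bool(notes.get(ALLOW_GUI)),  # non-empty keeps DISPLAY/XAUTHORITY
            "allow_active": (action.findtext("defaults/allow_active") or "").strip(),
        })
    return actions


def audit_program(program, policies):
    """Return the actions whose exec.path annotation equals `program`."""
    hits = []
    for xml_doc in policies:
        try:
            hits += [a for a in parse_actions(xml_doc) if a["exec_path"] == program]
        except ET.ParseError:
            continue  # a malformed file should not abort the audit
    return hits


if __name__ == "__main__":
    installed = [p.read_bytes() for p in Path("/usr/share/polkit-1/actions").glob("*.policy")]
    for prog in ("/usr/sbin/synaptic", "/usr/bin/gnome-disks"):  # assumed install paths
        print(prog, audit_program(prog, installed) or "no pkexec action, GUI env not kept")
```

An empty result for a program means pkexec has no program-specific action for it; a hit with `allow_gui` set shows which packages have opted in to running a GUI as root.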

Re: gksu deprecated

Postby Innovate » 2018-04-29 08:59

Thx for the info, I'll check those app packages that require gksu & clear them out.
Luckily thunar and unetbootin support pkexec, so I don't have to worry about these.

Re: gksu deprecated

Postby Deb-fan » 2019-02-13 19:18

Personally will just keep using gksu till it fails to work. From what I'd read about the vulnerability present in it, it really isn't much of an issue anyway. As with almost everything GNU/Linux, there are other options too. Have installed and played with lxqt-sudo, which works just as gksu does. Haven't bothered applying any themes for it, so at the moment it's butt ugly, works fine though and it's just a box to enter a password into occasionally so don't much care if it isn't beautiful. Available in the stock repository. On a minimal net install of Debian 9.7, installing lxqt-sudo pulled in 9 packages.

Re: gksu deprecated

Postby pylkko » 2019-02-14 04:27

I personally never use synaptic, would never ever even touch unetbootin. I think that if this is what it comes down to then there is no problem as those can be replaced by better alternatives.

