no root term after upgrade deb 9-10

[L_V]

It seems clear that people having headache with all "su/sudo" stories are those trying to open graphic applications as root user.
Graphic application permissions are managed by Polkit (policykit), then to be open with pkexec

Code: Select all

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY <my_app>

+

Code: Select all

alias pkexec='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY'

to be inserted in ~/.bash_aliases

[Head_on_a_Stick]

Graphic application permissions are managed by Polkit (policykit), then to be open with pkexec

That requires a polkit configuration file for the application and also for the program to be able to take advantage of polkit.

[L_V]

No, if a policykit rule is already available, just "pkexec <command>" will be enough.

[Head_on_a_Stick]

if a policykit rule is already available

That's my point: not all programs supply a policykit rule.

[L_V]

No, because not "all" programs need a polkit rule.
I personally do not have any need for this, and even don't understand all these permanent requests to open a program in a graphical "root" environment.
Total mystery / wrong practice.
I just say, for those who insist, there is a technical solution.

[Head_on_a_Stick]

No, because not "all" programs need a polkit rule.

Well this thread is about "root terminals" and gnome-terminal (for example) doesn't supply a polkit rule so your suggestion wouldn't work.

[L_V]

..... read again ... and may be simply try. Just be curious.
If it works for me and others, no reason it does work for you.

[CwF]

It started right before the freeze, the root permissions mess. For awhile we needed the gnome-admin helper thingie to make the few polkit compliant things work. Many only had the right packages in what is now bullseye. One by one the issues got corrected and a non-gnome desktop now doesn't need the gnome helper. By release it seems all were fixed.

Sometimes, passwords just suck...I prefer 'possession of the keyboard security'

Code: Select all

    <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>yes</allow_active>
    </defaults>

The working things now that just open from the menu when I click, like I own the damn system...

com.ubuntu.pkexec.gdebi-gtk.policy
com.ubuntu.pkexec.synaptic.policy
org.bleachbit.policy
org.freedesktop.pkexec.usbview.policy
org.gnome.gparted.policy
org.xfce.thunar.policy
org.xfce.xfce4-terminal.policy

[L_V]

There is nothing new with Policykit already available in Jessie and even before.
The purpose is to embed the permission policy rule directly in the program package.
It is impossible for visudo to manage program permission with the granularity of Policykit, and visudo is then untouched when a program is installed.

In summary, visudo manages the permissions at low level (user/groups permission policy).
Policykit is more dedicated to graphical applications, with some fine-tuning for each desktop environment.

[CwF]

There is nothing new with Policykit already available in Jessie and even before.

...that's nice. That list came about, to fruition, during buster and not before.

[L_V]

Not sure if the program rules directory has not been changed over the time since Jessie.
https://packages.debian.org/jessie/policykit-1

Even a GUI tool was available in KDE to manage policykit rules, and has been removed later.
Polkit-kde => https://packages.debian.org/jessie/polkit-kde-1 (became doc only).

[djk44883]

Not sure if the program rules directory has not been changed over the time since Jessie.
https://packages.debian.org/jessie/policykit-1

:|Really? With all the answers, you can't click

• https://packages.debian.org/jessie/amd6 ... 1/filelist
  • https://packages.debian.org/bullseye/am ... 1/filelist
    
    and just swap between tabs ...

[L_V]

and just swap between tabs ...

Listing polkit files will not give you any information of the environement used by Polkit to find program policies.
Policykit-1 is used by Debian since something about 2009 (version 0.95-1)
https://lists.debian.org/debian-testing ... 00019.html

Examples of policies placement:
---------------
policykit-1: /usr/share/polkit-1/actions/org.freedesktop.policykit.policy

kdelibs5-data: /usr/share/kde4/apps/kjava/kjava.policy
freeplane: /usr/share/freeplane/freeplane.policy

isakmpd: /etc/isakmpd/isakmpd.policy
openjdk-11-jre-headless: /etc/java-11-openjdk/security/java.policy
tomcat9: /etc/tomcat9/policy.d/01system.policy
---------------
An interesting one to understand Policykit is udisks2, which policy is at /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy
Mounting a disk partition in a terminal requires root permission.
But in a desktop environment, a user can plug a USB key, mount it and use it.
The USB key will be mounted at /media/$USER/$DISK_LABEL, without requesting any root permission.

The disk partitions visible in a file manager can be mounted by a user, if allowed at visudo level, but a password will be requested.
Policykit is managing these permission mechanisms at higher level, making the bridge with visudo.

Only programs used in a desktop environment really requiring specific permissions have Polkit policies.
Others do not have any Polkit policies, because not needed, not necessary.

A terminal does not need any Polkit policies.
But if a user for unclear justification insists to open a terminal in a root graphic environment, and not his own user environment, he normally can with pkexec.

Code: Select all

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY xterm

It works for me, in a KDE environment. It does not work apparently for others. Don't know why, but as it is not necessary and not recommended, it does not seem to be a real issue.
It seems that Polkit problems are more concentrated on gnome. I've seen in this forum a user who had problems to mount disk partition in "thunar" where I never had in Dolphin.

Code: Select all

# pkexec env

SHELL=/bin/bash
PATH=/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
LOGNAME=root
USER=root
HOME=/root
PKEXEC_UID=1000

[djk44883]

Listing polkit files will not give you any information of the environement used by Polkit to find program policies.

I certainly don't mean to discount any of your useful information - thanks!

Not sure if the program rules directory has not been changed over the time since Jessie.

I was commenting about changes to the directories for polkit not the environment used to find policies.

[Head_on_a_Stick]

OK, the "root terminal" menu entry is provided by gksu.desktop, which is part of the gksu package and has been removed for Debian 10.

Here's a "safer" alternative: https://forum.mxlinux.org/viewtopic.php ... 34#p521734 ← see the bit after the EDIT.