My solution to gksu being deprecated/Buster.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: My solution to gksu being deprecated/Buster.

#41 Post by Head_on_a_Stick »

Deb-fan wrote:
^ That will open a copy of the file in gedit as your normal user and only invoke root (via gvfs) to save the file.
Keep having to ask myself, what the hades am I missing here ?!?!?
Using a graphical editor with sudo, gksu{,do} or su-to-root runs the whole application with root privileges for the entire time it is open, that's why it's such a bad idea. Any bugs in the program or the underlying graphics stack will be exposed with elevated permissions.
deadbang

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#42 Post by Deb-fan »

^ Don't get me wrong I get that, that aspect of it is perfectly clear. Still don't really see much of a benefit and plenty of possible gotchas and doors left open regardless of what they try to implement. Folks can still run anything as root, truth be told using sudo seldom caused any issues when was new to gnu/Nix and never would if someone used the right flags, at least I don't think it would.

The couple times I did end up messing up file ownership, took all of 20mins to learn what the problem was and the simple fix of chown'ing it back. Another reason newbish folks may want to keep a root account around. Obviously I've elected to keep using gksu, thing will likely remain working fine for the life of Buster if I want to use it and for now I do. Mentioned in previous posts, I've used the dang thing for 8 or so years now without problems. Figure doing so awhile longer isn't going to cause harm. :)

More pointless observations about this nonsense: How long do people tend to leave file-managers running as root normally ? I mean generally if I've launched thunar/etc with priv's it means I'm actively doing something which requires priv's to get done. Not like people just leave one running 24/7 and if they do that's their preference and risk. Though keeping it real, someone could easily enough set things up to login as root or visudo blahblah all commands no password if they please. Which of course was the bane of window$ for a long time, nixers can still do so in mere minutes if that's their decision. Edit: Goes without saying it'd be a bad decision though, shrugs.
Most powerful FREE tech-support tool on the planet * HERE. *

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: My solution to gksu being deprecated/Buster.

#43 Post by pcalvert »

wizard10000 wrote: Are you running X using a display manager that's not GDM? If so, X is running under the root account.
Who the heck thought that was a good idea? It looks like I'll be dumping LightDM soon and going back to using xinit.

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#44 Post by Deb-fan »

Lol ... this thread, as pretty much every gnu/Linux forum thread ... EVER, has jumped the topic track and headed off into let's talk about anything/everything territory. :D Also as usual I contributed more than my share of off-topicness too. :D

So shall continue, I speculate and wonder, with X running under a user process, not as root, is Xorg no longer vulnerable to the processes snooping on each other that I've read about ? I mean user processes likely still but could they snoop on root ones too ? Yeppers xinit = startx, don't have a display manager either. Shameless self promotion goes > here. The snippet about using the .profile file in your user's home directory automatically runs startx for someone. Though the stuff for that used in Head_on's tute appears better than what I used for it. Still have it setup the way it is in my stupe tute but meaning to get around to using his for it (.profile edit.) :)
Edit: @Bulkley what isn't working under Buster ? Method for autologin + startx w/o display manager linked above is confirmed working in Buster. Also 100% sure Head_on's will too, guy knows his gnu/Nix. Of course like my way of doing it, well not so much mine ... Was just grabbed from varied info online but has been very well tested on Stretch, using it in Buster too.

wizard10000
Global Moderator
Posts: 557
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 76 times
Been thanked: 85 times

Re: My solution to gksu being deprecated/Buster.

#45 Post by wizard10000 »

pcalvert wrote: Who the heck thought that was a good idea? It looks like I'll be dumping LightDM soon and going back to using xinit.
Quite a few people aren't going to be able to do this as X without a display manager requires a modesetting video driver. root has to launch the driver if the kernel can't.

GDM starts X as root and then passes ownership to the user who just logged in.
we see things not as they are, but as we are.
-- anais nin

trinidad
Posts: 290
Joined: 2016-08-04 14:58
Been thanked: 14 times

Re: My solution to gksu being deprecated/Buster.

#46 Post by trinidad »

Using a graphical editor with sudo, gksu{,do} or su-to-root runs the whole application with root privileges for the entire time it is open, that's why it's such a bad idea. Any bugs in the program or the underlying graphics stack will be exposed with elevated permissions
It was never acceptable, rootless X is a major improvement
Two good answers. As far as GDM it is very configurable, and coupled with rootless X it also makes the installation of badly supported video cards and chips easier to get to. When I do new installs on newer hardware by default GDM loads but pauses at the cursor prompt during boot. This allows ctrl+alt+F2 to console and login from either root or user. GDM is well thought out and designed for the adoption of but not forced usage of Wayland. You can start whichever you like with or without the GUI. I think Buster has done a good job with GDM for going forward toward modern hardwares where support can be sketchy. This is not to say that old timey desktop users are going to be happy with it. I have never used GKSU (though I was using SUSE enterprise until Jessie came out) and on my personal Stretches I use gnome-commander. I have one Buster configured and running now and it was selectively installed from the CLI with no problems at all other than normal Firefox glitches. I use SSH X11 forwarding a lot and so far it transitions from Wayland to X without a puff of smoke. I think Debian has done a nice bit of work with Buster and widened the playing field, rather than shrunk it. Where I live every couple of years they change the routes and numbers of major highways, so much so that GPSs and OnStar can't keep up. I travel a lot so I keep an old state map in the glovebox just in case. Combining new and old is sometimes necessary, but actually ill advised for GKSU.

TC
You can't believe your eyes if your imagination is out of focus.

None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: My solution to gksu being deprecated/Buster.

#47 Post by None1975 »

wizard10000 wrote: Wonder how many folks here are running X as root?:D
Maybe they came from Windows world?
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#48 Post by Deb-fan »

Hey Trinidad no worries is good to hear people's opinions. Mine here is obvious though will eventually very likely embrace polkit and policy files but for now gksu/do suits me. Mentioned it was used forever without problems. The lack of maintenance and any security issues were present for quite awhile without any incident. Still can't discount them as trivial and will have to find a better and more approved of practice after while. Until then am fine with gksu and any risk use of it entails, shrugs.

HOWEVER ... AM NOT SAYING ANYONE ELSE SHOULD DO THIS. Was never the intent of starting the thread, only wanted to share some info about it being possible and an option for those who might feel the same as myself about graphical apps + privs. :)

printereverbd
Posts: 1
Joined: 2020-02-28 08:13

Re: My solution to gksu being deprecated/Buster.

#49 Post by printereverbd »

Thanks for sharing this

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#50 Post by Deb-fan »

Welcome, of course still working fine in Buster, no reason it shouldn't. Not like gksu/do hadn't forever. Still believe many of these changes are aimed at enterprise gnu/nix applications rather than overly relevant to avg desktop nixer's. Not griping, have to be grateful for access to all this open source kickbuttness. Still just haven't gotten around to messing with policy files, still will and may as well. Clearly staying current and using what's considered best practice, is the best practice, shrugs. Though this isn't a have to do right now, this very instant type of thing. Despite whatever upstream changes come down I'm still going to pick and choose as I deem fit. If want to continue using Xorg long after Wayland goes default, then I will. End of story.

Edit: Still don't overly care or see the harm in the X process running as root. I don't bother using a display manager because it's unneeded, too many ways to select whichever or combo of de's/wm's on a system and switch between them w/o a DM. In a shared hardware + multi-user environment, yeah more so cause for concern. Only don't care all that much on a trusted user personal system. Anyone care to elaborate or link as to why having the X process running as root is practically certain doom? :)

HEY I GOT IT! Let's cgroup all hades out of root, then even root can't run as root. Bulletproof security, I'mma friggin genius! :P Root user goes to do anything some mystical algo considers shady, msg pops up, "permission denied ... please contact the system administrator." I AM THE SYSTEM ADMIN YOU PIECE OF *CENSORED*!!!

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#51 Post by Deb-fan »

One can never be too secure after all. So came up with another monumental leap forward in security. How about a systemd timer unit or crontab ? Admin is logged in, ... Popup or text on screen ... It's been detected that you're using the admin account. This is bad security practice, please validate user access rights. Enter authorization code ?

*Scratches head, hmmmmm ... when did this thing happen ? Maybe that last upgrade pulled this in. Errrrrr ... didn't know we had this. *Enters password ...

Incorrect: Please enter authorization code ?

Hmmmm, maybe mistyped it ... * Tries again.

Incorrect: Please enter code ? Locking system in 10, 9, 8 ...

Chit, wth ?!?! * Tries again ...

3 failed attempts at authorization, you're being reported to the system administrator, locking system.

I AM THE SYS ADMIN YOU PIECE OF *CENSORED*!!!! :D

For real again this stuff is clearly retarded no matter how you look at it. Sighs ... like people can't just abuse sudo, like people long haven't been doing so anyway. With proper use as long as root's path is used and user's file permissions in home don't get screwed up, wouldn't even cause the slightest issue anyway and fixing it even then is all of one command. Still not really seeing how this policy files nonsense can possibly be of much use. Not at all on a personal computer (desktop nix) extremely limited even on shared hardware + unknown users too. If folks on those VMs or whatever are logged in as root or running apps with sudo or etc. Processes are running with priv's nonetheless. Folks who have important stuff setup and running well have been known not to bother with this type of tardation for longgggg periods of time regardless. To me .. it's just mostly useless and also fairly tarded change for the sake of it.

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#52 Post by Deb-fan »

Yet more brilliance, we'll have gnu/nix untouchable by end of business day!

How about, triple confirmation dialogues?! Edit a system file, go to save, cancel-no-yes, hit yes ... Another popup, are you really sure you want to save? Cancel-no-yes, ... yes + enter. Really, really sure you want to save? OMG ... kill me! Somebody please just kill me and yeah I'm sure! :P

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: My solution to gksu being deprecated/Buster.

#53 Post by CwF »

I started the gksu purge halfway through Stretch xfce, only scarfed the root terminal icon.
Using pkexec I have both direct launchers for passwordless terminal, synaptic, thunar and whatever, but also a user thunar with many root right custom actions. That is simple open in root thunar, edit as root in mousepad, and the like. More complex I have many actions available in a user thunar to manipulate disk images and such, mount things to a vm, a loop, etc., all needing root, or maybe libvirt rights. Don't forget groups.

I think this is all that is required in buster with xfce:
libpolkit-backend-1-0
libpolkit-agent-1-0
libpolkit-gobject-1-0
The action files are more complete now and we can make our own. I go months without typing a password. I favor 'you can't get there from here' and 'I have the keyboard' security models.

I avoid the polkit#metoo.debs so don't know how other desktops work.
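
A polkit action file of the kind the post above says "we can make our own", as an added example that is not part of the original post and not taken from the polkit or Xfce projects. The action id `org.example.pkexec.mousepad`, the file name and the `/usr/bin/mousepad` path are assumptions; it asks for an administrator password on every launch rather than using the passwordless setup the post mentions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!-- Hypothetical file: /usr/share/polkit-1/actions/org.example.pkexec.mousepad.policy -->
<policyconfig>

  <!-- The action id is an assumption chosen for this example. -->
  <action id="org.example.pkexec.mousepad">
    <description>Run Mousepad as root</description>
    <message>Authentication is required to edit a file as root</message>
    <icon_name>accessories-text-editor</icon_name>

    <defaults>
      <!-- Remote (e.g. SSH) sessions may not use this action. -->
      <allow_any>no</allow_any>
      <!-- Local sessions that are not the active seat may not either. -->
      <allow_inactive>no</allow_inactive>
      <!-- The user at the keyboard must give an admin password each time.
           auth_admin_keep would cache the authorization for a short while;
           "yes" would make it passwordless. -->
      <allow_active>auth_admin</allow_active>
    </defaults>

    <!-- pkexec matches this action only for this exact binary
         (assumed install path). -->
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/mousepad</annotate>
    <!-- Let pkexec keep DISPLAY and XAUTHORITY so the program can open a window. -->
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>
```

With this file in place, `pkexec /usr/bin/mousepad /etc/fstab` prompts through the desktop's polkit authentication agent. The editor still runs as root for as long as it stays open, so the action file controls who may launch it and from which session, not what the program can do once running.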

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#54 Post by Deb-fan »

^ What you (CwF) post makes it plain you're big time into IT, clearly know what you're doing. If were talking about forward facing, mission critical, production would go ahead and use this asap. I mean it's clear processes running for a minimum of time with privs has to mean less potential it can be hijacked I guess. You've no doubt got apparmor or SELinux already down pat or could if desired. Still know too much about pentesting to consider this much value in that role either really. Just one more thing which depending should prove easy enough to get around anyway. Only in the context of avg desktop gnu/nix, this kind of thing is fairly well worthless. Not like it's all that big a deal though. Can be reconfig'ed, are others similar to gksu which aren't deprecated too. Actually would think at least it's best to consider them or embrace this newer arrangement.

Ah ... still see it as mostly pointless in terms of enhancing security for desktop nixer's though. Sheesh ran windows for years on end under admin acct w/o issue. This thing isn't really going to do much for users. Common sense is by far the best computer security, folks who run around installing software from questionable sources, running open ports and services without knowing what they're doing etc. Really think this was some knee jerk reaction to the side-channel junk. Ah time to shut it, honestly do just need to bite bullet and get familiar with this policy files thing. Even if don't really think it has merit for desktop gnu/Linux. More inconvenience, than any practical benefit. Really don't consider side-channel all that big a deal for desktop nixer's, shared hardware multi-user un(or)known. Someone gets root, they've got it. Too many ways to do that to see much value in that context with these policy files either. Whatever.

This is still on topic (as security is an integral part of this topic in general.) so yeah. Really don't believe much of the side-channel stupidness is all that relevant to desktop users. Though with considerations, for browsers have long, long quit using any Java plugins in a web browser (or used any JREs), same for flashplayers and also use Noscript with Firefox to prevent javascripts from running on every website in the world. Unless specifically cleared to do so. Many don't even need be allowed to work just fine regardless. Still think it's (side-channel) mostly smoke and FUD in terms of desktop users but any kind of client-side things still have to be considered more closely in my opinion no matter what.

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#55 Post by Deb-fan »

That junk above was more some funny snarks aimed at the faction of gnu/nix users who are constantly harping on sec, sec, SECURITY !!! Privacy, OMG, OMG. Constantly giving other users the impression many things on this platform and using their OS is like handling unstable nitroglycerin, when it's not ... not at all. Oh NO ! Never do that, oh ... don't even ever have a root account (NOOOOO, don't use sudo either!!!), no, no, no ... that's terrible the world shall surely end if you do that !! Think because it is inherently more secure gnu/Linux attracts more than its share of users with either borderline or full blown schizophrenia and paranoia. A user could leave a file-manager and text editor running with priv's 24/7 in the taskbar and not have the slightest issue. As long as they're using common sense and not engaging in (or neglecting considering) the stupid behavior outlined in former posts. Which if someone is doing those types of things, all the default security in the world isn't going to help them if they have root/sudo access anyway.

Mentioned ran Windows, more than one release years and years under the admin account, didn't bother having 16 anti-spy, anti-malware, anti-virus etc progs running 24/7 on them either, didn't want them eating up resources. Had devoted time to learning about what mattered in security in windows though. Knew it wasn't "best practice", still never had problems and eventually did start keeping a separate user/admin acct and using that majority of time. Was just a simple, may as well do the proper thing situation. That's in Window$, they want you (help you along in it) to get your boxen so infected and crapped-up, you just go out and buy another pc, more money for them. Since M$ defaulted to setting up that separate user acct, that simple thing is one HUGE jump forward in making it a much more secure out-of-box platform as with gnu/Linux. Honestly still think this policy files thing is tarded. Still going to hold off even messing with it. In my view it even promotes worse practices, people used to one thing and then what worked changes, esp newer nixers are subject to quickly whip out that big hammer = sudo, in a situation like this or just as likely use some really dirty hacks.

Though again, still isn't really a big deal, misuse of sudo, fix is one command to chown back user ownership of the directories/files in their home. Proper use of sudo, would never even cause any issues at all. Even if for me (polkit + policy files) is just copying over two files here. Am not pressed to bother with it and will do so on my time table. That's all I need, the only graphical apps ever run with priv's, file manager, simple text editor sometimes. Guessing with the dang X process running under root (users mostly using a display manager), this thing is some kind of mitigation for it and with Wayland and the better process isolation/sec, it's supposed to bring, it'll be less of a concern. Though still don't overly care about X process = root, doesn't do so here though cause I don't need a DM anyway. Surely there's a fix for getting X under something other than root even with one though ? Gdm does it, clearly every other very likely can as well.

Ahhhh, getting on my own nerves, though all these NOOOOO, never, ever, NOT EVER do x-simple everyday computing thing. Unless you've got your last will and testament updated and a blast shield in front of your keyboard !!! People, gimme a break. It's not that damn serious. Get real ... :)

Wonder how many among the tinfoil hat nixer crowd would consider the jokes above as features. Would be cool and some nixer probably already has made something that will popup when installing outside trusted sources? Dialogue ... you sure about this bud? Yes/no ... Yes ... ok dude, good luck. :)

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: My solution to gksu being deprecated/Buster.

#56 Post by Deb-fan »

Oops also use gparted at times, both it and thunar already came with default polkit policy files from the folks at freedesktop anyway. Apparently the file as regards gparted is exempt, polkit doesn't bother interfering when it's launched with gksu/do. However the case with thunar wasn't the same, custom actions such as "edit as root" for files etc ceased working with gksu under its supervision. Was just working around it (open terminal here), knew where to look and these policy files things and polkit are fairly easy to understand with minimal effort. However again ... wanted my custom actions to work as they have formerly. Again just MY solution, removed thunar's policy file from the relevant directory so that polkit need no longer concern itself with what thunar's doing. Whamo ... custom actions restored to the file manager.

Absolutely it's important to use effective security and/or privacy in whichever and any OS's people use. To me this is still just tarded, really doesn't do anything possibly useful and just adds a layer of security which is useless to me on desktop. As is the prospect of ever bothering to setup apparmor on a personal system. Not like for anyone with the know-how and desire, apparmor wasn't already easily available to them anyway. Though that's clearly a pointless nit pick regardless. If things were so delicate security-wise for this to even matter (they're not), OMG a given process must only be granted priv's for a mere millisecond, or all is lost, we're all pooched anyway. Someone can log in as root all day long (clearly shouldn't), leave processes running with priv's all day long (also shouldn't), never have an issue. As for the uber-paranoid, OMG never do anything without first doing 35 (mostly pointless) things which impair user convenience, and/or enjoyment, possibly performance of using a given OS.

Again ... are many obvious things to me, they're overlooking or have zero control over anyway. Use of proprietary drivers, firmware, other software etc etc, much other stuff. I know these folks are in many ways totally clueless and out of touch with reality in what they think/advise and they still sometimes get me feeling edgy or second guessing (overthinking) silly junk while using my OS's-tech. Can only imagine with how often this type of thing is shouted, parroted and preached to newer nixers. They must sometimes feel like their OS is going to reach out at any moment and rip their faces off. NOTHING LIKE THE REAL SITUATION. So no need to go running off and getting fitted for any tinfoil head-wear and besides everybody knows aluminum is much superior vs tin in blocking out mind-probes, sheesh. :)
