Yes, the application has to run as root. My point was that the Debian gparted package already works just fine under Wayland, so there's no need to use pkexec or similar, /usr/sbin/gparted will launch from a normal user's terminal even without sudo.
Offline
A Debian bug was raised in 2017 about gparted's use of xhost:
https://bugs.debian.org/cgi-bin/bugrepo … bug=883812
It was supposed to have been removed in 2020, but the gparted wrapper script that ships with 1.6.0-1 in Trixie is still referencing it (although disabled):
#!/bin/sh
# Name: gparted
# Purpose: Perform appropriate startup of GParted executable gpartedbin.
#
# The purpose of these startup methods is to prevent
# devices from being automounted, and to ensure only one
# instance of GParted is running. File system problems can
# occur if devices are mounted prior to the completion of
# GParted's operations, or if multiple partition editing
# tools are in use concurrently.
#
# Copyright (C) 2008, 2009, 2010, 2013, 2015 Curtis Gedak
#
# This file is part of GParted.
#
# GParted is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# GParted is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GParted. If not, see <http://www.gnu.org/licenses/>.
#
#
# Only permit one instance of GParted to execute at a time
#
if pidof gpartedbin 1> /dev/null; then
echo "The process gpartedbin is already running."
echo "Only one gpartedbin process is permitted."
exit 1
fi
#
# Define base command for executing GParted
#
BASE_CMD="/usr/libexec/gpartedbin $*"
#
# For non-root users try to get authorisation to run GParted as root.
#
if test "x`id -u`" != "x0"; then
#
# If there is no configured SU program run gpartedbin as
# non-root to display the graphical error about needing root
# privileges.
#
if test "xpkexec --disable-internal-agent" = "x"; then
echo "Root privileges are required for running gparted."
$BASE_CMD
exit 1
fi
#
# Interim workaround to allow GParted run by root access to the
# X11 display server under Wayland. If configured with
# './configure --enable-xhost-root', the xhost command is
# available and root has not been granted access to the X11
# display via xhost, then grant access.
#
ENABLE_XHOST_ROOT=no
GRANTED_XHOST_ROOT=no
if test "x$ENABLE_XHOST_ROOT" = 'xyes' && xhost 1> /dev/null 2>&1; then
if ! xhost | grep -qi 'SI:localuser:root$'; then
xhost +SI:localuser:root
GRANTED_XHOST_ROOT=yes
fi
fi
#
# Run gparted as root.
#
pkexec --disable-internal-agent '/usr/sbin/gparted' "$@"
status=$?
#
# Revoke root access to the X11 display, only if we granted it.
#
if test "x$GRANTED_XHOST_ROOT" = 'xyes'; then
xhost -SI:localuser:root
fi
exit $status
fi
#
# Search PATH to determine if systemctl program can be found
# and if appropriate daemon is running.
#
HAVE_SYSTEMCTL=no
for k in '' `echo "$PATH" | sed 's,:, ,g'`; do
if test -x "$k/systemctl"; then
if pidof systemd 1> /dev/null; then
HAVE_SYSTEMCTL=yes
break
fi
fi
done
#
# Check if udisks2-inhibit exists in a known location
# and if appropriate daemon is running.
#
HAVE_UDISKS2_INHIBIT=no
for k in /usr/libexec/udisks2/udisks2-inhibit \
/usr/lib/udisks2/udisks2-inhibit; do
if test -x $k; then
if pidof udisksd 1> /dev/null; then
HAVE_UDISKS2_INHIBIT=yes
UDISKS2_INHIBIT_BIN=$k
break
fi
fi
done
#
# Search PATH to determine if udisks program can be found
# and if appropriate daemon is running.
#
HAVE_UDISKS=no
for k in '' `echo "$PATH" | sed 's,:, ,g'`; do
if test -x "$k/udisks"; then
if pidof udisks-daemon 1> /dev/null; then
HAVE_UDISKS=yes
break
fi
fi
done
#
# Search PATH to determine if hal-lock program can be found
# and if appropriate daemon is running.
#
HAVE_HAL_LOCK=no
for k in '' `echo "$PATH" | sed 's,:, ,g'`; do
if test -x "$k/hal-lock"; then
if pidof hald 1> /dev/null; then
HAVE_HAL_LOCK=yes
break
fi
fi
done
#
# Use systemctl to prevent automount by masking currently unmasked mount points
#
MOUNTLIST=''
if test "x$HAVE_SYSTEMCTL" = "xyes"; then
MOUNTLIST=`systemctl show --all --property=Where,What,Id,LoadState '*.mount' | \
awk '
function clear_properties() {
where = ""; what = ""; id = ""; loadstate = ""
}
function process_unit() {
if (substr(what,1,5) == "/dev/" &&
loadstate != "masked" &&
what != "/dev/fuse" &&
where != "/" &&
! (substr(what,1,9) == "/dev/loop" && substr(where,1,6) == "/snap/"))
{
print id
}
clear_properties()
}
/^Where=/ { where = substr($0,7) }
/^What=/ { what = substr($0,6) }
/^Id=/ { id = substr($0,4) }
/^LoadState=/ { loadstate = substr($0,11) }
/^$/ { process_unit() }
END { process_unit() }
'`
if test "x$MOUNTLIST" != "x"; then
systemctl --runtime mask --quiet -- $MOUNTLIST
fi
fi
#
# Create temporary blank overrides for all udev rules which automatically
# start Linux Software RAID array members and Bcache devices.
#
# Udev stores volatile / temporary runtime rules in directory /run/udev/rules.d.
# Volatile / temporary rules are used to override system default rules from
# /lib/udev/rules.d and/or /usr/lib/udev/rules.d (depending on udev
# configuration). (Permanent local administrative rules in directory
# /etc/udev/rules.d override all others). See udev(7) manual page for details.
#
# Default udev rules containing mdadm to incrementally start array members are
# found in 64-md-raid.rules and/or 65-md-incremental.rules, depending on the
# distribution and age. The rules may be commented out or not exist at all.
#
UDEV_TEMP_RULES='' # List of temporary override rules files.
if test -d /run/udev; then
test ! -d /run/udev/rules.d && mkdir /run/udev/rules.d
UDEV_TEMP_RULES=`for udev_default_rules_dir in /lib/udev/rules.d /usr/lib/udev/rules.d
do
test -d $udev_default_rules_dir || continue
egrep -l '^[^#].*mdadm (-I|--incremental)' $udev_default_rules_dir/*.rules 2> /dev/null
ls $udev_default_rules_dir/*bcache*.rules 2> /dev/null
done | sed 's,.*/lib/udev,/run/udev,g' | sort -u`
fi
for rule in $UDEV_TEMP_RULES; do
touch "$rule"
done
#
# Use udisks2-inhibit if udisks2-inhibit exists and deamon running.
# Else use both udisks and hal-lock for invocation if both binaries exist and both
# daemons are running.
# Else use udisks if binary exists and daemon is running.
# Otherwise use hal-lock for invocation if binary exists and daemon is running.
# If the above checks fail then simply run gpartedbin.
#
if test "x$HAVE_UDISKS2_INHIBIT" = "xyes"; then
$UDISKS2_INHIBIT_BIN $BASE_CMD
elif test "x$HAVE_UDISKS" = "xyes" && test "x$HAVE_HAL_LOCK" = "xyes"; then
udisks --inhibit -- \
hal-lock --interface org.freedesktop.Hal.Device.Storage --exclusive \
--run "$BASE_CMD"
elif test "x$HAVE_UDISKS" = "xyes"; then
udisks --inhibit -- $BASE_CMD
elif test "x$HAVE_HAL_LOCK" = "xyes"; then
hal-lock --interface org.freedesktop.Hal.Device.Storage --exclusive \
--run "$BASE_CMD"
else
$BASE_CMD
fi
status=$?
#
# Clear any temporary override udev rules used to stop udev automatically
# starting Linux Software RAID array members and Bcache devices.
#
for rule in $UDEV_TEMP_RULES; do
rm -f "$rule"
done
#
# Use systemctl to unmask those mount points masked above
#
if test "x$HAVE_SYSTEMCTL" = "xyes" && test "x$MOUNTLIST" != "x"; then
systemctl --runtime unmask --quiet -- $MOUNTLIST 2> /dev/null || \
{
cd /run/systemd/system &&
rm -f -- $MOUNTLIST &&
systemctl daemon-reload
}
fi
exit $status
This pkexec test looks totally broken though:
if test "xpkexec --disable-internal-agent" = "x"; then
echo "Root privileges are required for running gparted."
$BASE_CMD
exit 1
fi
That comparison of two strings is always going to fail!
But anyway, here's what actually happens on my Trixie VM (X11 session) when running gparted, up to the point where the authorization window appears:
john@trixie-tester:~$ bash -x /usr/sbin/gparted
+ pidof gpartedbin
+ BASE_CMD='/usr/libexec/gpartedbin '
++ id -u
+ test x1000 '!=' x0
+ test 'xpkexec --disable-internal-agent' = x
+ ENABLE_XHOST_ROOT=no
+ GRANTED_XHOST_ROOT=no
+ test xno = xyes
+ pkexec --disable-internal-agent /usr/sbin/gparted
No invocation of xhost, just a regular pkexec call. So gparted is using pkexec under the hood.
I can't test it on Wayland atm though because I don't have enough free time to fix what got broken in my session last month.
@HoaS I wonder if you could run 'bash -x /usr/sbin/gparted' on your Wayland session for us?
Last edited by johnraff (2025-05-23 06:03:17)
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
This is from Chimera Linux but the launch script is identical except for the path change and a lack of support for LVM groups:
~$ bash -x /usr/bin/gparted
+ pidof gpartedbin
+ BASE_CMD='/usr/libexec/gpartedbin '
++ id -u
+ test x1000 '!=' x0
+ test 'xpkexec --disable-internal-agent' = x
+ ENABLE_XHOST_ROOT=no
+ GRANTED_XHOST_ROOT=no
+ test xno = xyes
+ pkexec --disable-internal-agent /usr/bin/gparted
GParted 1.7.0
configuration --enable-libparted-dmraid
libparted 3.6
+ status=0
+ test xno = xyes
+ exit 0
~$
Side note: I hate the way GNU puts "x" in front of all the tests, it hasn't been needed for a very long time now, just quote the damn variable
Offline
^And gparted comes up on Wayland when launched via that script?
(agreed about the x)
I found another Trixie Wayland VM I had forgotten, upgraded it and tried the same.
The wrapper script fails at the point where pkexec is run and password entered.
However this works (as suggested in the OP):
pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 gparted
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
This is from Chimera Linux but the launch script is identical except for the path change and a lack of support for LVM groups:
~$ bash -x /usr/bin/gparted
+ pidof gpartedbin
+ BASE_CMD='/usr/libexec/gpartedbin '
++ id -u
+ test x1000 '!=' x0
+ test 'xpkexec --disable-internal-agent' = x
+ ENABLE_XHOST_ROOT=no
+ GRANTED_XHOST_ROOT=no
+ test xno = xyes
+ pkexec --disable-internal-agent /usr/bin/gparted
GParted 1.7.0
configuration --enable-libparted-dmraid
libparted 3.6
+ status=0
+ test xno = xyes
+ exit 0
~$
Side note: I hate the way GNU puts "x" in front of all the tests, it hasn't been needed for a very long time now, just quote the damn variable
Agreed on the "x" thing too
A detail:
GParted 1.7.0
So fixed upstream but still broken in trixie, so I wrote my own wrapper:
#!/bin/sh
pidof gpartedbin 1> /dev/null && echo "already running" && exit 1
ENABLE_XHOST_ROOT=yes
GRANTED_XHOST_ROOT=no
if [ "$ENABLE_XHOST_ROOT" = 'yes' ] && xhost 1> /dev/null 2>&1; then
if ! xhost | grep -qi 'SI:localuser:root$'; then
xhost +SI:localuser:root
GRANTED_XHOST_ROOT=yes
fi
fi
/usr/sbin/gparted "$@"
status=$?
# Revoke root access to the X11 display, only if we granted it.
if [ "$GRANTED_XHOST_ROOT" = 'yes' ]; then
echo $GRANTED_XHOST_ROOT
xhost -SI:localuser:root
fi
exit $status
That works but there is an anomaly with gparted/thunar in wayland at least. After closing gparted via the 'X' button thunar proceeds to mount all partitions! If closed via the menu this doesn't happen. I'll try it in sway (wait - sway doesn't have window buttons!) openbox to see what happens.
EDIT:
Was worse in Openbox, but anyway not allowing thunar to auto open seems a reasonable setting for me.
Last edited by micko01 (2025-05-24 00:46:41)
#!/bin/sh
echo '#include <stdio.h>\nvoid main() { printf("Hi, bunsenlabs\\n"); return; }' > bunsen.c
gcc bunsen.c -o bunsen
./bunsen
Offline
Head_on_a_Stick wrote: For the text editor I think this approach is better:
SUDO_EDITOR=bl-text-editor sudoedit $file
I agree. But that command requires a terminal window - we need something that can be launched from a menu. Again, more investigation...
I did some more investigation.
It would be nice if the same mate-polkit (or whatever authentication agent we choose) window came up when launching sudoedit, but it doesn't seem possible. What is possible though is to add the -A option to sudoedit to invoke askpass. There are supposed to be various askpass apps available, but I could only find ssh-askpass, which was on my system already. (Does anybody know any others?) It looks horrible, but if you also install the quite small ssh-askpass-gnome the window becomes quite acceptable-looking.
For now, give this Proof Of Concept a try. This command could go in a menu or .desktop file:
( First install ssh-askpass-gnome )
sh -c "SUDO_ASKPASS=/usr/bin/ssh-askpass SUDO_EDITOR=bl-text-editor sudoedit -A -p 'editing /etc/apt/sources.list' -- /etc/apt/sources.list"
NOTE for testing stuff that has to be able to run without a controlling terminal, gmrun is useful. On BL it's Alt+F2. Just paste the command there.
NOTE2 Here's an old bug report on sudoedit (now fixed) that explains the logic process quite well: https://www.sudo.ws/security/advisories/sudoedit_any/
NOTE3 If we go with this for Carbon then ssh-askpass-gnome will need to be added as a dependency (ssh-askpass not needed) but it's quite small.
Last edited by johnraff (2025-05-31 06:58:25)
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
gparted on wayland
We seem to be rehashing some stuff that I thought had been discussed earlier in this thread.
1) Xhost - my impression is that it is pretty much deprecated, as those bug reports I posted (including in the OP) show.
The Debian build configs do not implement --enable-xhost-root and I don't think that's going to change in future releases. Until convinced otherwise, I still think that the pkexec command which passes two environment variables is the best way on offer, and seems to work OK on Wayland.
2) Gparted's wrapper script. Two things:
a) I misunderstood the purpose of this apparently meaningless code:
if test "xpkexec --disable-internal-agent" = "x"; then
That pkexec stuff is filled in from the source code:
if test "x@gksuprog@" = "x"; then
So @gksuprog@ is dereferenced at build time. I still don't understand how the package build system could know what apps are available to the user, but anyway...
b) Since --enable-xhost-root is not set in the Debian build configs, xhost will never be invoked:
if test "x$ENABLE_XHOST_ROOT" = 'xyes'
But I thought we'd already established last November that gparted starts up OK on Wayland when invoked with:
/usr/bin/pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 gparted
@micko if you think we should rewrite the gparted wrapper itself, then maybe instead of invoking xhost we could edit the pkexec line:
pkexec --disable-internal-agent '/usr/sbin/gparted' "$@"
to
pkexec --disable-internal-agent env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 '/usr/sbin/gparted' "$@"
But if the whole script runs OK when passed the envvars from outside, then I'd just as soon use our pkexec.wrapper in the few places it will be needed and call the standard-issue gparted from that.
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
Couple of things I don't understand:
There doesn't seem to be a problem with running gparted under Wayland for Debian bookworm:
https://i.postimg.cc/Vrb2vMWG/Screenshot-From-2025-05-21-17-47-50.png
This is from Chimera Linux but the launch script is identical except for the path change and a lack of support for LVM groups
I haven't been able to run gparted on Wayland without passing those aforementioned envvars to pkexec. Are you sure you weren't running on X11 for that screenshot?
A detail:
GParted 1.7.0
So fixed upstream but still broken in trixie...
So, what exactly is broken in Trixie?
...there is an anomaly with gparted/thunar in wayland at least. After closing gparted via the 'X' button thunar proceeds to mount all partitions!
I don't understand how Thunar has got involved in this.
I'll try it in sway (wait - sway doesn't have window buttons!) openbox to see what happens.
Openbox? Isn't this all happening in Wayland?
...but anyway not allowing thunar to auto open seems a reasonable setting for me.
What auto-open setting is this?
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
Couple of things I don't understand:
Head_on_a_Stick wrote: There doesn't seem to be a problem with running gparted under Wayland for Debian bookworm:
https://i.postimg.cc/Vrb2vMWG/Screenshot-From-2025-05-21-17-47-50.png
This is from Chimera Linux but the launch script is identical except for the path change and a lack of support for LVM groups
I haven't been able to run gparted on Wayland without passing those aforementioned envvars to pkexec. Are you sure you weren't running on X11 for that screenshot?
micko01 wrote: A detail:
GParted 1.7.0
So fixed upstream but still broken in trixie...
So, what exactly is broken in Trixie?
mick@dellhome:~$ sh -x /usr/sbin/gparted
+ pidof gpartedbin
+ BASE_CMD=/usr/libexec/gpartedbin
+ id -u
+ test x1000 != x0
+ test xpkexec --disable-internal-agent = x
+ ENABLE_XHOST_ROOT=no
+ GRANTED_XHOST_ROOT=no
+ test xno = xyes
+ pkexec --disable-internal-agent /usr/sbin/gparted
Authorization required, but no authorization protocol specified
(gpartedbin:49073): Gtk-WARNING **: 16:32:31.435: cannot open display: :0
+ status=1
+ test xno = xyes
+ exit 1
So it doesn't work at all without intervention. Either your way or the xhost way works here.
@HoaS seems to have gparted-1.7.0 whereas trixie ships 1.6.0.
mick@dellhome:~$ apt policy gparted
gparted:
Installed: 1.6.0-1
Candidate: 1.6.0-1
Version table:
1.6.0-2 600
600 http://mirror.aarnet.edu.au/debian unstable/main amd64 Packages
*** 1.6.0-1 650
650 http://mirror.aarnet.edu.au/debian trixie/main amd64 Packages
100 /var/lib/dpkg/status
..and same is in sid.
...there is an anomaly with gparted/thunar in wayland at least. After closing gparted via the 'X' button thunar proceeds to mount all partitions!
I don't understand how Thunar has got involved in this.
I'll try it in sway (wait - sway doesn't have window buttons!) openbox to see what happens.
Openbox? Isn't this all happening in Wayland?
...but anyway not allowing thunar to auto open seems a reasonable setting for me.
What auto-open setting is this?
It's a thunar-volman setting. It's a thunar bug as it seems doesn't matter the wayland/X thing; after gparted runs the partitions on the probed disk are automounted and opened.
#!/bin/sh
echo '#include <stdio.h>\nvoid main() { printf("Hi, bunsenlabs\\n"); return; }' > bunsen.c
gcc bunsen.c -o bunsen
./bunsen
Offline
johnraff wrote: Couple of things I don't understand:
Head_on_a_Stick wrote: There doesn't seem to be a problem with running gparted under Wayland for Debian bookworm:
https://i.postimg.cc/Vrb2vMWG/Screenshot-From-2025-05-21-17-47-50.png
This is from Chimera Linux but the launch script is identical except for the path change and a lack of support for LVM groups
I haven't been able to run gparted on Wayland without passing those aforementioned envvars to pkexec. Are you sure you weren't running on X11 for that screenshot?
micko01 wrote: A detail:
GParted 1.7.0
So fixed upstream but still broken in trixie...
So, what exactly is broken in Trixie?
micko01 wrote:
mick@dellhome:~$ sh -x /usr/sbin/gparted
+ pidof gpartedbin
+ BASE_CMD=/usr/libexec/gpartedbin
+ id -u
+ test x1000 != x0
+ test xpkexec --disable-internal-agent = x
+ ENABLE_XHOST_ROOT=no
+ GRANTED_XHOST_ROOT=no
+ test xno = xyes
+ pkexec --disable-internal-agent /usr/sbin/gparted
Authorization required, but no authorization protocol specified
(gpartedbin:49073): Gtk-WARNING **: 16:32:31.435: cannot open display: :0
+ status=1
+ test xno = xyes
+ exit 1
So it doesn't work at all without intervention. Either your way or the xhost way works here.
@HoaS seems to have gparted-1.7.0 whereas trixie ships 1.6.0.
..and same is in sid.
We'll have to wait for 1.7.0 but I wonder what has been changed. HoaS said the wrapper script was the same. Maybe something at a deeper level that makes a Wayland hack unnecessary. Nothing about Wayland in the release notes though:
https://sourceforge.net/projects/gparte … ted-1.7.0/
...there is an anomaly with gparted/thunar in wayland at least. After closing gparted via the 'X' button thunar proceeds to mount all partitions!
I don't understand how Thunar has got involved in this.
I'll try it in sway (wait - sway doesn't have window buttons!) openbox to see what happens.
Openbox? Isn't this all happening in Wayland?
...but anyway not allowing thunar to auto open seems a reasonable setting for me.
What auto-open setting is this?
https://i.imgur.com/QH4Vq8tt.png
It's a thunar-volman setting. It's a thunar bug as it seems doesn't matter the wayland/X thing; after gparted runs the partitions on the probed disk are automounted and opened.
Ah yes, now I remember something in the past about Thunar grabbing things it shouldn't have. Like, when you create a new USB partition or something.
If you disable automounting as well as auto-opening (and auto-run) does the problem go away?
Probably a good BL default setting if it isn't already.
https://forums.bunsenlabs.org/viewtopic.php?id=6685
Last edited by johnraff (2025-05-24 07:27:26)
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
Ok, here's the bottom line:
Gparted in debian cripples xhost. That is, it's not built with support for xhost at least for the last 5 years. I dug through the code and that's it.
(snip)
--enable-xhost-root enable explicitly granting root access to the
display [default=disabled]
override_dh_auto_configure:
dh_auto_configure -- --enable-libparted-dmraid --bindir=\$${prefix}/sbin
Stick with the pkexec hack. It works and works well. xhost only works if called before /usr/sbin/gparted on debian, and turned off after of course.
#!/bin/sh
echo '#include <stdio.h>\nvoid main() { printf("Hi, bunsenlabs\\n"); return; }' > bunsen.c
gcc bunsen.c -o bunsen
./bunsen
Offline
^Confirmed from the changelog, which refers to this bug:
https://bugs.debian.org/cgi-bin/bugrepo … bug=883812
gparted (1.0.0-0.1) unstable; urgency=medium
* Non-maintainer upload.
* New upstream release 1.0.0 (2019-05-29)
+ Closes: #940278, #829986
+ Disable the xhost-root hack.
Not required anymore under GTK3 (Closes: #883812)
-- nicoo <nicoo@debian.org> Thu, 30 Jan 2020 17:33:03 +0100
Reading the bug #883812 discussion, the xhost "ugly workaround" was dropped in 2020 because the developers seemed to believe that version of gparted would work on Wayland or at least Xwayland, because it was using GTK3.
The current maintainer Philip Susi, Thu, 09 Jan 2020 wrote:
I tested the exp version under wayland and not only does it work
natively now with gtk3, but even when forced to use Xwayland, it still
works because it seems they finally fixed the bug with gdm and it is now
properly configuring XAUTHORITY. As a result, the --enable-xhost-root
workaround is no longer needed.
That seems no longer to be true, so either the devs (not only P.S.) missed something or there's been a regression in the package since.
Or else, maybe it only works with gdm and not lightdm?
So pkexec hack it is. I'd propose using our pkexec.wrapper script because it might also be needed for synaptic, but we could also ship a gparted.wrapper instead.
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
current pkexec state of play
We're all agreed (I think) that in general it's not a good idea to open graphical apps as root if it can be reasonably avoided. They contain a lot of code which might not have been thoroughly audited for security vulnerabilities. A better approach is to run the GUI with only regular user permissions and invoke root only when needed for specific system operations. Various apps are coming round to this, but unfortunately some important ones remain which still need to be opened as root. Making that impossible in BL would only encourage people to take dangerous short-cuts so I think we should do what we can to strike a happy compromise.
Luckily, the list of apps which we need to provide in our menus and .desktop files requiring root GUIs is quite short.
*) gparted This is the big one. As the maintainer Philip Susi explains in various bug reports, gparted's operations are just not possible without root permissions. Anyway, we have a pkexec workaround available which we can use in menus etc. Needs some final Wayland checking
*) synaptic Has improved, but I think will also need to be invoked with the same pkexec wrapper. Some checking still to do...
*) Thunar Not strictly necessary, but a file manager running as root is quite useful. Thunar at least puts up a big warning banner in that case, showing that the devs are aware of the situation. I don't think we should ship a generic "file manager as root" menu item calling bl-file-manager because that could be set by the user to any file manager, not necessarily safe. Context menu items inside Thunar using pkexec might be OK though. (That's what we have now.) There seems to be a new URI admin:// available in Thunar but I'm not sure if it's ready yet. More investigation...
*) Editing text files as root. This is something people have to do all the time. Of course 'sudo nano <file>' works, but there's something to be said for letting people use the text editor they're familiar with. Lower risk of mistakes. Right now we're providing 'pkexec bl-text-editor' (with appropriate polkit permissions set up) but that means any text editor - whatever the user has set as bl-text-editor - could be running as root. Safer would be to take up Head_on_a_Stick's suggestion of using sudoedit which comes with sudo. Details of a possible implementation here. That allows the text editor GUI to run with user permissions, only using root to copy a temporary edited file into place at the end. Needs testing on Wayland.
EDIT: Tested on Wayland and the ssh-askpass-gnome password window comes up OK, as does the text editor window.
*) terminal emulator There's no need to run a terminal GUI as root at all IMO. Just open a user terminal and run root commands inside it.
Last edited by johnraff (2025-05-31 07:03:45)
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
^ Great summary!
Also, screw Synaptic. But that's from someone who hasn't used the application in ten years. Search engine, Debian package search, apt install.
Maybe not what a n00b wants to do.
No, he can't sleep on the floor. What do you think I'm yelling for?!!!
Offline
^Synaptic's useful sometimes IMO, but in fact most of the handy search functions etc will work in the user-permissions mode. So root GUI perhaps not strictly necessary. I remember in my early Linux days I used it all the time though.
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
I remember in my early Linux days I used it all the time though.
Fair enough, and reiterates what I said about n00bs.
Root permission for GParted though, that's a biggie. As you stated.
Maybe the Wayland devs will come up with something? (*chuckles in GNOME*)
No, he can't sleep on the floor. What do you think I'm yelling for?!!!
Offline
gparted_1.6.0-2 recently landed in trixie with this patch for exfatprogs. Works the same for me; I have no current need for exfatprogs anyway, but of course useful for those that do.
I found something interesting as far as wayland is concerned for our pkexec wrapper. Because we are creating a new environment for gparted (or any program that needs root) for wayland you can add the GTK_THEME envvar and get the current theme to show up. Unfortunately I couldn't get it to work for X11. Would have been nice because it adds some gui consistency. Icons are the defaults though as there is no envvar for icons. Someone did raise an issue for this at gnome gitlab but it was dismissed.
Here is what I'm using for my pkexec.wrap now:
#!/bin/sh
# don't fail silently env GTK_THEME="$curtheme"
# If pkexec is missing, show an error dialog and stop instead of carrying on.
hash pkexec >/dev/null 2>&1 || {
    yad --title=error --window-icon="dialog-error" --name="dialog-error" \
        --text="Error: pkexec is not installed." \
        --button="Close!dialog-error":1
    exit 1
}
if [ -z "$WAYLAND_DISPLAY" ] ; then
    # X11 session: plain pkexec
    pkexec "$@"
else
    # Wayland session: pass the compositor socket and the current GTK theme to root
    curtheme=$(gsettings get org.gnome.desktop.interface gtk-theme | tr -d "'")
    pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
        XDG_RUNTIME_DIR=/run/user/0 GTK_THEME="$curtheme" "$@"
fi
I also wrote a handy little gtk3dialog script to target any drive connected to your machine (internal or external) and run gparted directly on that drive. Works fine in X11 and wayland.
#!/bin/bash
is_usb_device() {
local device_path=$1 # such as /dev/sdc
for devlink in /dev/disk/by-id/usb*; do
if [ "$(readlink -f "$devlink")" = "$device_path" ]; then
return 0
fi
done
return 1
}; export -f is_usb_device
get_drives() {
MHOME=$(grep -o .*' / ' /proc/mounts)
MHOME=${MHOME:5:3}
while read -r N R S M;do
if is_usb_device /dev/$N; then
case $R in
0)
TYPE='solid state disk'
case $S in
*T|[1-9][[0-9][0-9].[0-9]G)ICO=drive-harddisk-solidstate;;
*)ICO=media-removable;;
esac
;;
1)
TYPE='spinning disk'
ICO=drive-harddisk
case $S in
*T)ICO=drive-harddisk-usb;;
*)ICO=media-removable;TYPE='solid state disk';;
esac
;;
esac
elif ! is_usb_device /dev/$N; then
[[ $R -eq 0 ]] && ICO=drive-harddisk-solidstate TYPE='solid state disk' || ICO=drive-harddisk TYPE='spinning disk'
fi
DIS=''
TT="/dev/$N"
if [[ "$N" == "$MHOME" ]]; then
DIS='<sensitive>false</sensitive>'
TT="'/' root filesystem is mounted here. Disabled"
fi
echo "<hbox homogeneous=\"true\">
<hbox space-expand=\"true\" space-fill=\"true\"><text use-markup=\"true\" tooltip-text=\"$TYPE - $M\" xalign=\"0\"><label>\"<big>Disk: $N</big>\"</label></text></hbox>
<hbox space-expand=\"true\" space-fill=\"true\"><text use-markup=\"true\"><label>\"<big>Size: $S</big>\"</label></text></hbox>
<button tooltip-text=\"$TT\"><height>32</height><width>32</width><input file icon=\"$ICO\"></input>
<action>pkexec.wrap /usr/sbin/gparted /dev/$N</action>
<action>exit:OK</action>$DIS
</button>
</hbox>"
done <<<$(lsblk -o NAME,ROTA,SIZE,MODEL -n | grep -vE '─|sr')
}
DISKS=$(get_drives)
export GUI='<window title="Resize with GParted" icon-name="drive-harddisk" width-request="360">
<vbox>
<hbox space-expand="true" space-fill="true"><text><label>Choose a drive to manipulate.</label></text></hbox>
<hseparator></hseparator>
'$DISKS'
<hseparator></hseparator>
<hbox><button cancel></button></hbox>
</vbox>
</window>'
printf "%b\n" "$GUI" | gtk3dialog -s
The greyed out button is where / resides so can't be selected. IDK if Yad has this feature otherwise a Yad GUI could work.
The icons represent in order:
internal spinning disk
internal SSD
external SSD - not enough icons to differentiate - I could add one though
USB stick
USB spinning disk
#!/bin/sh
echo '#include <stdio.h>\nvoid main() { printf("Hi, bunsenlabs\\n"); return; }' > bunsen.c
gcc bunsen.c -o bunsen
./bunsen
Offline
More interesting ideas!
...we are creating a new environment for gparted (or any program that needs root) for wayland...
Anyway adding a couple of variables to the "minimal known and safe environment" that pkexec sets up.
you can add the GTK_THEME envvar and get the current theme to show up. Unfortunately I couldn't get it to work for X11. Would have been nice because it adds some gui consistency.
This topic comes up occasionally. Some people would like the root GUI that they have opened to inherit the same GTK theme that they regularly use, yes for consistency. Others are OK with the root GUI looking quite different, as a reminder to Be Careful. The latter is where BL is at the moment.
Here is what I'm using for my pkexec.wrap now:
#!/bin/sh
# don't fail silently env GTK_THEME="$curtheme"
hash pkexec >/dev/null 2>&1 || \
yad --title=error --window-icon="dialog-error" --name="dialog-error" \
--text="Error: pkexec is not installed." \
--button="Close!dialog-error":1
Let's add that pkexec check to our wrapper anyway.
curtheme=$(gsettings get org.gnome.desktop.interface gtk-theme | tr -d "'")
On my boron system running X11:
john@boron:~$ gsettings get org.gnome.desktop.interface gtk-theme
'Adwaita'
My current theme is not Adwaita it's Boron-aqua.
I also wrote a handy little gtk3dialog script to target any drive connected to your machine (internal or external) and run gparted directly on that drive.
I'm probably missing something basic here, but can't gparted already operate on any drive connected to your machine, without having to be run directly on that drive?
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
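Added example (not from any poster, and not BunsenLabs' own pkexec.wrapper): a variant of the pkexec.wrap script and the "minimal known and safe environment" point above that checks each value before placing it in root's environment. The function names, the `PKEXEC` and `FORWARD_GTK_THEME` variables and the return codes are assumptions made for illustration, and `WAYLAND_DISPLAY` is assumed to be a bare socket name, as the thread's wrapper also assumes.

```shell
#!/bin/sh
# Added example: validate what a pkexec wrapper forwards into root's
# environment. All function and variable names here are hypothetical.

PKEXEC=${PKEXEC:-pkexec}   # overridable so the command line can be inspected

# A socket name must be a bare token: letters, digits, ".", "_" and "-",
# not starting with "-" or ".". That excludes "/", "=" and whitespace.
is_bare_name() {
    case "$1" in
        '' | -* | .* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# GTK_THEME may also carry a variant after a colon, e.g. "Adwaita:dark".
is_theme_name() {
    case "$1" in
        '' | -* | .* | *[!A-Za-z0-9._:-]*) return 1 ;;
    esac
    return 0
}

# The compositor socket must be a socket owned by the calling user.
is_own_socket() {
    [ -S "$1" ] && [ -O "$1" ]
}

# check_forwarded_env RUNTIME_DIR DISPLAY_NAME [THEME]
# Returns 0 if everything may be forwarded, otherwise:
#   2 bad display name, 3 bad runtime dir, 4 socket missing or not ours,
#   5 bad theme name (an empty theme means "do not forward one").
check_forwarded_env() {
    cfe_dir=$1 cfe_display=$2 cfe_theme=${3:-}
    is_bare_name "$cfe_display" || return 2
    case "$cfe_dir" in
        /*) ;;
        *) return 3 ;;
    esac
    [ -d "$cfe_dir" ] && [ -O "$cfe_dir" ] || return 3
    is_own_socket "$cfe_dir/$cfe_display" || return 4
    if [ -n "$cfe_theme" ]; then
        is_theme_name "$cfe_theme" || return 5
    fi
    return 0
}

# run_as_root COMMAND [ARGS...]
# X11 session (WAYLAND_DISPLAY unset): plain pkexec, as in the thread.
# Wayland session: forward the checked values, refuse if any check fails.
run_as_root() {
    if [ -z "${WAYLAND_DISPLAY:-}" ]; then
        "$PKEXEC" "$@"
        return
    fi
    rar_rc=0
    check_forwarded_env "${XDG_RUNTIME_DIR:-}" "$WAYLAND_DISPLAY" \
        "${FORWARD_GTK_THEME:-}" || rar_rc=$?
    if [ "$rar_rc" -ne 0 ]; then
        echo "refusing to forward environment to root (check $rar_rc)" >&2
        return "$rar_rc"
    fi
    # Build the env(1) argument list in front of the command to run.
    if [ -n "${FORWARD_GTK_THEME:-}" ]; then
        set -- "GTK_THEME=$FORWARD_GTK_THEME" "$@"
    fi
    set -- "WAYLAND_DISPLAY=$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" \
        "XDG_RUNTIME_DIR=/run/user/0" "$@"
    "$PKEXEC" env "$@"
}

# Constructed sample values; only the first is a plausible socket name.
for sample in 'wayland-0' '../../tmp/sock' '-i' 'wayland-0 X=1'; do
    if is_bare_name "$sample"; then
        echo "forward: $sample"
    else
        echo "reject:  $sample"
    fi
done
```

A menu entry would call `run_as_root /usr/sbin/gparted`; setting `PKEXEC=echo` prints the command line that would be run without elevating anything.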
When you run gparted with no options it just seems to scan the drive where '/' resides. Tested in my carbon install and on slackware64-current. Adding the arg /dev/sdX targets whatever drive. Hence my little utility above.
#!/bin/sh
echo '#include <stdio.h>\nvoid main() { printf("Hi, bunsenlabs\\n"); return; }' > bunsen.c
gcc bunsen.c -o bunsen
./bunsen
Offline
Are all the other drives - mounted or not - not available in that dropdown menu on the top right?
I just plugged in a usb stick and after hitting "Refresh Devices" it was there.
This is on Boron though. I can't test on Carbon because it's a VM with only one drive.
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline