
#1 2019-01-19 08:05:14

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Removal of gksu/gksudo ... general discussion.

In my case, this is one of those things done by upstream that annoys me. Still as mentioned in another thread, tend to feel I just have to accept such developments as they come and then find a solution that appeals to me as a desktop gnu/Linux user.

What started this junk off for me, was wanting to dork around with Linux Mint (Mate) in this case. In Debian it's a moot point, as gksu and related packages are available in the current stable repositories. Not the case for buntu/based, such as LM main releases. Not that it took much effort to sort out to my satisfaction. Just tracked down the two .deb(s) I needed from an earlier release, like 14.04 or something and installed them to get gksu/gksudo working normally.

Despite people mentioning this was coming for YEARS. I didn't pay any attention to it. While it's a non-issue for the life of the current Debian stable release, gksu-etc have been removed from the testing and unstable branches and are going to be replaced with polkit + .policy files and using pkexec for the purpose of launching graphical applications with privileges in future Debian stable.

Overall this whole thing aggravates me, as I don't see how this being implemented improves anything. Change for improvement makes perfect sense, change for the sake of apparently just screwing with things for the sake of it, not so much.

People can create or modify these .policy files as they please. How does having a stupid .policy file make an application more secure anyway ? Seems to me the place to make sure software is well coded, functions as intended and acts in a non-malicious manner would be auditing or in the actual development of the software used itself. People can still launch anything they want with sudo + whichever options, people can of course run as root user and launch/use anything they desire. Overall I just don't get it. In no way see this as any kind of improvement. To me comes off as foolish and aggravating change, for the sake of screwing with something.

Any thoughts fellow nixers, particularly anything that's solid data based and outlines the merits of pkexec vs gksudo etc ? Thanks in advance.

Online

#2 2019-01-19 08:49:19

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

The problem is partly that the devs dropped maintaining it upstream, add to which there's a genuine vulnerability in the helper library it uses (unpatched and never likely to be fixed) there's a CVE for it though run arbitrary code as root, not a good idea, you get an idea why it was pulled, the gnome devs lost interest since it wouldn't work under wayland which is where they're going...

Gentoo have also pulled it,  they have a security advisory saying no known workaround and advising everyone to uninstall it.

So you have policykit, and if you want a graphical front end for sudo, there's lxqt-sudo & a kde variant, neither of which use the dodgy library, nothing using gtk... but it seems you can't have everything.

I suppose someone could fork gksudo, if they wanted to fix the security hole & maintain it, had a pile of other bugs filed with Debian too when it was pulled.. those might need addressing too.

Last edited by Bearded_Blunder (2019-01-19 09:16:35)


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#3 2019-01-19 09:17:39

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

Hey thanks, plenty of interesting info. :)

Had found the lxqt-sudo and the kdesudo deal. Really appreciate the adds Bearded_B. Being an uber-anal person have of course googled and found info aplenty on this but the simple and concise way you typed out that post just made something click.

Online

#4 2019-01-19 09:25:23

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

Found the info earlier actually, when looking for workarounds for broken session tracking for policykit in Debian under sysvinit.  You just happened to mention something I dug into recently.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#5 2019-01-20 16:07:44

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

This subject actually made me learn a lot. The differences in the options being used with sudo and etc. It's really a non-issue overall and one of those things any user with some common sense and/or google-fu can easily sort out regardless. Oh well just don't like the situation as it stands with Linux Mint. Really disappointed in the lack of initiative the devs-maintainers there seem to show.

The use of gksu and killing it off in gnome-centric (new user focused) distros without a well polished replacement put in place still seems mostly silly to me. Used it (gksu/do) pretty much the entire time I've used gnu/Linux and never had any resulting issues. Hey Bearded_Blunder, have you tried the lxqt-sudo software ? Anyone else with opinions on that ? Thanks fellow nixers.


Vll! :)

Last edited by BLizgreat! (2019-01-20 16:19:01)

Online

#6 2019-01-28 16:34:58

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

Yup I've tried lxqt-sudo, don't install it with recommends, you'll get 2/3 of the LXQt DE & defaulted to the lxqt-session just for a password box for sudo, not so bad with --no-install-recommends.
It works just fine, but being qt based it'll bring more deps than is ideal if you're in a mainly gtk environment like Bunsen even without recs.
I was kinda pushed into trying lxqt-sudo by trying to run Bunsen on Buster with sysvinit, the pkexec option gets broken by the switch policykit and it appears other things it talks to need recompiling for different session tracking, and consequently no (working) password agent, you can make policykit rules to do stuff provided you reduce the security to zero for the command -- long story & many wasted hours, back to lxsu(do) it's exactly like gksu(do) to use except obviously the command is different.  Might be some mileage in sudo -A if you find a suitable gtk dialogue (ssh-askpass or friends maybe?), or just live with pulling in the Qt libs.

Nobody wrote a gtk alternative to gksu(do) because, well gksu(do) was already there and worked, why reinvent the wheel? Unless of course your UI was all Qt (LXQt, KDE) then you had a reason & they each did.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#7 2019-01-28 19:47:48

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

^ Appreciate the commentary, always good to hear from someone with 1st hand experience in a matter. I've pitched in the towel on Mint again anyway. Can't really deal with the community and even the distro anymore. If were going to use ubuntu, would just go ahead and do the minimal install and build the sucker according to what I like. Once someone gets used to doing it their way, think it ruins them for most other gnu/Nix.

Was no issue getting gksudo installed and working ( in LM main release), just had to snatch the 2 packages from an earlier archive. Guessing gksu/do will remain a viable option for quite awhile. Then may try lxqt-sudo or who knows what other approach to doing what gksudo does/did, shrugs. Thanks again Bearded_Blunder. :)

Last edited by BLizgreat! (2019-01-28 19:49:32)

Online

#8 2019-01-28 21:23:58

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

In the sense of working & installing.. then gksu is "Viable", in the sense of being a good idea, not so much, see the linked security advisories in post two, for myself that'd be sufficient to use lxqt-sudo instead, & hang the extra deps.. ok it's Qt, but you see it what? 5 seconds every now & then, and it's not eye-searingly out of place like the 1995 ish xscreensaver password dialogue, only slightly mismatched.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#9 2019-01-29 07:27:47

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

^ LOL ... you weren't kidding, lxqt-sudo is BUTT-UGLY. :D Oh well ... still went ahead and installed it just to dork around. It's a fresh minimal netinstall of Stretch, though I have installed various junk too. Installing lxqt-sudo pulled in 9 packages. Popped open gmrun and opened thunar with the thing, yowza !!! Ah agree with you though, a box you type a password into, it's not like someone has to look at it all the time. Could definitely live with it if needed.

The exploit for gksu from what I'd found googling about it, supposedly takes someone "tricking" users into installing malicious software on their gnu/Nix Os to even be an issue. Vast majority of us and hopefully comp users in general know better than to just install software from anywhere/everywhere. I don't think it's all that big a deal and considering Debian has left it in the stable repositories for the life of Stretch, seems to me that must mean they aren't considering it a big deal.

Hey ... this prompted me to learn things about sudo and what the options mean and to just in general poke around at stuff under the hood I may not have otherwise. Definitely no shortage of workarounds, which is nothing new for gnu/Linux. Seems just a matter of enough googling and experimenting to figure whatever someone wants out. :)

Also just for hades of it, looking at another graphical frontend I'd found digging into this, seems Arch has one called qsudo, which believe is something ported from Bsd ? Trying to work up the energy to track down the source for it and try compiling it just to dork around. Not sure if that will ever happen.

Dobbie3 might sound off on it, if he has any opinions or experiences on qsudo ?

Pointless babble-update: Not quite sure wth qsudo is, only been able to find it on git atm. Really doubting it's worth the effort anyway. Wanted to mention it just cause. Maybe someone here does have something to say on it.

Last edited by BLizgreat! (2019-01-29 08:20:30)

Online

#10 2019-01-29 14:30:59

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

BLizgreat! wrote:

^ LOL ... you weren't kidding, lxqt-sudo is BUTT-UGLY. :D

To be fair, installed on Bunsen & without the recs that pull in virtually the entire lxqt DE, it arrives with a near enough empty ~/.config/lxqt/lxqt.conf to the extent you need to set icon_theme= there to stop it spitting errors when launched in a terminal, I strongly suspect there's other things you could define there to tame the appearance, but frankly I've not the first clue with regards to theming, and not much interest for something so infrequently seen.

Not like the default replacement for gksu (policykit-1-gnome) which responds when using pkexec is exactly a thing of beauty either.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#11 2019-01-29 20:46:21

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

Dang don't even want to see that sucker. :D For the time being sticking with gksu but sheesh, looking like it's time for a change and lxqt-sudo isn't bad at all. Like you mention, am sure a theme-etc could switch its appearance though feel the same way about it. Doesn't seem important enough to bother with. Overall though having a convenient way to launch graphical apps with privileges does seem important. In particular for desktop gnu/Linux use.

Online

#12 2019-02-09 05:44:32

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

BLizgreat! wrote:

Overall though having a convenient way to launch graphical apps with privileges does seem important. In particular for desktop gnu/Linux use.

There's always:

sudo -H graphical-app &

in a terminal if shove comes to push, just don't forget the -H else if that app decides to write or update its config stuff you'll end up with files owned by root in your home & potentially misbehaving graphical-app which won't let you reconfigure it back when you notice three weeks later and you've forgotten you ever launched it with privileges.

Main reason you get told "don't launch graphical stuff with plain sudo".


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#13 2019-02-09 07:37:13

ohnonot
...again
Registered: 2015-09-29
Posts: 4,092
Website

Re: Removal of gksu/gksudo ... general discussion.

Bearded_Blunder wrote:

There's always:

sudo -H graphical-app &

in a terminal if shove comes to push, just don't forget the -H else if that app decides to write or update its config stuff you'll end up with files owned by root in your home & potentially misbehaving graphical-app which won't let you reconfigure it back when you notice three weeks later and you've forgotten you ever launched it with privileges.

Main reason you get told "don't launch graphical stuff with plain sudo".

i don't think you need this anymore.
At least I cannot remember the last time this has happened to me, except for geany and that was years ago.

From 'man sudo' (highlighting by me):

-H, --set-home
                 Request that the security policy set the HOME environment variable to the home
                 directory specified by the target user's password database entry.  Depending on
                 the policy, this may be the default behavior.

that said, there's still plenty of good reasons why you shouldn't make it a habit to start graphical apps with superuser privileges.

Last edited by ohnonot (2019-02-09 07:38:12)

Offline

#14 2019-02-09 08:03:54

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

ohnonot wrote:

that said, there's still plenty of good reasons why you shouldn't make it a habit to start graphical apps with superuser privileges.

And plenty of config files owned by root you may need to edit, needing to edit a root owned file is not "making a habit"
Though I actually quite like nano for the job, but many will like graphical stuff.

Furthermore, is this supposed to extend to "not making a habit" out of reconfiguring disks? (GParted) ? If it needs reconfiguring it needs it & you need root.

Nobody suggested starting LibreOffice & making presentations as root.

Lighten up on the anti-root stuff!  He's not evil.

-H might also not be the default, & it's completely harmless if restated in the command even if it is.

Last edited by Bearded_Blunder (2019-02-09 08:06:57)


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#15 2019-02-09 08:12:02

ohnonot
...again
Registered: 2015-09-29
Posts: 4,092
Website

Re: Removal of gksu/gksudo ... general discussion.

Bearded_Blunder wrote:

Lighten up on the anti-root stuff!  He's not evil.

wtf.
my statement was clear enough:

there's still plenty of good reasons why you shouldn't make it a habit to start graphical apps with superuser privileges.

:rolleyes:

Offline

#16 2019-02-09 08:15:48

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

Nobody is advocating any such thing, *you're* the one jumping on people discussing perfectly legitimate tools for launching such apps WHEN NEEDED


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline

#17 2019-02-09 15:15:57

S7.L
Member
Registered: 2018-09-16
Posts: 338

Re: Removal of gksu/gksudo ... general discussion.

I don't have a need for root as gui, root operations are done via terminal. Although I would like to know how spacefm handles root windows, I've used it a few times just to see the usage, quite an interesting file manager spacefm, I've upgraded to the spacefm-ng on arch linux which is maintained kind of regularly. Not everyone is going to know how to manage root operations when push comes to shove and sometimes gui apps help but I would also advise against it in favour of the terminal with sudo.

Offline

#18 2019-02-09 16:25:04

ohnonot
...again
Registered: 2015-09-29
Posts: 4,092
Website

Re: Removal of gksu/gksudo ... general discussion.

Bearded_Blunder wrote:

Nobody is advocating any such thing, *you're* the one jumping on people discussing perfectly legitimate tools for launching such apps WHEN NEEDED

Where in this thread am I "jumping on" anybody? It really seems that YOU are doing that, very keen on getting me into a fight, across several threads. i wonder what triggered that...

in post #13 i made a constructive addition to your previous post, and yes, not without adding that even so "there's still plenty of good reasons why you shouldn't make it a habit to start graphical apps with superuser privileges."
that's all.

what YOU made out of it so far:
"*you're* the one jumping on people discussing perfectly legitimate tools"
"Nobody suggested starting LibreOffice & making presentations as root."
and
"Lighten up on the anti-root stuff!  He's not evil."

you must be hurting.

Last edited by ohnonot (2019-02-09 16:26:01)

Offline

#19 2019-02-09 16:26:42

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

Dang this sucker took off. Yeah am aware of a few ways to use sudo etc. Though did see something about such not being possible in Wayland without a "work around". Don't keep close watch on its development, so unsure if that's still the case. Do think many nixers tend to take root too seriously. It's not a poisonous snake, wearing a bomb. :) Ran many a windows system under the administration acct, continuously for years on end and the pc never killed me.

As a simple matter of convenience esp in desktop gnu/nix, it's clearly a good feature. I could live in cli too but wouldn't make for the most satisfying desktop experience. Overall doesn't matter, like everything gnu/nix there are plenty of solutions for when/if gksu goes away.

Vll! :)

Online

#20 2019-02-09 16:42:47

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

Ok guys, I want a good dirty fight. Gonna need yous to go to separate corners and when the bell rings, come out swinging. :P

Yeah lately seems you/BB may be going through some of those pesky life things we all have to deal with here and there. Though glad he's around and among the nixer community too. Hope whatever it is, isn't too serious and works out well.

GROUP DIGI-HUG FELLOWS, WHO'S IN? :)

Online

#21 2019-02-09 18:48:51

malm
jgmenu developer
Registered: 2016-10-13
Posts: 526
Website

Re: Removal of gksu/gksudo ... general discussion.

Now now, come on guys. Much nicer if we stay polite.

Offline

#22 2019-02-09 20:33:59

iMBeCil
WAAAT?
From: Edrychwch o'ch cwmpas
Registered: 2015-09-29
Posts: 649

Re: Removal of gksu/gksudo ... general discussion.

^Naah, being polite is overrated.

The constructiveness is what people on internet mostly lack. ;)


Postpone all your duties; if you die, you won't have to do them ..

Offline

#23 2019-02-10 06:16:38

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Removal of gksu/gksudo ... general discussion.

ohnonot wrote:

in post #13 i made a constructive addition to your previous post, and yes, not without adding that even so "there's still plenty of good reasons why you shouldn't make it a habit to start graphical apps with superuser privileges."
that's all.

Well I have to disagree with your "constructive" addition saying you don't need a switch which keeps sudo safe from the consequences outlined even if a local administrator has changed the default policy is like telling people they only need to look one direction crossing a one way street. If they take such advice then occasionally someone will get hurt.

You can't rely on defaults which may have been reconfigured, heck if you relied on people having the default Debian desktop you'd be wrong more than 2/3 the time.

So that annoyed me and I possibly overreacted.

Starting graphical apps as root isn't something to do willy-nilly I agree, on the other hand, given a system without policykit I'd rather see someone make a habit of launching synaptic that way than see them not update.  Just an example, and I do know users who're scared of using a terminal.


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me

Offline
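
The -H question argued over in posts #12 to #23, as an added example that is not part of any post in this thread: per sudoers(5), plain sudo leaves HOME alone only when env_reset is disabled or HOME is listed in env_keep, and always_set_home overrides both, so the sketch below checks a policy file for that and lists anything in a directory tree not owned by its user. The function names and the sample policy are made up for illustration, and the parser is a simplification that ignores include files and treats user- or host-scoped Defaults as global.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# home_kept_by_plain_sudo SUDOERS_FILE
# Prints "kept" if `sudo app` without -H would leave HOME pointing at the
# invoking user's directory under these Defaults, otherwise "reset".
home_kept_by_plain_sudo() {
    awk '
        BEGIN { reset = 1 }                      # env_reset is on by default
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*Defaults/ {
            if ($0 ~ /!always_set_home/)     always = 0
            else if ($0 ~ /always_set_home/) always = 1
            if ($0 ~ /!env_reset/)           reset = 0
            else if ($0 ~ /env_reset/)       reset = 1
            # HOME as a whole word in an env_keep assignment (= or +=)
            if ($0 ~ /env_keep[ \t]*[+]?=(.*[^A-Z_])?HOME([^A-Z_]|$)/) keep = 1
        }
        END { print ((always || (reset && !keep)) ? "reset" : "kept") }
    ' "$1"
}

# foreign_owned DIR OWNER
# Lists entries under DIR not owned by OWNER (user name or numeric uid),
# i.e. what a root-run graphical app can leave behind in a user's home.
foreign_owned() {
    find "$1" -xdev ! -user "$2" -print 2>/dev/null
}

# Demo on a constructed policy that keeps HOME, then a look at ~/.config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
Defaults env_keep += "DISPLAY HOME XAUTHORITY"
EOF
echo "constructed policy, plain sudo: HOME is $(home_kept_by_plain_sudo "$sample")"
echo "entries under $HOME/.config not owned by uid $(id -u):"
foreign_owned "$HOME/.config" "$(id -u)" | head -n 20
rm -f "$sample"
```

/etc/sudoers is normally readable only by root, so run the policy check as root or against a copy of the file.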

#24 2019-02-10 06:35:20

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

^Understandable, those terminals with the weird talking cow, always freak me out.

Online

#25 2019-02-13 19:20:56

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,070

Re: Removal of gksu/gksudo ... general discussion.

Was dorking with lxqt-sudo and launched it in terminal, Yep complaints about icon theme not set and missing icon theme etc. So yeah can no doubt polish its appearance. Still don't view it as important but good to know people can spruce it up if desired.

Online
