Re: [DNG] pkexec in Chimaera
Lars Noodén via Dng wrote:
> sudoedit is running as root there, but it is not itself an editor.
>
> You can verify for yourself that the editor runs under the unprivileged
> account. Here is an example of using sudoedit to fire up Geany:
>
> $ EDITOR=geany sudoedit /etc/group &
>
> $ ps -p $(pgrep -d , 'sudoedit|geany') -o user,pid,ppid,args
> USER PID PPID COMMAND
> root 221381 221316 sudoedit /etc/group
> lars 221382 221381 geany /var/tmp/group.XXm6gNkW
>
> As you see, sudoedit is a wrapper which supervises the editor and a
> temporary file.
>

I see. Was confused not seeing "vi" in process list, only sudoedit.
Turns out, it was running as /usr/bin/editor (as local user, not root).
Thanks for your explanation and patience :-)

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] pkexec in Chimaera
On 11/14/21 20:44, tempforever wrote:
Lars Noodén via Dng wrote:
[snip]
On 11/8/21 05:12, tempforever wrote:
> You say that sudoedit will run the editor itself under the unprivileged
> account; however, it appears it does run as root:
[snip]

Yes, I say that, but I got it from the manual page which is much more
authoritative. It goes through the steps:

  1. Temporary copies are made of the files to be edited with the
     owner set to the invoking user.

  2. The editor specified by the policy is run to edit the temporary
     files. The sudoers policy uses the SUDO_EDITOR, VISUAL and
     EDITOR environment variables (in that order). If none of
     SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed
     in the editor sudoers(5) option is used.

  3. If they have been modified, the temporary files are copied back
     to their original location and the temporary versions are
     removed.

sudoedit is running as root there, but it is not itself an editor.

You can verify for yourself that the editor runs under the unprivileged
account. Here is an example of using sudoedit to fire up Geany:

$ EDITOR=geany sudoedit /etc/group &

$ ps -p $(pgrep -d , 'sudoedit|geany') -o user,pid,ppid,args
USER PID PPID COMMAND
root 221381 221316 sudoedit /etc/group
lars 221382 221381 geany /var/tmp/group.XXm6gNkW

As you see, sudoedit is a wrapper which supervises the editor and a
temporary file.

/Lars
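The check from the message above as a reusable script, added here as an example and not part of the original post: it reads `ps` output, finds each `sudoedit` (or `sudo -e`) process and reports which account its child editor runs under. The sample listing is constructed (the first pair mirrors the thread's output, the root-owned editor is a made-up failing case), and the script assumes the editor is a direct child of the wrapper.

```shell
#!/bin/sh
# Constructed sample in the layout of `ps -e -o user,pid,ppid,args`.
# The last two rows are a made-up case: sudoedit started by root itself,
# so the editor it spawns is root-owned too.
sample_ps() {
cat <<'EOF'
USER PID PPID COMMAND
lars 221316 221300 -bash
root 221381 221316 sudoedit /etc/group
lars 221382 221381 geany /var/tmp/group.XXm6gNkW
root 3167 3100 sudoedit /etc/hosts
root 3170 3167 /usr/bin/editor /var/tmp/hosts.XXabc123
EOF
}

# Reads ps output on stdin. For every child of a sudoedit wrapper prints
#   OK <user> <pid> <command>            editor runs unprivileged
#   ROOT-EDITOR <user> <pid> <command>   editor runs as root
# Exit status is 1 if any editor runs as root, otherwise 0.
check_sudoedit_children() {
    awk '
    NR == 1 { next }                          # skip the header row
    {
        user[$2] = $1; ppid[$2] = $3
        cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd " " $i
        args[$2] = cmd
        n = split($4, parts, "/")             # basename of argv[0]
        if (parts[n] == "sudoedit" ||
            (parts[n] == "sudo" && ($5 == "-e" || $5 == "--edit")))
            wrapper[$2] = 1
    }
    END {
        bad = 0
        for (pid in ppid) {
            if (!(ppid[pid] in wrapper)) continue
            status = (user[pid] == "root") ? "ROOT-EDITOR" : "OK"
            if (status != "OK") bad = 1
            print status, user[pid], pid, args[pid]
        }
        exit bad
    }'
}

# Demo on the constructed sample; on a live system use instead:
#   ps -e -o user,pid,ppid,args | check_sudoedit_children
sample_ps | check_sudoedit_children || echo "an editor is running as root"
```

Grepping for `sudoedit` alone shows only the root-owned wrapper, which is why the parent/child link matters here.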
Re: [DNG] pkexec in Chimaera
Lars Noodén via Dng wrote:
> On 11/8/21 05:12, tempforever wrote:
> [snip]> Lars Noodén via Dng wrote:
>>> You could consider running sudoedit instead. That will allow you to
>>> edit a file as root (or any other designated account) while still
>>> running the editor itself under the unprivileged account. One should
>>> not run graphical programs as root, if it can be avoided.
>>>
>> Thank you for the help also. sudoedit requires user "a" to be in sudo
>> group, which I'd prefer not to do. A non-gui text editor invoked with
>> su -c will work for now.
>
> Please take another look at /etc/sudoers because the system is allowed
> to have more than one group and users may be in more than one group at a
> time. Also, there can be more than one single line in /etc/sudoers or
> in any of the files beneath /etc/sudoers.d/
>
> Thus you can have a group for account "a" which allows it to run
> sudoedit but nothing else, and it doesn't even have to be a new group:
>
> %a ALL=(ALL:ALL) sudoedit
>
> See "man sudoers" for that. sudo is certainly one of the most
> misunderstood and misused utilities around, in part because of the
> tragic default settings spread by the Ubuntu distros, an affliction it
> gets from Debian's default settings.
>

Thanks again for pointing me to sudoers. I was (mistakenly) under the
impression that the user had to be in the sudo group. And yes, I did
previously use mint/ubuntu. I had played around with sudoers previously
for a different system (including once when I messed it up badly, not
using visudo; had to boot from a live disk to fix it).

You say that sudoedit will run the editor itself under the unprivileged
account; however, it appears it does run as root:

tempo@dev1:~$ ps aux|grep sudoedit
root 3167 0.0 0.1 11176 5332 pts/0 S+ 13:42 0:00 sudoedit /etc/hosts
tempo 3177 0.0 0.0 6180 664 pts/1 S+ 13:42 0:00 grep sudoedit

On 08/11/2021 at 14:16, Didier Kryn wrote:
> There is a hand-made replacement for pkexec and the good old gksu
> and gksudo:
>
> In your sudoers file (edited with visudo), put the following line
>
> Defaults env_keep = "XAUTHORITY DISPLAY"
>
> Note there can be other variables in the list, like EDITOR, but the
> above are the ones which will allow you to run GUIs under root privilege.
>
> Then allow yourself to run foo with sudo (also by editing your sudoers
> file with visudo) and then
>
> sudo foo

Nice to know this also; I can now verify that it does indeed work as you
describe.
Re: [DNG] pkexec in Chimaera
On 08/11/2021 at 14:16, Didier Kryn wrote:
> There is a hand-made replacement for pkexec and the good old gksu
> and gksudo:
>
> In your sudoers file (edited with visudo), put the following line
>
> Defaults env_keep = "XAUTHORITY DISPLAY"
>
> Note there can be other variables in the list, like EDITOR, but the
> above are the ones which will allow you to run GUIs under root privilege.
>
> Then allow yourself to run foo with sudo (also by editing your sudoers
> file with visudo) and then
>
> sudo foo
>
> hth
>
> -- Didier
>

Alternative:

su -w DISPLAY,XAUTHORITY -c /usr/sbin/foo

Doesn't work with option -l of su; therefore the PATH is yours.

-- Didier
Re: [DNG] pkexec in Chimaera
There is a hand-made replacement for pkexec and the good old gksu
and gksudo:

In your sudoers file (edited with visudo), put the following line

Defaults env_keep = "XAUTHORITY DISPLAY"

Note there can be other variables in the list, like EDITOR, but the
above are the ones which will allow you to run GUIs under root privilege.

Then allow yourself to run foo with sudo (also by editing your sudoers
file with visudo) and then

sudo foo

hth

-- Didier
Re: [DNG] pkexec in Chimaera
On 11/8/21 05:12, tempforever wrote:
[snip]> Lars Noodén via Dng wrote:
>> You could consider running sudoedit instead. That will allow you to
>> edit a file as root (or any other designated account) while still
>> running the editor itself under the unprivileged account. One should
>> not run graphical programs as root, if it can be avoided.
>>
> Thank you for the help also. sudoedit requires user "a" to be in sudo
> group, which I'd prefer not to do. A non-gui text editor invoked with
> su -c will work for now.

Please take another look at /etc/sudoers because the system is allowed
to have more than one group and users may be in more than one group at a
time. Also, there can be more than one single line in /etc/sudoers or
in any of the files beneath /etc/sudoers.d/

Thus you can have a group for account "a" which allows it to run
sudoedit but nothing else, and it doesn't even have to be a new group:

%a ALL=(ALL:ALL) sudoedit

See "man sudoers" for that. sudo is certainly one of the most
misunderstood and misused utilities around, in part because of the
tragic default settings spread by the Ubuntu distros, an affliction it
gets from Debian's default settings.

/Lars

PS. Thank you in advance for not top-posting.
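An added example, not part of the original post or of sudo: in sudoers a bare `sudoedit` in the command list, as in the rule quoted above, puts no limit on which files may be edited, while `sudoedit /path` restricts the rule to that path. The script below audits rules for that difference; apart from the `%a` rule and the `Defaults` line taken from the thread, the sample file is constructed, and the parser assumes one rule per line with no aliases or tags such as NOPASSWD.

```shell
#!/bin/sh
# Constructed sample sudoers content. The Defaults line and the %a rule
# appear in the thread; the rule for "a" is an assumption added to show
# a path-restricted variant.
sample_sudoers() {
cat <<'EOF'
# local policy
Defaults env_keep = "XAUTHORITY DISPLAY"
%a ALL=(ALL:ALL) sudoedit
a  ALL=(root) sudoedit /etc/hosts, sudoedit /etc/group
EOF
}

# Reads sudoers text on stdin. For each rule that grants sudoedit prints
#   ANY-FILE <who>           bare "sudoedit": any path may be edited
#   LIMITED <who> <paths>    sudoedit restricted to the listed paths
audit_sudoedit_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }
    !/sudoedit/ { next }
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)        # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop "(runas)" if present
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        paths = ""; bare = 0
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
            m = split(cmds[i], w, /[ \t]+/)
            if (w[1] != "sudoedit") continue
            if (m == 1) bare = 1
            else for (j = 2; j <= m; j++) paths = paths " " w[j]
        }
        if (bare) print "ANY-FILE", who
        else if (paths != "") print "LIMITED", who paths
    }'
}

# Demo on the constructed sample.
sample_sudoers | audit_sudoedit_rules
```

For a real policy, `visudo -c` checks syntax and `sudo -l -U <user>` shows what the parsed rules actually grant.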
Re: [DNG] pkexec in Chimaera
Thanks for the (attempted) help.
su -c - root mousepad returned the same error (Mousepad-CRITICAL...
Failed to initialize xfconf: The connection is closed)
su -c - root xterm and then mousepad (in that xterm) returned the same
error again.
I noticed on my Beowulf system I get a similar "error" except it says
dconf-WARNING ... failed to commit changes to dconf: The connection is
closed
However, mousepad actually opens there, I guess because it is a warning
instead of a critical error in Beowulf?
I'm not terribly concerned about (not) being able to run GUI programs as
root, it just seemed odd to me that pkexec would require a different
user's password, especially when specifying --user root.

Steve Litt wrote:
> Try this:
> su -c - root mousepad
>
> Remember to put the dash between -c and root.
>
> If you get the same results, perform the following:
>
> su -c - root xterm
>
> Now, within that xterm, run the mousepad command and see what goes
> wrong. It's probably a wrong directory, or perhaps some missing
> environment variable, either of which can be cured by a shellscript.
>

Thank you for the help also. sudoedit requires user "a" to be in sudo
group, which I'd prefer not to do. A non-gui text editor invoked with
su -c will work for now.

Lars Noodén via Dng wrote:
> You could consider running sudoedit instead. That will allow you to
> edit a file as root (or any other designated account) while still
> running the editor itself under the unprivileged account. One should
> not run graphical programs as root, if it can be avoided.
>
Re: [DNG] pkexec in Chimaera
tempforever said on Sun, 7 Nov 2021 14:19:54 -0500

>I'm logged on user "a" (with very few permissions), on the same system
>exists user "b" (in sudo group).
>When I run pkexec --user root mousepad (for example), it prompts for
>user "b" password, instead of root password.
>If I remove user "b" from sudo group, the above example will prompt for
>root password.
>I would like to keep user "b" in sudo group, and enter root user's
>password. I believe gksu used to do this. Is this possible to do any
>more in devuan?
>
>In beowulf, I was allowed to run "su -c mousepad" but now that fails:
>(mousepad:3105): Mousepad-CRITICAL **: 13:59:58.624: Failed to
>initialize xfconf: The connection is closed
>which is why I am now using pkexec

Try this:

su -c - root mousepad

Remember to put the dash between -c and root.

If you get the same results, perform the following:

su -c - root xterm

Now, within that xterm, run the mousepad command and see what goes
wrong. It's probably a wrong directory, or perhaps some missing
environment variable, either of which can be cured by a shellscript.

The shellscript, call it my_shellscript.sh, might look something like
the following:

#!/bin/sh
cd /my/special/directory
export MY_ENV_VAR="my special environment variable"
exec mousepad

If you use the shellscript, your command will be:

su -c - root my_shellscript.sh

SteveT

Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques
Re: [DNG] pkexec in Chimaera
On 11/7/21 21:19, tempforever wrote:
[snip]> Actually I'll probably switch to a text-based editor for this
> particular case, but in general, for GUI applications, how is this
> done now?
[snip]

You could consider running sudoedit instead. That will allow you to
edit a file as root (or any other designated account) while still
running the editor itself under the unprivileged account. One should
not run graphical programs as root, if it can be avoided.

From the manual page for sudo:

  When invoked as sudoedit, the -e option (described below), is
  implied.

  [...]

  -e, --edit
      Edit one or more files instead of running a command. In
      lieu of a path name, the string "sudoedit" is used when
      consulting the security policy. If the user is authorized
      by the policy, the following steps are taken:

      1. Temporary copies are made of the files to be edited
         with the owner set to the invoking user.

      2. The editor specified by the policy is run to edit the
         temporary files. The sudoers policy uses the
         SUDO_EDITOR, VISUAL and EDITOR environment variables
         (in that order). If none of SUDO_EDITOR, VISUAL or
         EDITOR are set, the first program listed in the editor
         sudoers(5) option is used.

      3. If they have been modified, the temporary files are
         copied back to their original location and the
         temporary versions are removed.

      To help prevent the editing of unauthorized files, the
      following restrictions are enforced unless [...]

There is a lot more about that in the manual pages. See "man sudo" and
"man sudoers".

/Lars