VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Tue Sep 05, 2017 1:51 pm Post subject: gparted, root and policykit
Hi.
I'm trying to understand how gparted works as to why/how I'm asked for the root password — which is a hint gksu is not called in the process. Erm... I don't have no password for root. It's intentional.
I saw this thread in which ecatmur suggests directly modifying the desktop file, but it dates from 2006. And if gparted is compiled with policykit USE flags and I've set "privilege granting" to using sudo so shouldn't gparted conform?
EDIT: In Manjaro, it is
Code:
Exec=/usr/bin/gparted_polkit %f
I found no such file or directory on my system.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Wed Sep 06, 2017 9:06 pm Post subject:
Is there a gparted-pkexec somewhere on your system?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Fri Sep 08, 2017 7:47 am Post subject:
eccerr0r wrote: | Is there a gparted-pkexec somewhere on your system? |
Yes, there is one. It is the same content (more or less, I don't know what it was in 2006) as in ecatmur's hint.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Fri Sep 08, 2017 3:38 pm Post subject:
I suppose now it's to tell polkit to not want a root password for gparted?
Or is it working as you wish now?

VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Fri Sep 08, 2017 7:44 pm Post subject:
eccerr0r wrote: | I suppose now it's to tell polkit to not want a root password for gparted? |
It doesn't indeed. Unless there's a way to tell policykit to ask for *my* password with gksu instead?
/usr/bin/gparted-pkexec:
pkexec "/usr/sbin/gparted" "$@"
eccerr0r wrote: | Or is it working as you wish now? |
Nope, it's not. With the stock configuration it's still asking for root password. Unless I edit the stock script, of course, which will be overwritten upon every upgrade.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Fri Sep 08, 2017 9:02 pm Post subject:
Ok BIG security hole here. Go back to using the pkexec version and try this: Create a file
/etc/polkit-1/rules.d/10-VinzC-security-hole.rules
Code:
// Grants the gparted pkexec action to any caller without authentication.
polkit.addRule(function(action, subject) {
    if (action.id == "org.gentoo.pkexec.gparted") {
        return polkit.Result.YES;
    }
});
Yes. BIG security hole, but since you have no root password...?
Still not sure if this is answering the question but polkit has basically a parallel functionality to sudo, IIRC in the past it used to use sudo but now has its own system. It wasn't meant to be a replacement, but rather for integration into the GUI. However for most purposes it sort of ends up being a replacement.

VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Fri Sep 08, 2017 10:21 pm Post subject:
@eccerr0r
I suspect my answer has been a bit misleading. I don't know what you imply by "big security hole" but what I meant with
eccerr0r wrote: | I suppose now it's to tell polkit to not want a root password for gparted? |
VinzC wrote: | It doesn't indeed. Unless there's a way to tell policykit to ask for *my* password with gksu instead? |
gparted doesn't ask for my password but for root's password. What I'd like is to be asked for *my* password as my user ID is part of the wheel group. With the rule you've described gparted doesn't even ask for a password now, it just launches straight away — erm... wait isn't that what you were talking about, the "security hole"? Don't know if that's what you intended though.
Anyway, after reading your post I stumbled across polkit man page. So I've edited the file again and returned polkit.Result.AUTH_ADMIN instead but then I'm back to where I started: I'm asked for root password. So I tried with AUTH_SELF and now I'm asked for my own password.
But there's that one thing that puzzles me: what's the point of the "Privilege granting" applet if all you do with it has to be done again (and even hard-coded) in polkit rule files?

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Fri Sep 08, 2017 11:42 pm Post subject:
Ah okay, well, it wasn't clear from the initial post what you wanted - it seemed you had no root password for some reason (rescue cd?) and the intended desire was to have no password prompt, and personal password was the second best option. Well at least you got the right option now or is that not the case? Hard to tell by how you write ...
In any case the main reason for polkit is not to replicate sudo though it seems to be. Rather, it's GUI integration. The rule you had changed is specifically for enduser specific behavior - what did you want it to do (default is to ask for password, but through the GUI!). Note that if it had been the usual unix case and forgot you needed root privileges but started the application anyway, it would obviously fail. With pkexec you get a chance to type the password and then it would let you run (as well as "cache" the password for a while much like sudo). Also polkit allows fine grain control; though I don't know if gparted actually takes advantage or even needs fine grain control, things like udisks or power management may need it.

VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Sat Sep 09, 2017 9:25 am Post subject:
Thanks anyway for your insights, eccerr0r.
I might indeed have been unclear what I wanted to achieve and what I had — one reason might be that I've been struggling with issues, eventually solving them slowly one by one so when you've got your mind focused it's hard to raise the nose and be crystal clear explaining things. So thanks for your patience.
To summarize it all, I have indeed a root account on my laptop, for which I purposefully have not defined any password. I'm endorsing administrative privileges only through sudo <command> or sudo -i. I have of course changed /etc/sudoers to grant members of group wheel through password authentication as I prefer to avoid password-less authentication.
I honestly — naively maybe — believed that would suffice in Linux to automatically trigger the right password request dialogue boxes, once you've configured /etc/sudoers and "Privilege granting" application in Xfce. I thought gksu, properly configured through the GUI would, say, install a default policy that would prompt not for root password but for the user's password if the latter is part of group wheel, for instance. Apparently there's no such integration. But I suppose that generic behaviour can still be achieved in polkit for any application that starts with pkexec, right?
So here's the rule file I added, based on your hint:
/etc/polkit-1/rules.d/50-gparted.rules:
// wheel members authenticate with their own password;
// everyone else must authenticate as an administrator.
polkit.addRule(function(action, subject) {
    if (action.id == "org.gentoo.pkexec.gparted") {
        if (subject.isInGroup("wheel")) {
            return polkit.Result.AUTH_SELF;
        } else {
            return polkit.Result.AUTH_ADMIN;
        }
    }
});
That gives me the behaviour I wanted. For gparted in particular, of course. I would like to generalize that behaviour though. I guess I know what to do...
But I still would like to know what "Privilege granting" acts upon. Does it interact with Polkit at all? Is it needed at all (on an OpenRC machine)?
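
One way the generalization asked about in the post above could look, as an added example that is not part of the original thread: a rule scoped by action-id prefix plus an admin rule that lets AUTH_ADMIN accept a wheel member's password. The `polkit` object is a stand-in so the rule body runs under Node; the file name `50-wheel.rules`, the `org.gentoo.pkexec.` prefix and the helper functions `decide` and `adminIdentities` are assumptions.

```javascript
// Stand-in for the `polkit` object that polkitd provides to rules files, so the
// rule body below can be exercised under Node. Result strings are mock values.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin" },
  rules: [],
  adminRules: [],
  addRule(fn) { this.rules.push(fn); },
  addAdminRule(fn) { this.adminRules.push(fn); },
};

// ---- body of a hypothetical /etc/polkit-1/rules.d/50-wheel.rules ----
// Assumption: other pkexec wrappers use the same "org.gentoo.pkexec." prefix
// as the gparted action id quoted in the thread.
var PKEXEC_PREFIX = "org.gentoo.pkexec.";

polkit.addRule(function (action, subject) {
  if (action.id.indexOf(PKEXEC_PREFIX) !== 0) {
    return undefined; // not ours: later rules and the action's defaults decide
  }
  // wheel members prove who they are; nobody is waved through with YES
  return subject.isInGroup("wheel") ? polkit.Result.AUTH_SELF
                                    : polkit.Result.AUTH_ADMIN;
});

// For any action that ends up at AUTH_ADMIN, accept a wheel member's password
// instead of root's (useful when root has no password set).
polkit.addAdminRule(function (action, subject) {
  return ["unix-group:wheel"];
});
// ---- end of rules file body ----

// Simplified evaluation: first rule returning a value wins, else the default
// declared for the action applies.
function decide(actionId, groups, actionDefault) {
  const subject = { isInGroup: (g) => groups.includes(g) };
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return actionDefault;
}

function adminIdentities(actionId) {
  for (const rule of polkit.adminRules) {
    const ids = rule({ id: actionId }, { isInGroup: () => false });
    if (ids) return ids;
  }
  return ["unix-user:0"]; // mock fallback: root only
}
```

Only the part between the two marker comments would go into a rules file; the harness around it exists to show that unrelated actions fall through untouched and that no path returns `YES`.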

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Sat Sep 09, 2017 11:11 am Post subject:
Ah, so you effectively want to 'disable' the root account so to speak. I thought you wanted to have a blank password for the root account and somehow just wanted to bypass the dialog. Makes a bit more sense and secure now.
I'm working on one of my polkit/systemd/gnome boxes now and do not have gksu. (what package is it from, I don't see it on my polkit/openrc/xfce box either?) In any case, I suspect that you should be able to do any GUI (and possibly even CLI as long as it's under the GUI) privileged commands with pkexec though as far as I know does not allow command line option restrictions that sudo offers; you probably can emulate the behavior with a wrapper script to an extent.
I suspect the xdg (X.org Desktop Group standards consortium?) probably prefers using polkit/pkexec system anyway, just for integration?

VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Sat Sep 09, 2017 12:29 pm Post subject:
eccerr0r wrote: | Ah, so you effectively want to 'disable' the root account so to speak. |
That's it. I personally always make the distinction "no password" != "blank password".
eccerr0r wrote: | I suspect that you should be able to do any GUI (and possibly even CLI as long as it's under the GUI) privileged commands with pkexec though as far as I know does not allow command line option restrictions that sudo offers; you probably can emulate the behavior with a wrapper script to an extent. |
Aaah, ok. It all makes perfect sense, now. Thanks.