Gentoo Forums
gparted, root and policykit
VinzC
Watchman


Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

Posted: Tue Sep 05, 2017 1:51 pm    Post subject: gparted, root and policykit

Hi.

I'm trying to understand how gparted works as to why/how I'm asked for the root password — which is a hint gksu is not called in the process. Erm... I don't have any password for root. It's intentional.

I saw this thread in which ecatmur suggests directly modifying the desktop file, but it dates from 2006. And if gparted is compiled with policykit USE flags and I've set "privilege granting" to use sudo, shouldn't gparted conform?

EDIT: In Manjaro, it is
Code:
Exec=/usr/bin/gparted_polkit %f


I found no such file or directory on my system.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA

Posted: Wed Sep 06, 2017 9:06 pm

Is there a gparted-pkexec somewhere on your system?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
VinzC
Watchman


Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

Posted: Fri Sep 08, 2017 7:47 am

eccerr0r wrote:
Is there a gparted-pkexec somewhere on your system?

Yes, there is one. It is the same content (more or less, I don't know what it was in 2006 :-D) as in ecatmur's hint.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA

Posted: Fri Sep 08, 2017 3:38 pm

I suppose now it's to tell polkit to not want a root password for gparted?
Or is it working as you wish now?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
VinzC
Watchman


Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

Posted: Fri Sep 08, 2017 7:44 pm

eccerr0r wrote:
I suppose now it's to tell polkit to not want a root password for gparted?

It doesn't indeed. Unless there's a way to tell policykit to ask for *my* password with gksu instead?
/usr/bin/gparted-pkexec:
pkexec "/usr/sbin/gparted" "$@"


eccerr0r wrote:
Or is it working as you wish now?

Nope, it's not. With the stock configuration it's still asking for the root password. Unless I edit the stock script, of course, which will be overwritten upon every upgrade.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA

Posted: Fri Sep 08, 2017 9:02 pm

Ok BIG security hole here. Go back to using the pkexec version and try this: Create a file

/etc/polkit-1/rules.d/10-VinzC-security-hole.rules
Code:
polkit.addRule(function(action, subject) {
    if (action.id == "org.gentoo.pkexec.gparted") {
        return polkit.Result.YES;
    }
});


Yes. BIG security hole, but since you have no root password...?

Still not sure if this is answering the question, but polkit basically has parallel functionality to sudo. IIRC in the past it used to use sudo but now has its own system. It wasn't meant to be a replacement, but rather for integration into the GUI. However, for most purposes it sort of ends up being a replacement.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
VinzC
Watchman


Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

Posted: Fri Sep 08, 2017 10:21 pm

@eccerr0r

I suspect my answer has been a bit misleading. I don't know what you imply by "big security hole" but what I meant with
eccerr0r wrote:
I suppose now it's to tell polkit to not want a root password for gparted?

VinzC wrote:
It doesn't indeed. Unless there's a way to tell policykit to ask for *my* password with gksu instead?

gparted doesn't ask for my password but for root's password. What I'd like is to be asked for *my* password as my user ID is part of the wheel group. With the rule you've described gparted doesn't even ask for a password now, it just launches straight away — erm... wait isn't that what you were talking about, the "security hole"? Don't know if that's what you intended though.

Anyway, after reading your post I stumbled across the polkit man page. So I've edited the file again and returned polkit.Result.AUTH_ADMIN instead, but then I'm back to where I started: I'm asked for the root password :roll: . So I tried with AUTH_SELF and now I'm asked for my own password.

But there's that one thing that puzzles me: what's the point of the "Privilege granting" applet if all you do with it has to be done again (and even hard-coded) in polkit rule files?
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA

Posted: Fri Sep 08, 2017 11:42 pm

Ah okay, well, it wasn't clear from the initial post what you wanted - it seemed you had no root password for some reason (rescue cd?) and the intended desire was to have no password prompt, and personal password was the second best option. Well at least you got the right option now or is that not the case? Hard to tell by how you write ...

In any case the main reason for polkit is not to replicate sudo, though it seems to be. Rather, it's GUI integration. The rule you had changed is specifically for end-user-specific behavior - what did you want it to do (default is to ask for password, but through the GUI!). Note that if it had been the usual unix case and you forgot you needed root privileges but started the application anyway, it would obviously fail. With pkexec you get a chance to type the password and then it would let you run (as well as "cache" the password for a while much like sudo). Also polkit allows fine-grained control; though I don't know if gparted actually takes advantage of or even needs fine-grained control, things like udisks or power management may need it.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
VinzC
Watchman


Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

Posted: Sat Sep 09, 2017 9:25 am

Thanks anyway for your insights, eccerr0r.

I might indeed have been unclear what I wanted to achieve and what I had — one reason might be that I've been struggling with issues, eventually solving them slowly one by one so when you've got your mind focused it's hard to raise the nose and be crystal clear explaining things. So thanks for your patience :-) .

To summarize it all, I have indeed a root account on my laptop, for which I purposefully have not defined any password. I'm endorsing administrative privileges only through sudo <command> or sudo -i. I have of course changed /etc/sudoers to grant members of group wheel through password authentication as I prefer to avoid password-less authentication.

I honestly — naively maybe — believed that would suffice in Linux to automatically trigger the right password request dialogue boxes, once you've configured /etc/sudoers and "Privilege granting" application in Xfce. I thought gksu, properly configured through the GUI would, say, install a default policy that would prompt not for root password but for the user's password if the latter is part of group wheel, for instance. Apparently there's no such integration. But I suppose that generic behaviour can still be achieved in polkit for any application that starts with pkexec, right?

So here's the rule file I added, based on your hint:
/etc/polkit-1/rules.d/50-gparted.rules:
polkit.addRule(function(action, subject) {
        if (action.id == "org.gentoo.pkexec.gparted") {
                if (subject.isInGroup("wheel")) {
                        return polkit.Result.AUTH_SELF;
                } else {
                        return polkit.Result.AUTH_ADMIN;
                }
        }
});

That gives me the behaviour I wanted. For gparted in particular, of course. I would like to generalize that behaviour though. I guess I know what to do...

But I still would like to know what "Privilege granting" acts upon. Does it interact with Polkit at all? Is it needed at all (on an OpenRC machine)?
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
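
Added example, not part of the thread and not code from polkit itself: polkit reads rules files in lexical filename order and uses the first value a rule function returns, so the two files posted above interact if both are installed. The small rule-engine stand-in and the group lists below are constructed for illustration; the rule bodies make the same decisions as the posted files.

```javascript
// Stand-in for polkitd's rule engine, constructed for this example: rule
// functions run in the order they were added and the first value returned wins.
function makeAuthority() {
  const rules = [];
  const polkit = {
    Result: { NO: "no", YES: "yes", AUTH_SELF: "auth_self",
              AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
    addRule: (fn) => rules.push(fn),
  };
  function check(actionId, groups) {
    const action = { id: actionId };
    const subject = { isInGroup: (g) => groups.includes(g) };
    for (const rule of rules) {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) return result;
    }
    return "implicit"; // no rule decided: the action's own defaults apply
  }
  return { polkit, check };
}

// The two rules files posted in the thread, keyed by basename.
const RULE_FILES = {
  "10-VinzC-security-hole.rules": (polkit) =>
    polkit.addRule(function (action, subject) {
      if (action.id == "org.gentoo.pkexec.gparted") {
        return polkit.Result.YES;
      }
    }),
  "50-gparted.rules": (polkit) =>
    polkit.addRule(function (action, subject) {
      if (action.id == "org.gentoo.pkexec.gparted") {
        return subject.isInGroup("wheel") ? polkit.Result.AUTH_SELF
                                          : polkit.Result.AUTH_ADMIN;
      }
    }),
};

// Load the installed files in lexical basename order, then decide one request.
function evaluate(installed, actionId, groups) {
  const { polkit, check } = makeAuthority();
  [...installed].sort().forEach((name) => RULE_FILES[name](polkit));
  return check(actionId, groups);
}

const GPARTED = "org.gentoo.pkexec.gparted";
console.log(evaluate(Object.keys(RULE_FILES), GPARTED, ["wheel"])); // "yes"
console.log(evaluate(["50-gparted.rules"], GPARTED, ["wheel"]));    // "auth_self"
console.log(evaluate(["50-gparted.rules"], GPARTED, ["users"]));    // "auth_admin"
```

A leftover 10- file that returns YES decides the request before 50-gparted.rules is consulted, so the password prompt only takes effect once the earlier file is removed or edited.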
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 9679
Location: almost Mile High in the USA

Posted: Sat Sep 09, 2017 11:11 am

Ah, so you effectively want to 'disable' the root account so to speak. I thought you wanted to have a blank password for the root account and somehow just wanted to bypass the dialog. Makes a bit more sense and secure now.

I'm working on one of my polkit/systemd/gnome boxes now and do not have gksu. (What package is it from? I don't see it on my polkit/openrc/xfce box either.) In any case, I suspect that you should be able to do any GUI (and possibly even CLI as long as it's under the GUI) privileged commands with pkexec, though as far as I know it does not allow the command line option restrictions that sudo offers; you probably can emulate the behavior with a wrapper script to an extent.

I suspect the xdg (X.org Desktop Group standards consortium?) probably prefers using polkit/pkexec system anyway, just for integration?
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
VinzC
Watchman


Joined: 17 Apr 2004
Posts: 5098
Location: Dark side of the mood

Posted: Sat Sep 09, 2017 12:29 pm

eccerr0r wrote:
Ah, so you effectively want to 'disable' the root account so to speak.

That's it. I personally always make the distinction "no password" != "blank password".

eccerr0r wrote:
I suspect that you should be able to do any GUI (and possibly even CLI as long as it's under the GUI) privileged commands with pkexec, though as far as I know it does not allow the command line option restrictions that sudo offers; you probably can emulate the behavior with a wrapper script to an extent.

Aaah, ok. It all makes perfect sense, now. Thanks.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!