Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
gparted, root and policykit
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Desktop Environments
View previous topic :: View next topic  
Author Message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4974
Location: Dark side of the mood

PostPosted: Tue Sep 05, 2017 1:51 pm    Post subject: gparted, root and policykit Reply with quote

Hi.

I'm trying to understand how gparted works as to why/how I'm asked for the root password — which is a hint gksu is not called in the process. Erm... I don't have no password for root. It's intentional.

I saw this thread in which ecatmur suggests to directly modify the desktop file but it dates 2006. And if gparted is compiled with policykit USE flags and I've set "privilege granting" to using sudo so shouldn't gparted conform?

EDIT: In Manjaro, it is
Code:
Exec=/usr/bin/gparted_polkit %f


I found no such file or directory on my system.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Wed Sep 06, 2017 9:06 pm    Post subject: Reply with quote

Is there a gparted-pkexec somewhere on your system?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4974
Location: Dark side of the mood

PostPosted: Fri Sep 08, 2017 7:47 am    Post subject: Reply with quote

eccerr0r wrote:
Is there a gparted-pkexec somewhere on your system?

Yes, there is one. It is the same content (more or less, I don't know what it was in 2006 :-D) as in ecatmur's hint.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Fri Sep 08, 2017 3:38 pm    Post subject: Reply with quote

I suppose now it's to tell polkit to not want a root password for gparted?
Or is it working as you wish now?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4974
Location: Dark side of the mood

PostPosted: Fri Sep 08, 2017 7:44 pm    Post subject: Reply with quote

eccerr0r wrote:
I suppose now it's to tell polkit to not want a root password for gparted?

It doesn't indeed. Unless there's a way to tell policykit to ask for *my* password with gksu instead?
/usr/bin/gparted-pkexec:
pkexec "/usr/sbin/gparted" "$@"


eccerr0r wrote:
Or is it working as you wish now?

Nope, it's not. With the stock configuration it's still asking for root password. Unless I edit the stock script, of course, which will be overwritten upon every upgrade.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Fri Sep 08, 2017 9:02 pm    Post subject: Reply with quote

Ok BIG security hole here. Go back to using the pkexec version and try this: Create a file

/etc/polkit-1/rules.d/10-VinzC-security-hole.rules
Code:
polkit.addRule(function(action, subject) {
    if (action.id == "org.gentoo.pkexec.gparted") {
        return polkit.Result.YES;
    }
});


Yes. BIG security hole, but since you have no root password...?

Still not sure if this is answering the question but polkit has basically a parallel functionality to sudo, IIRC in the past it used to use sudo but now has its own system. It wasn't meant to be a replacement, but rather for integration into the GUI. However for most purposes it sort of ends up being a replacement.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4974
Location: Dark side of the mood

PostPosted: Fri Sep 08, 2017 10:21 pm    Post subject: Reply with quote

@eccerr0r

I suspect my answer has been a bit misleading. I don't know what you imply by "big security hole" but what I meant with
eccerr0r wrote:
I suppose now it's to tell polkit to not want a root password for gparted?

VinzC wrote:
It doesn't indeed. Unless there's a way to tell policykit to ask for *my* password with gksu instead?

gparted doesn't ask for my password but for root's password. What I'd like is to be asked for *my* password as my user ID is part of the wheel group. With the rule you've described gparted doesn't even ask for a password now, it just launches straight away — erm... wait isn't that what you were talking about, the "security hole"? Don't know if that's what you intended though.

Anyway, after reading your post I stumbled across polkit man page. So I've edited the file again and returned polkit.Result.AUTH_ADMIN instead but then I'm back to where I started: I'm asked for root password :roll: . So I tried with AUTH_SELF and now I'm asked for my own password.

But there's that one thing that puzzles me: what's the point of the "Privilege granting" applet if all you do with it has to be done again (and even hard-coded) in polkit rule files?
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Fri Sep 08, 2017 11:42 pm    Post subject: Reply with quote

Ah okay, well, it wasn't clear from the initial post what you wanted - it seemed you had no root password for some reason (rescue cd?) and the intended desire was to have no password prompt, and personal password was the second best option. Well at least you got the right option now or is that not the case? Hard to tell by how you write ...

In any case the main reason for polkit is not to replicate sudo though it seems to be. Rather, it's GUI integration. The rule you had changed is specifically for enduser specific behavior - what did you want it to do (default is to ask for password, but through the GUI!). Note that if it had been the usual unix case and forgot you needed root privileges but started the application anyway, it would obviously fail. With pkexec you get a chance to type the password and then it would let you run (as well as "cache" the password for a while much like sudo). Also polkit allows fine grain control; though I don't know if gparted actually takes advantage or even needs fine grain control, things like udisks or power management may need it.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4974
Location: Dark side of the mood

PostPosted: Sat Sep 09, 2017 9:25 am    Post subject: Reply with quote

Thanks anyway for your insights, eccerr0r.

I might indeed have been unclear what I wanted to achieve and what I had — one reason might be that I've been struggling with issues, eventually solving them slowly one by one so when you've got your mind focused it's hard to raise the nose and be crystal clear explaining things. So thanks for your patience :-) .

To summarize it all, I have indeed a root account on my laptop, for which I purposefully have not defined any password. I'm endorsing administrative privileges only through sudo <command> or sudo -i. I have of course changed /etc/sudoers to grant members of group wheel through password authentication as I prefer to avoid password-less authentication.

I honestly — naively maybe — believed that would suffice in Linux to automatically trigger the right password request dialogue boxes, once you've configured /etc/sudoers and "Privilege granting" application in Xfce. I thought gksu, properly configured through the GUI would, say, install a default policy that would prompt not for root password but for the user's password if the latter is part of group wheel, for instance. Apparently there's no such integration. But I suppose that generic behaviour can still be achieved in polkit for any application that starts with pkexec, right?

So here's the rule file I added, based on your hint:
/etc/polkit-1/rules.d/50-gparted.rules:
polkit.addRule(function(action, subject) {
        if (action.id == "org.gentoo.pkexec.gparted") {
                if (subject.isInGroup("wheel")) {
                        return polkit.Result.AUTH_SELF;
                } else {
                        return polkit.Result.AUTH_ADMIN;
                }
        }
});

That gives me the behaviour I wanted. For gparted in particular, of course. I would like to generalize that behaviour though. I guess I know what to do...

But I still would like to know what "Privilege granting" acts upon. Does it interact with Polkit at all? Is it needed at all (on an OpenRC machine)?
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
Back to top
View user's profile Send private message
eccerr0r
Watchman
Watchman


Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA

PostPosted: Sat Sep 09, 2017 11:11 am    Post subject: Reply with quote

Ah, so you effectively want to 'disable' the root account so to speak. I thought you wanted to have a blank password for the root account and somehow just wanted to bypass the dialog. Makes a bit more sense and secure now.

I'm working on one of my polkit/systemd/gnome boxes now and do not have gksu. (what package is it from, I don't see it on my polkit/openrc/xfce box either?) In any case, I suspect that you should be able to do any GUI (and possibly even CLI as long as it's under the GUI) privileged commands with pkexec though as far as I know does not allow command line option restrictions that sudo offers; you probably can emulate the behavior with a wrapper script to an extent.

I suspect the xdg (X.org Desktop Group standards consortium?) probably prefers using polkit/pkexec system anyway, just for integration?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Back to top
View user's profile Send private message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4974
Location: Dark side of the mood

PostPosted: Sat Sep 09, 2017 12:29 pm    Post subject: Reply with quote

eccerr0r wrote:
Ah, so you effectively want to 'disable' the root account so to speak.

That's it. I personally always make the distinction "no password" != "blank password".

eccerr0r wrote:
I suspect that you should be able to do any GUI (and possibly even CLI as long as it's under the GUI) privileged commands with pkexec though as far as I know does not allow command line option restrictions that sudo offers; you probably can emulate the behavior with a wrapper script to an extent.

Aaah, ok. It all makes perfect sense, now. Thanks.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Desktop Environments All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum