Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Mon,15.Jun.09, 08:59:59, Patrick Wiseman wrote: > The problem is, I think, that someone upstream thinks that this > limitation is a feature not a bug, and so it's unlikely to get fixed. Writing an app to be run as root is not a trivial thing. Too many things can go wrong. Did you investigate Daniel's suggestion about running a custom command? You could also try sux. Regards, Andrei -- If you can't explain it simply, you don't understand it well enough. (Albert Einstein) signature.asc Description: Digital signature
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Mon, Jun 15, 2009 at 10:12:08AM -0400, Patrick Wiseman wrote: > On Mon, Jun 15, 2009 at 10:08 AM, Osamu Aoki wrote: > > On Mon, Jun 15, 2009 at 08:59:59AM -0400, Patrick Wiseman wrote: > >> The problem is, I think, that someone upstream thinks that this > >> limitation is a feature not a bug, and so it's unlikely to get fixed. > > > > I am not the right person to judge this. It may be a right decision and > > it is a feature. > > > > But advanced cordination with popular existing tools should have > > happened before implimenting this feature for sure. > > > > Well, this is typical when using "unstable". At this moment, we do not > > even have testing security support. You should see quite a bit of these > > despite we most DD tries to keep such incident as few as possible. > > Just as an aside, I'm on a testing system, and just got two security > updates this morning. Good I may have missed announcement but I thought it is not yet official. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Mon, Jun 15, 2009 at 08:59:59AM -0400, Patrick Wiseman wrote: > The problem is, I think, that someone upstream thinks that this > limitation is a feature not a bug, and so it's unlikely to get fixed. I am not the right person to judge this. It may be a right decision and it is a feature. But advanced cordination with popular existing tools should have happened before implimenting this feature for sure. Well, this is typical when using "unstable". At this moment, we do not even have testing security support. You should see quite a bit of these despite we most DD tries to keep such incident as few as possible. Osamu -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Mon, Jun 15, 2009 at 10:08 AM, Osamu Aoki wrote: > On Mon, Jun 15, 2009 at 08:59:59AM -0400, Patrick Wiseman wrote: >> The problem is, I think, that someone upstream thinks that this >> limitation is a feature not a bug, and so it's unlikely to get fixed. > > I am not the right person to judge this. It may be a right decision and > it is a feature. > > But advanced cordination with popular existing tools should have > happened before implimenting this feature for sure. > > Well, this is typical when using "unstable". At this moment, we do not > even have testing security support. You should see quite a bit of these > despite we most DD tries to keep such incident as few as possible. Just as an aside, I'm on a testing system, and just got two security updates this morning. Patrick -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Mon, Jun 15, 2009 at 8:19 AM, Osamu Aoki wrote: > On Sun, Jun 14, 2009 at 11:59:56AM -0400, Patrick Wiseman wrote: > ... >> >> This is a design restriction in D-Bus." >> >> [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390] Well, >> >> that's just stupid, especially for experienced users like myself; I >> >> NEED to be able to use gnome-terminal as root. I don't want a hackish >> >> workaround, I just want it to work as it always has. Is there ANY way >> >> to make D-Bus less restrictive? >> > >> > Well, does this problem happens if user uses sudo mode for gksu. >> > >> > Application-> System Tools-> Configuration Editor: >> > /apps/gksu/sudo-mode >> >> Makes no difference; 'gksu gnome-terminal' fails without a message. >> >> > Also question is what happens if you enter followings in terminal. >> > >> > $ su -c gnome-terminal >> > $ sudo gnome-terminal >> > $ sudo -H gnome-terminal > > Hmmm ... so this > >> All fail with "Failed to contact the GConf daemon; exiting." > > are coming not from gksu but from gnome-terminal. > > How about > > $ su -c xterm That gives me this warning: Warning: Tried to connect to session manager, Authentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed but the xterm opens anyway. > $ sudo xterm Opens the root xterm without warning. > $ sudo -H xterm Likewise. > If this works, this bug needs to be assigned to gnome-terminal. > > It should drop privilidge to use $SUDO_USER for sudo or $USERNAME for su > which ever is not root before accessing GConf. > There is already a bug filed against gnome-terminal on this issue; I added my 2 cents to that bug. >> Apparently, dbus will accept changes in a system-local.conf file, so >> I'll see if I can figure out what I need to do in there. > > This path may work but is not generic solution for all of us to live with. The problem is, I think, that someone upstream thinks that this limitation is a feature not a bug, and so it's unlikely to get fixed. Patrick -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Sun, Jun 14, 2009 at 11:59:56AM -0400, Patrick Wiseman wrote: ... > >> This is a design restriction in D-Bus." > >> [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390] Well, > >> that's just stupid, especially for experienced users like myself; I > >> NEED to be able to use gnome-terminal as root. I don't want a hackish > >> workaround, I just want it to work as it always has. Is there ANY way > >> to make D-Bus less restrictive? > > > > Well, does this problem happens if user uses sudo mode for gksu. > > > > Application-> System Tools-> Configuration Editor: > > /apps/gksu/sudo-mode > > Makes no difference; 'gksu gnome-terminal' fails without a message. > > > Also question is what happens if you enter followings in terminal. > > > > $ su -c gnome-terminal > > $ sudo gnome-terminal > > $ sudo -H gnome-terminal Hmmm ... so this > All fail with "Failed to contact the GConf daemon; exiting." are coming not from gksu but from gnome-terminal. How about $ su -c xterm $ sudo xterm $ sudo -H xterm If this works, this bug needs to be assigned to gnome-terminal. It should drop privilidge to use $SUDO_USER for sudo or $USERNAME for su which ever is not root before accessing GConf. > Apparently, dbus will accept changes in a system-local.conf file, so > I'll see if I can figure out what I need to do in there. This path may work but is not generic solution for all of us to live with. > Patrick > > > -- > To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Jun 14, 2009, at 8:24 PM, Patrick Wiseman wrote: On Sun, Jun 14, 2009 at 3:13 PM, Rick Thomas wrote: Bug reported as Bug#533089 Sadly, if your diagnosis is correct, it may not be fixable... Oh well, I guess that's what "sudo -i" in a normal terminal is for... 'sudo -l' you mean? That (or just 'su' alone) gives me root access within a gnome-terminal, at which point I can do what I need to do. But that also demonstrates that whatever security concerns are driving the disabling of 'Root Terminal' from the menu are completely bogus. And it has conveniences (not having to provide a password every time I open a new tab, for example) which this workaround doesn't. Oh, well, indeed I meant "-i" -- from the man page for sudo(8) -i The -i (simulate initial login) option runs the shell specified in the passwd(5) entry of the user that the command is being run as. The command name argument given to the shell begins with a `-' to tell the shell to run as a login shell. sudo attempts to change to that user's home directory before running the shell. It also ini- tializes the environment, leaving TERM unchanged, setting HOME, SHELL, USER, LOGNAME, and PATH, and unsetting all other environment variables. Note that because the shell to use is determined before the sudoers file is parsed, a runas_default setting in sudoers will specify the user to run the shell as but will not affect which shell is actually run. And you can configure /etc/sudoers so that you never have to provide a password. Read the sudoers(5) man page. I'm not clear on whether the security concerns driving this issue extend to sub-processes running as root, or just those started as root. I'll leave that explanation to those with a better understanding of the issue. Rick -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Sun, Jun 14, 2009 at 3:13 PM, Rick Thomas wrote: > > Bug reported as Bug#533089 > > Sadly, if your diagnosis is correct, it may not be fixable... > > Oh well, I guess that's what "sudo -i" in a normal terminal is for... 'sudo -l' you mean? That (or just 'su' alone) gives me root access within a gnome-terminal, at which point I can do what I need to do. But that also demonstrates that whatever security concerns are driving the disabling of 'Root Terminal' from the menu are completely bogus. And it has conveniences (not having to provide a password every time I open a new tab, for example) which this workaround doesn't. Oh, well, indeed Patrick -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
Bug reported as Bug#533089 Sadly, if your diagnosis is correct, it may not be fixable... Oh well, I guess that's what "sudo -i" in a normal terminal is for... Rick -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Sun, Jun 14, 2009 at 10:27:56AM -0400, Patrick Wiseman wrote: > On Sun, Jun 14, 2009 at 8:16 AM, Patrick Wiseman wrote: > > On Sun, Jun 14, 2009 at 4:19 AM, Andrei Popescu > > wrote: > >> On Sat,13.Jun.09, 09:32:52, Patrick Wiseman wrote: > >>> Running 'sudo gnome-terminal' (which is the equivalent) reports > >> How do you know that? I thought gksu was used for that. Try: > >> gksu gnome-terminal > > ** (gnome-terminal:14228): WARNING **: Failed to connect to the > > session manager: Authentication Rejected, reason : None of the > > authentication protocols specified are supported and host-based > > authentication failed > > > > Failed to contact the GConf daemon; exiting. > > > > Which, I suppose, is slightly more informative. But the fact remains > > that Root Terminal in the Accessories menu is, for some reason, > > disabled. (This is on a fully up-to-date, amd64, testing system.) > > Further Googling informs me that "the result [of Gconf using D-Bus] is > that root applications can’t use the user’s GConf settings anymore. > This is a design restriction in D-Bus." > [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390] Well, > that's just stupid, especially for experienced users like myself; I > NEED to be able to use gnome-terminal as root. I don't want a hackish > workaround, I just want it to work as it always has. Is there ANY way > to make D-Bus less restrictive? Well, does this problem happens if user uses sudo mode for gksu. Application-> System Tools-> Configuration Editor: /apps/gksu/sudo-mode Also question is what happens if you enter followings in terminal. $ su -c gnome-terminal $ sudognome-terminal $ sudo -H gnome-terminal (I think we do not need gconf settings for root. If one of above works, gnome just need to change default mode for gksu.) Osamu -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Sun, Jun 14, 2009 at 11:47 AM, Osamu Aoki wrote: > On Sun, Jun 14, 2009 at 10:27:56AM -0400, Patrick Wiseman wrote: >> On Sun, Jun 14, 2009 at 8:16 AM, Patrick Wiseman wrote: >> > On Sun, Jun 14, 2009 at 4:19 AM, Andrei Popescu >> > wrote: >> >> On Sat,13.Jun.09, 09:32:52, Patrick Wiseman wrote: >> >>> Running 'sudo gnome-terminal' (which is the equivalent) reports >> >> How do you know that? I thought gksu was used for that. Try: >> >> gksu gnome-terminal >> > ** (gnome-terminal:14228): WARNING **: Failed to connect to the >> > session manager: Authentication Rejected, reason : None of the >> > authentication protocols specified are supported and host-based >> > authentication failed >> > >> > Failed to contact the GConf daemon; exiting. >> > >> > Which, I suppose, is slightly more informative. But the fact remains >> > that Root Terminal in the Accessories menu is, for some reason, >> > disabled. (This is on a fully up-to-date, amd64, testing system.) >> >> Further Googling informs me that "the result [of Gconf using D-Bus] is >> that root applications can’t use the user’s GConf settings anymore. >> This is a design restriction in D-Bus." >> [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390] Well, >> that's just stupid, especially for experienced users like myself; I >> NEED to be able to use gnome-terminal as root. I don't want a hackish >> workaround, I just want it to work as it always has. Is there ANY way >> to make D-Bus less restrictive? > > Well, does this problem happens if user uses sudo mode for gksu. > > Application-> System Tools-> Configuration Editor: > /apps/gksu/sudo-mode Makes no difference; 'gksu gnome-terminal' fails without a message. > Also question is what happens if you enter followings in terminal. > > $ su -c gnome-terminal > $ sudo gnome-terminal > $ sudo -H gnome-terminal All fail with "Failed to contact the GConf daemon; exiting." Apparently, dbus will accept changes in a system-local.conf file, so I'll see if I can figure out what I need to do in there. Patrick -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Paternalistic D-Bus Restrictions (was Re: 'Applications, Accessories, Root Terminal' fails silently)
On Sun, Jun 14, 2009 at 8:16 AM, Patrick Wiseman wrote: > On Sun, Jun 14, 2009 at 4:19 AM, Andrei Popescu > wrote: >> On Sat,13.Jun.09, 09:32:52, Patrick Wiseman wrote: >>> Running 'sudo gnome-terminal' (which is the equivalent) reports >> >> How do you know that? I thought gksu was used for that. Try: >> >> gksu gnome-terminal > > That yields: > > ** (gnome-terminal:14228): WARNING **: Failed to connect to the > session manager: Authentication Rejected, reason : None of the > authentication protocols specified are supported and host-based > authentication failed > > Failed to contact the GConf daemon; exiting. > > Which, I suppose, is slightly more informative. But the fact remains > that Root Terminal in the Accessories menu is, for some reason, > disabled. (This is on a fully up-to-date, amd64, testing system.) Further Googling informs me that "the result [of Gconf using D-Bus] is that root applications can’t use the user’s GConf settings anymore. This is a design restriction in D-Bus." [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390] Well, that's just stupid, especially for experienced users like myself; I NEED to be able to use gnome-terminal as root. I don't want a hackish workaround, I just want it to work as it always has. Is there ANY way to make D-Bus less restrictive? Patrick -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org