Re: [DNG] why is polkit needed?

[tom]

On Tue, 10 Mar 2020 12:08:23 -0600
tekHedd  wrote:

> On Sat, Mar 7, 2020, at 5:37 PM, Rick Moen wrote:
> > Quoting tekHedd (tekh...@byteheaven.net):
> >   
> > > Cool software doesn't really happen without the ability for apps
> > > to communicate and read/write the state of the system and
> > > communicate with other user level components.  
> > 
> > If so, so what?  This doesn't in any way suggest need for a new
> > extra system authentication layer.  By default, all software
> > running under the user's EUID can intercommunicate as peers.  So,
> > given that, and taking as true for the sake of discussion your
> > assertion above, what would polkit or a workalike add, given that
> > apps can already do what you said is desirable?
> > 
> > I don't know, man.  Perhaps we're somehow failing to communicate, on
> > that point.  
> 
> I believe I see your point. Each app is responsible for deciding
> which actions to allow, or they have no security. In the end though
> you need to communicate, and you need to map those communications to
> authorized actions. The current toolkits fill these general needs, if
> perhaps suboptimally.
> 
> A quick analysis of polkit performed by the simple method of "trying
> to uninstall it on a working system" shows that it is required by:
> 
>  * synaptic etc
>  * colord (!)
> 
> and recommend by:
> 
>  * blueman
>  * cups
>  * elogind
>  * the desktop (xfce in my case)
>  * udisks2
>  * upower2
> 
> Which is what I'd expect. System management apps using polkit to
> decide whether to allow specific actions.
> 
> There are two correct answers to the thread: 1) polkit is not needed
> because you can accomplish all this with "sudo" and also 2) "you need
> polkit if you want to be able to manage local system things like
> disks and bluetooth devices from friendly UI programs without sudo".
> 
> One difference between polkit and d-bus is you can sum up polkit's
> requirements in one sentence. :) 
> 
> Polkit's goals seem reasonable. I hear suggestions that "polkit's
> goals should be accomplished with another mechanism"; groovy! What is
> that mechanism? If not polkit, what? I'm a sudo-only user myself by
> nature, but I find it difficult to criticize something that lets me
> configure bluetooth devices more easily.
> 
> t
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

assign bluetooth devices to a group, and make sure users that should be
able to access the hardware are in that group, also

add the 'user' mount option to things like cdroms to allow unprivileged
uses to mount the media.
/dev/sr0/media/cdrom0
auto,user,ro  0   0
#Compact Discs


-- 
 ___ 
/ leverage, n.: \
|   |
| Even if someone doesn't care what the |
| world thinks  |
|   |
| about them, they always hope their|
\ mother doesn't find out.  /
 --- 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Gastón via Dng]

On Thu, Feb 13, 2020 at 10:27:50PM -0300, Gastón wrote:
> On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
> > On Thu, 9 Jan 2020 16:50:15 +
> > Mark Hindley  wrote:
> > 
> > > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely via Dng
> > > wrote:
> > > > Hi,
> > > > 
> > > > is there a recommended GUI package browser for Devuan?
> > > > 
> > > > After migrating, synaptic isn't installed.  If I try to install it,
> > > > it says it needs policykit-1.  Since the latter seems to be akin to
> > > > systemd, I reply 'n'.
> > > 
> > > I really don't think that is true. There is no direct relationship
> > > between policykit-1 and systemd. And our policykit works with either
> > > elogind or consolekit, so you have options.
> > > 
> > > If you want a integrated gui desktop that allows you to do privileged
> > > things like install packages, you will need policykit-1 or something
> > > similar.
> > > 
> > > Alternatively, use apt or aptitude from the commandline.
> > > 
> > > Mark
> > > ___
> > 
> > Sorry, can you explain why exactly polkit is needed here? What is wrong
> > with what everyone was doing before polkit which was gksu or gksudo?
> > 
> gksu is no longer available from Beowulf. Now, apparently, you have to
> use: pkexec
> 
> I'm in touch with the GNU/EterTics developer and he's having trouble
> running d-i from Live Mode on a beta version with Beowulf he's testing.
> 
> He used to launch the d-i from Live mode using this command:
> `su-to-root -X -c /usr/sbin/debian-installer-launcher`, but su-tu-root is
> no longer available.
> 
> When he wants to launch the d-i from Live mode using this command:
> `pkexec /usr/sbin/debian-installer-launcher` , the installer does not
> start in GUI mode.
> 
> Yesterday we tried several alternatives, like this one, but without
> success:
> 
> We tried running it this way: 
> `pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
> /usr/sbin/debian-installer-launcher` , with this it tries to open a
> window, but closes immediately. 
> 
> We couldn't get pkexec to run the d-I in GUI mode from live-version. 
> Nor is there much documentation about its use available.
> 
> Has anyone been through this using pkexec?
> 
> 

Hi again, thank you very much for all the suggestions that you shared
with us.

Finally we find a solution.

What was the problem? If we created an ISO image of Devuan Beowulf with
Mate, and we wanted to run d-i from live mode, it did not run in GUI
mode, it opened in text mode. Using su-to-root and pkexec.

On the other hand, if we tried the same from a Devuan Beowulf ISO with
XFCE or LXQt, it works without problems. Using su-to-root, d-i runs in
GUI mode. ¯\_(ツ)_/¯

After trying in many ways, we managed to get the launcher to work in the
Mate version using this command:

`pkexec mate-terminal -e /usr/sbin/debian-installer-launcher`

We were left wondering why in XFCE it works with su-to-root and with
Mate we have to resort to launching it using pkexec in that way?

Thanks again :)


PS: In this URL: http://distro.misiones.gob.ar/ultima/beta/ 
are the beta versions where we were doing the tests,
there is a version with XFCE, another with Mate and one that includes
both. The version with Mate has already corrected the command in the d-i
launcher on the desktop, but you can try running from the terminal with:
`su-to-root -X -c /usr/sbin/debian-installer-launcher` or 
`pkexec /usr/sbin/debian-installer-launcher` to see the behavior.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[tekHedd]

On Sat, Mar 7, 2020, at 5:37 PM, Rick Moen wrote:
> Quoting tekHedd (tekh...@byteheaven.net):
> 
> > Cool software doesn't really happen without the ability for apps to
> > communicate and read/write the state of the system and communicate
> > with other user level components.
> 
> If so, so what?  This doesn't in any way suggest need for a new extra
> system authentication layer.  By default, all software running under the
> user's EUID can intercommunicate as peers.  So, given that, and taking
> as true for the sake of discussion your assertion above, what would
> polkit or a workalike add, given that apps can already do what you said
> is desirable?
> 
> I don't know, man.  Perhaps we're somehow failing to communicate, on
> that point.

I believe I see your point. Each app is responsible for deciding which actions 
to allow, or they have no security. In the end though you need to communicate, 
and you need to map those communications to authorized actions. The current 
toolkits fill these general needs, if perhaps suboptimally.

A quick analysis of polkit performed by the simple method of "trying to 
uninstall it on a working system" shows that it is required by:

 * synaptic etc
 * colord (!)

and recommend by:

 * blueman
 * cups
 * elogind
 * the desktop (xfce in my case)
 * udisks2
 * upower2

Which is what I'd expect. System management apps using polkit to decide whether 
to allow specific actions.

There are two correct answers to the thread: 1) polkit is not needed because 
you can accomplish all this with "sudo" and also 2) "you need polkit if you 
want to be able to manage local system things like disks and bluetooth devices 
from friendly UI programs without sudo".

One difference between polkit and d-bus is you can sum up polkit's requirements 
in one sentence. :) 

Polkit's goals seem reasonable. I hear suggestions that "polkit's goals should 
be accomplished with another mechanism"; groovy! What is that mechanism? If not 
polkit, what? I'm a sudo-only user myself by nature, but I find it difficult to 
criticize something that lets me configure bluetooth devices more easily.

t
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Steve Litt]

On Sat, 7 Mar 2020 16:47:00 -0800
tom  wrote:

> The ONLY thing I am using DBUS for on my systems is for notifications.
> Be it have something blip in the top right of my monitor when I get an
> email, or gmusicplayer changes a song. psi-plus (XMPP client) is able
> to read MPRISv2 over dbus to update my presence information with the
> song i'm currently listening to.
> 
> Other than that that is the only thing dbus is useful for that I can
> see. But I am sure there is a more elegant way to handle desktop
> notifications.

It's called dunst, and it's pretty good.

 
SteveT

Steve Litt 
February 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[tom]

On Fri, 06 Mar 2020 15:25:55 -0700
tekHedd  wrote:

> On Fri, Mar 6, 2020, at 12:51 PM, Hendrik Boom wrote:
> > On Thu, Mar 05, 2020 at 02:09:37PM +0100, Didier Kryn wrote:
> > > Le 03/03/2020 à 23:37, tekHedd a écrit :
> > > > 
> > > > So, I would consider rewriting polkit and dbus from scratch.
> > > > 
> > > > Also, who has time to rewrite polkit and dbus from scratch?
> > 
> > What are the actual requirements for a dbus-like system?
> > Requirements that would allow a completely different design?
> 
> Exactly. Are there even requirements supporting the current design?
> Were there ever requirements at all? We can easily see what it does,
> but it's really hard to determine what it *needs* to do. 
> 
> Bad sign: You know you've chosen poorly the moment you are
> simultaneously offering a) broadcast messaging and b) guaranteed
> delivery.
> 
> A google search for d-bus requirements turns up, well, documentation
> of its current architecture. No requirements. Also contains this
> choice quote:
> 
> "The usage of D-Bus is steadily expanding beyond the initial scope of
> desktop environments to cover an increasing amount of system
> services. For instance, NetworkManager network daemon, BlueZ
> bluetooth stack and Pulseaudio sound server use D-Bus to provide part
> or all of its services. systemd uses the D-Bus wire protocol for
> communication between systemctl and systemd, and is also promoting
> traditional system daemons to D-Bus services, such as logind.[25]
> Another heavy user of D-Bus is Polkit, whose policy authority daemon
> is implemented as a service connected to the system bus.[26]"
> 
> So... all of the usual suspects. What is absent here? That's right,
> no *other* programs are listed besides the usual suspects. So who
> really uses it? 
> 
> Nothing I can find suggests that dbus is used for anything essential,
> besides possibly polkit. And there's nothing suggesting that polkit
> needs to be implemented via dbus. Therefore, you could eliminate dbus
> entirely and rethink polkit's implementation without undue impact,
> assuming you are ditching systemd and friends of course.
> 
> (I realize I'm skirting "devil's advocate" territory here...)
> 
> t
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

The ONLY thing I am using DBUS for on my systems is for notifications.
Be it have something blip in the top right of my monitor when I get an
email, or gmusicplayer changes a song. psi-plus (XMPP client) is able
to read MPRISv2 over dbus to update my presence information with the
song i'm currently listening to.

Other than that that is the only thing dbus is useful for that I can
see. But I am sure there is a more elegant way to handle desktop
notifications.

but to me clear i'm talking purely about dbus, not polkit

-- 
 _ 
< You love peace. >
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Rick Moen]

Quoting tekHedd (tekh...@byteheaven.net):

> Cool software doesn't really happen without the ability for apps to
> communicate and read/write the state of the system and communicate
> with other user level components.

If so, so what?  This doesn't in any way suggest need for a new extra
system authentication layer.  By default, all software running under the
user's EUID can intercommunicate as peers.  So, given that, and taking
as true for the sake of discussion your assertion above, what would
polkit or a workalike add, given that apps can already do what you said
is desirable?

I don't know, man.  Perhaps we're somehow failing to communicate, on
that point.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 06/03/2020 à 20:51, Hendrik Boom a écrit :

What are the actual requirements for a dbus-like system?  Requirements
that would allow a completely different design?


    There must have been requirements. At the time KDE had its own 
middleware called DCOP and Gnome had or was developping its own. I guess 
they both had requirements and they devised a superset.



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[tekHedd]

On Fri, Mar 6, 2020, at 12:51 PM, Hendrik Boom wrote:
> On Thu, Mar 05, 2020 at 02:09:37PM +0100, Didier Kryn wrote:
> > Le 03/03/2020 à 23:37, tekHedd a écrit :
> > > 
> > > So, I would consider rewriting polkit and dbus from scratch.
> > > 
> > > Also, who has time to rewrite polkit and dbus from scratch?
> 
> What are the actual requirements for a dbus-like system?  Requirements 
> that would allow a completely different design?

Exactly. Are there even requirements supporting the current design? Were there 
ever requirements at all? We can easily see what it does, but it's really hard 
to determine what it *needs* to do. 

Bad sign: You know you've chosen poorly the moment you are simultaneously 
offering a) broadcast messaging and b) guaranteed delivery.

A google search for d-bus requirements turns up, well, documentation of its 
current architecture. No requirements. Also contains this choice quote:

"The usage of D-Bus is steadily expanding beyond the initial scope of desktop 
environments to cover an increasing amount of system services. For instance, 
NetworkManager network daemon, BlueZ bluetooth stack and Pulseaudio sound 
server use D-Bus to provide part or all of its services. systemd uses the D-Bus 
wire protocol for communication between systemctl and systemd, and is also 
promoting traditional system daemons to D-Bus services, such as logind.[25] 
Another heavy user of D-Bus is Polkit, whose policy authority daemon is 
implemented as a service connected to the system bus.[26]"

So... all of the usual suspects. What is absent here? That's right, no *other* 
programs are listed besides the usual suspects. So who really uses it? 

Nothing I can find suggests that dbus is used for anything essential, besides 
possibly polkit. And there's nothing suggesting that polkit needs to be 
implemented via dbus. Therefore, you could eliminate dbus entirely and rethink 
polkit's implementation without undue impact, assuming you are ditching systemd 
and friends of course.

(I realize I'm skirting "devil's advocate" territory here...)

t
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Hendrik Boom]

On Thu, Mar 05, 2020 at 02:09:37PM +0100, Didier Kryn wrote:
> Le 03/03/2020 à 23:37, tekHedd a écrit :
> > 
> > So, I would consider rewriting polkit and dbus from scratch.
> > 
> > Also, who has time to rewrite polkit and dbus from scratch?

What are the actual requirements for a dbus-like system?  Requirements 
that would allow a completely different design?

> > * dbus probably not salvageable, also deeply integrated into every 
> > possible program; consider dbus compatibility shim D:
>     By definition, a shim preserves the API, and I consider the problem of
> Dbus is precisely its API.

Preserving the API would not be done by the new system; the shim is to 
allow old software to continue running until it was rewritten.

(And yes, I know there's nothing so permanent as a temporary building.)

-- hendrik
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[tekHedd]

On Wed, Mar 4, 2020, at 9:42 PM, Rick Moen wrote:
> Quoting tekHedd (tekh...@byteheaven.net):
> 
> > Re this thread, clearly a multi-user system with a GUI does need
> > polkit and /some/ sort of dbus mechanism (which I will henceforth
> > refer to as the "dbus mechanism" as if it were some sort of doomsday
> > device). 
> 
> I don't think I buy that assumption, at all.  Users who need access to a
> sound device can be added to the group with privileges to that sound
> advice, etc.  Proper user-friendly administrative tools can front-end
> that granting of user privilege.  A whole new system layer to regulate
> access to everything strikes me a solution in search of a problem.

Cool software doesn't really happen without the ability for apps to communicate 
and read/write the state of the system and communicate with other user level 
components. I maintain that at the core of each of these new annoying packages 
is genuine user need, combined with poor execution and massive feature creep.  

And the reason for this:

 - execution is actually difficult
 - requirements management is more difficult

I think most people on this list would agree that the core requirements could 
have been/should be solved without creating a configuration nightmare and/or 
discarding the UNIX paradigm. I maintain that this can be accomplished by 
isolating the actual requirements that are the reason polkit/dbus are shipped 
on every system, and separating them from the "other things that these things 
also do". 

Mind you, I'm not sure /why/ I care, maybe it's because I like using Linux. :)

> dbus as a generic object-and-message-passing mechanism seems per-se
> harmless enough, but the history of component software using a messaging
> bus (e.g., CORBA, KCOP, Microsoft's OLE) is wretched and wasteful enough

DCOM  :/

Yeah, dbus is extra sad considering that it came after all that. Message 
systems can be handy, but I agree: the implementation was (obviously?) not 
driven by requirements other than that of a developer going "wouldn't it be 
neat if I made a thing called dbus".  My hypothesis is not "dbus is needed" but 
rather that "projects that use dbus are /sometimes/ driven by a genuine need 
that is not solved elsewhere". Hmm, perhaps scraping the dbus issue tracker for 
past feature requirements would confirm or disprove this..

I don't know, maybe it's not a solvable problem.

t
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 03/03/2020 à 23:37, tekHedd a écrit :

On Tue, Feb 25, 2020, at 3:28 AM, Didier Kryn wrote:

Le 25/02/2020 à 09:05, Steve Litt a écrit :

On Mon, 24 Feb 2020 12:21:16 +
Daniel Abrecht via Dng  wrote:

...

Without dbus, applications & daemons could do similar things using
unix sockets. ...

      Yep, socket, signals, fifos, inotify, netlink, semaphores,
shared-memory, what else?

      It's probably possible to build some well thought middleware with
these, but Dbus isn't that one.

^^ This has been in the back of my mind for some time. In the last few years, 
we have been inspired to collect a fairly complete set of requirements for what 
polkit, dbus (and init :) need to do, and what they don't. In great detail. 
Requirements are great, because once you have them you can do a much better job 
of designing software.

Surely it is time to boil down the dbus/polkit requirements and and start over. 
Preferably with sane limitations on scope and configuration mechanisms. I mean, 
I'm just thinking out loud here something that I've been thinking for about 6 
months.

As it stands now, these systems can serve as a good proof of concept from which 
to harvest requirements. This is not a *fun* project. Speaking as a programmer, 
sysadm, and end user, I would gladly never touch dbus again, and I've gone out 
of my way to avoid using or installing it since my initial contact and my life 
has been better for it. But I mean, basic publish-subscribe message 
functionality doesn't /have/ to be a nightmare does it? Surely this was not a 
requirement? :) Polkit doesn't /have/ to be a total pain to configure? Surely 
ease of configuration should have been a top-level requirement for polkit, and 
a clean programming api and sensible message naming should have been first-pass 
requirements for dbus?
    Except that making it a nightmare may be a requirement for people 
who make their buisness out of complexity, as Steve already explained 
several times (~:


Re this thread, clearly a multi-user system with a GUI does need polkit and /some/ sort 
of dbus mechanism (which I will henceforth refer to as the "dbus mechanism" as 
if it were some sort of doomsday device). But it doesn't have to be polkit as currently 
shipping. And clearly The DBus Mechanism just needs a do-over. Both of these things can 
be very useful even if done badly, as demonstrated by their current incarnation.



    I'm not sure Polkit is necessary. In practice the multi-user 
concept applies to servers while Dbus, Polkit and the like belong to 
Freedesktop and are forced in by dependencies only when it come to 
installing DE's, that is mostly on single user machines. But I admit 
such a tool is usefull, provided it is KISS.





So, I would consider rewriting polkit and dbus from scratch.

Also, who has time to rewrite polkit and dbus from scratch?

* polkit might be salvageable?
    Plokit would have to provide some benefit with respect to sudo, 
because its functionning and configuration are far more complicated.

* dbus probably not salvageable, also deeply integrated into every possible 
program; consider dbus compatibility shim D:
    By definition, a shim preserves the API, and I consider the problem 
of Dbus is precisely its API.

Just thinking aloud. Also, hi.


    You're not the only one on this list (~:

    Didier


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Rick Moen]

Quoting tekHedd (tekh...@byteheaven.net):

> Re this thread, clearly a multi-user system with a GUI does need
> polkit and /some/ sort of dbus mechanism (which I will henceforth
> refer to as the "dbus mechanism" as if it were some sort of doomsday
> device). 

I don't think I buy that assumption, at all.  Users who need access to a
sound device can be added to the group with privileges to that sound
advice, etc.  Proper user-friendly administrative tools can front-end
that granting of user privilege.  A whole new system layer to regulate
access to everything strikes me a solution in search of a problem.

dbus as a generic object-and-message-passing mechanism seems per-se
harmless enough, but the history of component software using a messaging
bus (e.g., CORBA, KCOP, Microsoft's OLE) is wretched and wasteful enough
that I doubt the competence at software design of coders making
significant use of it, and, again, I see no compelling use-case at all.

-- 
Cheers, "Why doesn't anyone invite copyeditors to parties,
Rick Moen   when we're such cool people out with whom to hang?"
r...@linuxmafia.com-- @laureneoneal (Lauren O'Neal)
McQ! (4x80)
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Simon Hobson]

tekHedd  wrote:

> Surely it is time to boil down the dbus/polkit requirements and and start 
> over. Preferably with sane limitations on scope and configuration mechanisms. 
> I mean, I'm just thinking out loud here something that I've been thinking for 
> about 6 months.

I applaud your thinking, but alas I fear the result may be https://xkcd.com/927/


> Also, who has time to rewrite polkit and dbus from scratch?

Alas I have neither the time nor skills to help with such a project :-(

Simon

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[tekHedd]

On Tue, Feb 25, 2020, at 3:28 AM, Didier Kryn wrote:
> Le 25/02/2020 à 09:05, Steve Litt a écrit :
> > On Mon, 24 Feb 2020 12:21:16 +
> > Daniel Abrecht via Dng  wrote:
> ...
> >> Without dbus, applications & daemons could do similar things using
> >> unix sockets. ...
> 
>      Yep, socket, signals, fifos, inotify, netlink, semaphores, 
> shared-memory, what else?
> 
>      It's probably possible to build some well thought middleware with 
> these, but Dbus isn't that one.

^^ This has been in the back of my mind for some time. In the last few years, 
we have been inspired to collect a fairly complete set of requirements for what 
polkit, dbus (and init :) need to do, and what they don't. In great detail. 
Requirements are great, because once you have them you can do a much better job 
of designing software.

Surely it is time to boil down the dbus/polkit requirements and and start over. 
Preferably with sane limitations on scope and configuration mechanisms. I mean, 
I'm just thinking out loud here something that I've been thinking for about 6 
months.

As it stands now, these systems can serve as a good proof of concept from which 
to harvest requirements. This is not a *fun* project. Speaking as a programmer, 
sysadm, and end user, I would gladly never touch dbus again, and I've gone out 
of my way to avoid using or installing it since my initial contact and my life 
has been better for it. But I mean, basic publish-subscribe message 
functionality doesn't /have/ to be a nightmare does it? Surely this was not a 
requirement? :) Polkit doesn't /have/ to be a total pain to configure? Surely 
ease of configuration should have been a top-level requirement for polkit, and 
a clean programming api and sensible message naming should have been first-pass 
requirements for dbus?

Re this thread, clearly a multi-user system with a GUI does need polkit and 
/some/ sort of dbus mechanism (which I will henceforth refer to as the "dbus 
mechanism" as if it were some sort of doomsday device). But it doesn't have to 
be polkit as currently shipping. And clearly The DBus Mechanism just needs a 
do-over. Both of these things can be very useful even if done badly, as 
demonstrated by their current incarnation.

So, I would consider rewriting polkit and dbus from scratch.

Also, who has time to rewrite polkit and dbus from scratch?

* polkit might be salvageable?
* dbus probably not salvageable, also deeply integrated into every possible 
program; consider dbus compatibility shim D:

Sounds like a medium-sized project. Ideally should be done by someone with a 
big ego and no coding skills, rolling it all in C++ as one huge binary and 
integrating it into systemd. No, wait, that was sarcasm. But seriously, it 
shouldn't be as difficult of a problem to solve, other than the problem of 
inertia keeping the existing hacks in place and the problem of raw development 
effort. But these are core system processes and important. If it were my OS I'd 
be working on replacing these things as a priority because they're core.

Just thinking aloud. Also, hi.
DD
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Daniel Abrecht via Dng]

On 2020-02-25 11:11, Hendrik Boom wrote:

Which is the reason for a capability architecture.  Is there anything
resembling that in GNU/Linux userspace?


Kind of, not really.

There is something similar to role based access control, namely the unix 
file permission model, which is a kind of DAC. Users and groups 
(=roles), can have different permissions on files (reading, writing, 
executing).
Then there are the security modules. These can extend that 
functionality, which is usually used to add some kind of MAC.


For processes / syscalls, Linux has capabilities as a replacement for 
things usually reserved for root, but these usually aren't very useful, 
they are crude and can often be used to escalate to root anyway.
For syscalls, there is also seccomp, but it's hard to use and 
architecture dependent, and it will break applications which use it 
regularly.


Something which is currently missing is a way to manage permissions for 
specific ioctls. Usually, its per device, and some ioctls need need read 
or write permissions to the fd. Sometimes, that's suficent, sometimes 
not.
There is kind of a horrible situation with /dev/dri/card* devices, if I 
remember correctly, you need root for the ioctls to become drm master 
and do modesetting, even if you have read and write permissions to the 
file, which is why this is delegated to logind or a suid binary, I 
think? One way to resolve this would be to splitt those card devices 
into multiple ones, but I don't think that's going to happen. I don't 
think configurable supplementary group based per ioctl permissions are 
going to happen either. Except maybe as an LSM.


One interesting thing about files is that permissions are only checked 
when those are opened. A file descriptor is like an access token. And 
they can be sent over unix sockets, which can also be files. Those file 
descriptors are unrevokable, though.


There is also a small problem with the DAC permission model. A process 
has only one set of user, group, supplementary groups. This means, 
either you can use them to restrict a program, or you can use them to 
restrict a user, but you can't have restrictions based on a user and a 
program. I was thinking a lot about this at some point, and wanted to 
write an LSM for that at some point, but I never got to to it. I did 
write down my thoughts, although retrospectively, I did make various 
mistakes and misused some terminology there in there: 
https://github.com/Daniel-Abrecht/Discretionary-Program-Access-Control/blob/proposal/Discretionary%20Program%20Access%20Control.md


It's possible that there are still some other access control mechanisms 
I don't know of yet.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[aitor]

Hi Tom
En 25 de febrero de 2020 18:39:51 tom 
 escribió:



On Mon, 24 Feb 2020 14:33:25 +0100
Tito via Dng  wrote:


and only for known "safe" commands. For everything else, it'd be much
better to just log in on a tty as root. Same goes for su.


for sudo only if set


userALL=(ALL:ALL) ALL


or if the user is added to the sudo group


# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL


if used for single commands it should not be a problem
unless you allow to open a root xterm
To replace su or sudo binary you need root so at this point
the system is already compromised.
The use with no password solves one problem but creates others
like everybody being able to wreck the system with synaptic
or gparted as soon as they find an unattended desktop.
Don't want my mom to use synaptic..just mail and browser.

just so you know, it's more traditional and portable to allow the wheel
group to sudo, not have a separate sudo group.
https://en.wikipedia.org/wiki/Wheel_%28computing%29
%wheel   ALL=(ALL:ALL) ALL


Wheel seems to be analogous to sudo, but focused to other diferent unix 
systems (like, for example, BSD). Am I wrong?


Aitor.



Enviado con AquaMail para Android
https://www.mobisystems.com/aqua-mail


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[tom]

On Mon, 24 Feb 2020 14:33:25 +0100
Tito via Dng  wrote:

> and only for known "safe" commands. For everything else, it'd be much
> better to just log in on a tty as root. Same goes for su.
> 
> for sudo only if set
> 
> userALL=(ALL:ALL) ALL
> 
> or if the user is added to the sudo group
> 
> # Allow members of group sudo to execute any command
> %sudo   ALL=(ALL:ALL) ALL
> 
> if used for single commands it should not be a problem
> unless you allow to open a root xterm
> To replace su or sudo binary you need root so at this point
> the system is already compromised.
> The use with no password solves one problem but creates others
> like everybody being able to wreck the system with synaptic
> or gparted as soon as they find an unattended desktop.
> Don't want my mom to use synaptic..just mail and browser.
just so you know, it's more traditional and portable to allow the wheel
group to sudo, not have a separate sudo group.
https://en.wikipedia.org/wiki/Wheel_%28computing%29
%wheel   ALL=(ALL:ALL) ALL

-- 
  
/ Hello... IRON CURTAIN? Send over a \
| SAUSAGE PIZZA! World War III? No   |
\ thanks!/
  
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[fsmithred via Dng]

On 2/24/20 7:21 AM, Daniel Abrecht via Dng wrote:

> One last, only partially related thing. Does anyone know how to get polkit
> agents working properly? If I start `lxqt-policykit-agent`, for example,
> pkexec won't work. If I start it as `su -c 'lxqt-policykit-agent'`, it
> does, but I'm pretty sure that's not the right way to do this. I'm
> currently on devuan beowulf, but I think debian users may have similar
> problems, I think systemd/logind people may have broken something in
> polkit...
> 
> 
> Regards,
> Daniel Abrecht
>
I have a beowulf lxqt in a VM, and synaptic-pkexec works correctly.

Here's all the lxqt, policykit and polkit stuff that's running:


user  2438  2429  0 10:09 ?00:00:00 lxqt-session
root  2479 1  0 10:09 ?00:00:00
/usr/lib/policykit-1/polkitd --no-debug
user  2491  2438  0 10:09 ?00:00:00 /usr/bin/pcmanfm-qt
--desktop --profile=lxqt
user  2492  2438  0 10:09 ?00:00:00 /usr/bin/lxqt-globalkeysd
user  2493  2438  0 10:09 ?00:00:00 /usr/bin/lxqt-notificationd
user  2494  2438  1 10:09 ?00:00:03 /usr/bin/lxqt-panel
user  2495  2438  0 10:09 ?00:00:00 /usr/bin/lxqt-policykit-agent
user  2498  2438  0 10:09 ?00:00:00 /usr/bin/lxqt-runner
user  2669  2438  0 10:09 ?00:00:00 /usr/bin/lxqt-powermanagement


Here's a list of all the kit-related packages that are installed.

ii  elogind   241.3-1
amd64user, seat and session management daemon
ii  gir1.2-polkit-1.0 0.105-25+devuan7~beowulf1
amd64GObject introspection data for PolicyKit
ii  libelogind0:amd64 241.3-1
amd64user, seat and session management library
ii  libpam-cap:amd64  1:2.25-2
amd64POSIX 1003.1e capabilities (PAM module)
ii  libpam-elogind:amd64  241.3-1
amd64elogind PAM module
ii  libpam-gnome-keyring:amd643.28.2-5
amd64PAM module to unlock the GNOME keyring upon login
ii  libpam-modules:amd64  1.3.1-5
amd64Pluggable Authentication Modules for PAM
ii  libpam-modules-bin1.3.1-5
amd64Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime1.3.1-5
all  Runtime support for the PAM library
ii  libpam0g:amd641.3.1-5
amd64Pluggable Authentication Modules library
ii  libpolkit-agent-1-0:amd64 0.105-25+devuan7~beowulf1
amd64PolicyKit Authentication Agent API
ii  libpolkit-backend-1-0 0.105-25+devuan7~beowulf1
all  PolicyKit Authorization API
ii  libpolkit-backend-elogind-1-0:amd64   0.105-25+devuan7~beowulf1
amd64PolicyKit backend API
ii  libpolkit-gobject-1-0 0.105-25+devuan7~beowulf1
all  PolicyKit Authorization API
ii  libpolkit-gobject-elogind-1-0:amd64   0.105-25+devuan7~beowulf1
amd64PolicyKit Authorization API
ii  libpolkit-qt5-1-1:amd64   0.112.0-6
amd64PolicyKit-qt5-1 library
ii  lxqt-policykit0.14.1-1
amd64LXQt authentication agent for PolicyKit
ii  lxqt-policykit-l10n   0.14.1-1
all  Language package for lxqt-policykit
ii  policykit-1   0.105-25+devuan7~beowulf1
amd64framework for managing administrative policies and privileges

HTH,
fsmithred
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Hendrik Boom]

On Tue, Feb 25, 2020 at 03:05:27AM -0500, Steve Litt wrote:
> On Mon, 24 Feb 2020 12:21:16 +
> Daniel Abrecht via Dng  wrote:
> 
> 
> > So next, why is dbus needed?
> > dbus is a message bus. There usually is one for the whole system, and 
> > one for each session.
> > There are various uses and missuses for it, but I think the most
> > crucial things are:
> >   * Notify any process interested in something of these things.
> >   * Tell other programs which can do something to do something.
> 
> The cost is the world's biggest modularity global variable. Everyone
> can write it, everyone can read it. Yeah, there are ways of aiming a
> dbus message at a specific process (I think), but just tracing stuff
> through dbus is incredibly daunting.
> 
> > This can be useful for various things, for example:
> >   * A program may want to now if a device got rotated, so it can
> > rotate a screen.
> 
> Or, you can use dmenu to call a script that rotates the screen. It's
> not automagical, but it gets the ultimate railroad switchyard dbus out
> of the loop.
> 
> >   * A wlan management gui may want to tell it's daemon that it shall 
> > connect to a wlan, and it may want to know what connections it
> > already has and manages.
> 
> Sockets (You address this later).
> 
> >   * A phone call application may want to ring when a call arrives, or
> > it may want to let the user initiate a call.
> 
> I don't understand the relationship between this one and dbus. Phone
> call comes in, the app decides what to do.
> 
> > 
> > Now, those examples are mainly things that would need the system bus.
> > I couldn't come up with a good example solely within a user
> > session/bus, but I'm sure these exist too, especially because dbus
> > doesn't need a graphical session.
> > 
> > And with that, back to polkit. 
> 
> My understanding is that the systemd folks have coopted/kidnapped
> polkit. If that's true, my life would be simpler doing a few things
> manually, or writing a few more shellscripts.
> 
> > It'd be bad if just
> > everyone/everything could do system level stuff, so per default,
> > noone can. But that would make dbus useless for a lot of things.
> > This is the problem polkit is there to solve, there are config files 
> > specifying who (user, group, etc.) can see/use which methods calls, 
> > signals/messages, etc.
> 
> I can't think of it at a moment's notice, but there's got to be a
> better way than the global switchyard dbus and the systemd coopted
> polkit.
> > 
> > Without dbus, applications & daemons could do similar things using
> > unix sockets. However, then, every application would need their own
> > socket, permission management, configs, etc. 
> 
> The preceding is true only if every app needed to be in every other
> app's business. For the vast majority of them, this just isn't true.
> For the few that need this, there are sockets, fifos, and signals.
> 
> 
> > This would have the same
> > security implications as just using dbus, which also just uses unix
> > sockets, but would leave a bigger attack surface, and a lot of
> > scattered security critical configs with different formats.
> 
> If every app required it. In a client-server situation, the user of the
> server would need to be in a specific group. If it's even that
> important. I don't really care if somebody else gets into my mplayer
> fifo.
> 
> > 
> > Now, there is also the approach of using a suid binary for the 
> > privileged stuff. As a good and bad thing, just like sudo, this can't 
> > escape a container, unlike a unix socket passed to one could.
> > However, it would leave the problem of a bigger attack surface, and a
> > lot of scattered security critical configs with different formats,
> > and is very difficult to get right.
> 
> I think suid binaries have fallen out of favor, for the reasons you
> mention.
> 
> In summary, I would fully agree with you if everything absolutely had
> to talk to everything else. But such permiscuous talking leads to all
> sorts of problems. Encapsulation is a wonderful thing for stability and
> maintainability.

Which is the reason for a capability architecture.  Is there anything
resembling that in GNU/Linux userspace?

-- hendrik

> 
> SteveT
> 
> Steve Litt 
> February 2020 featured book: Thriving in Tough Times
> http://www.troubleshooters.com/thrive
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 25/02/2020 à 09:05, Steve Litt a écrit :

On Mon, 24 Feb 2020 12:21:16 +
Daniel Abrecht via Dng  wrote:

...

Without dbus, applications & daemons could do similar things using
unix sockets. However, then, every application would need their own
socket, permission management, configs, etc.

The preceding is true only if every app needed to be in every other
app's business. For the vast majority of them, this just isn't true.
For the few that need this, there are sockets, fifos, and signals.


    Yep, socket, signals, fifos, inotify, netlink, semaphores, 
shared-memory, what else?


    It's probably possible to build some well thought middleware with 
these, but Dbus isn't that one.


    Dbus more complicated than the others, and cast against C++ 
concepts, which isn't  a sign of quality. It was designed to match the 
needs of the two biggest integrated blobs ever written for Linux, Gnome 
and KDE. The aim is to "facilitate" a few things for the user, but it's 
a little gain for a huge cost.



This would have the same
security implications as just using dbus, which also just uses unix
sockets, but would leave a bigger attack surface, and a lot of
scattered security critical configs with different formats.

If every app required it. In a client-server situation, the user of the
server would need to be in a specific group. If it's even that
important. I don't really care if somebody else gets into my mplayer
fifo.


Now, there is also the approach of using a suid binary for the
privileged stuff. As a good and bad thing, just like sudo, this can't
escape a container, unlike a unix socket passed to one could.
However, it would leave the problem of a bigger attack surface, and a
lot of scattered security critical configs with different formats,
and is very difficult to get right.

I think suid binaries have fallen out of favor, for the reasons you
mention.

    Well, suid binaries are still the only way to obtain root 
priviledge. pkexec is one more; it does the same thing as login, su, and 
sudo, in a different way.


    Didier

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Steve Litt]

On Mon, 24 Feb 2020 12:21:16 +
Daniel Abrecht via Dng  wrote:


> So next, why is dbus needed?
> dbus is a message bus. There usually is one for the whole system, and 
> one for each session.
> There are various uses and missuses for it, but I think the most
> crucial things are:
>   * Notify any process interested in something of these things.
>   * Tell other programs which can do something to do something.

The cost is the world's biggest modularity global variable. Everyone
can write it, everyone can read it. Yeah, there are ways of aiming a
dbus message at a specific process (I think), but just tracing stuff
through dbus is incredibly daunting.

> This can be useful for various things, for example:
>   * A program may want to now if a device got rotated, so it can
> rotate a screen.

Or, you can use dmenu to call a script that rotates the screen. It's
not automagical, but it gets the ultimate railroad switchyard dbus out
of the loop.

>   * A wlan management gui may want to tell it's daemon that it shall 
> connect to a wlan, and it may want to know what connections it
> already has and manages.

Sockets (You address this later).

>   * A phone call application may want to ring when a call arrives, or
> it may want to let the user initiate a call.

I don't understand the relationship between this one and dbus. Phone
call comes in, the app decides what to do.

> 
> Now, those examples are mainly things that would need the system bus.
> I couldn't come up with a good example solely within a user
> session/bus, but I'm sure these exist too, especially because dbus
> doesn't need a graphical session.
> 
> And with that, back to polkit. 

My understanding is that the systemd folks have coopted/kidnapped
polkit. If that's true, my life would be simpler doing a few things
manually, or writing a few more shellscripts.

> It'd be bad if just
> everyone/everything could do system level stuff, so per default,
> noone can. But that would make dbus useless for a lot of things.
> This is the problem polkit is there to solve, there are config files 
> specifying who (user, group, etc.) can see/use which methods calls, 
> signals/messages, etc.

I can't think of it at a moment's notice, but there's got to be a
better way than the global switchyard dbus and the systemd coopted
polkit.
> 
> Without dbus, applications & daemons could do similar things using
> unix sockets. However, then, every application would need their own
> socket, permission management, configs, etc. 

The preceding is true only if every app needed to be in every other
app's business. For the vast majority of them, this just isn't true.
For the few that need this, there are sockets, fifos, and signals.


> This would have the same
> security implications as just using dbus, which also just uses unix
> sockets, but would leave a bigger attack surface, and a lot of
> scattered security critical configs with different formats.

If every app required it. In a client-server situation, the user of the
server would need to be in a specific group. If it's even that
important. I don't really care if somebody else gets into my mplayer
fifo.

> 
> Now, there is also the approach of using a suid binary for the 
> privileged stuff. As a good and bad thing, just like sudo, this can't 
> escape a container, unlike a unix socket passed to one could.
> However, it would leave the problem of a bigger attack surface, and a
> lot of scattered security critical configs with different formats,
> and is very difficult to get right.

I think suid binaries have fallen out of favor, for the reasons you
mention.

In summary, I would fully agree with you if everything absolutely had
to talk to everything else. But such permiscuous talking leads to all
sorts of problems. Encapsulation is a wonderful thing for stability and
maintainability.

SteveT

Steve Litt 
February 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 25/02/2020 à 08:17, marc a écrit :

Hello


I would like to add my point of view to the polkit debate.

And they are well thought out comments :)


All things considered, I think for the purpose of interacting with system
level daemons/services and managing related permissions, especially in cases
more complex than simply shutting down the system for example, dbus + polkit
is a very nice solution, especially considering the alternatives. It does
have some flaws, though, such as noone knowing how to correctly configure
it, for example.

I think that isn't quite enough to redeem polkit. I have the following
reservations about it - it is written by the same/similar group that
has written systemd, and many of their design decisions are very poor
IMNSHO (I'd like use stronger words) and they have a habit of merging/entangling
their code so that it becomes one big hairy mess. Devuan maintainers know
how hard it is to disentangle that.

On the systems I run, my first step is to remove avahi, pulse, systemd
(thanks devuan), polkit, network manager and dbus. I find after that the
system uses way less RAM and behaves more predictably - so when I configure
it, it stays configured.

The critique of polkit specifically relates to its poor config
infrastructure - it is written in XML, this not only drags in another
huge dependency, but is just ugly. XML was the fashion a decade or two
ago, but is a bad idea for config files. It might be human readable,
but barely so...

The other problem of polkit and dbus is that it breaks the inheritance model
of unix (a process is a child of some other one and inherits a subset of
its capabilities, ignoring setuid). Changing this adds many complications,
and makes chroot and containers a lot more complex to secure...


Regarding gksudo, I think it's intended use case is an awful thing as well.
The very Idea of asking for a users password for starting a more privileged
process is a bad one. It means that if the user account is breached, as soon
as sudo or gksudo is used to obtain root, it could have been replaced (z.B.
by changing the PATH, setting an alias, etc.) by an attacker to get the
password instead, and then compromise the rest of the system. In my opinion,
sudo should always be used in such a way as to work without password, and
only for known "safe" commands. For everything else, it'd be much better to
just log in on a tty as root. Same goes for su.

No argument with that - that is a most sound argument. I would be
nice if distributions could make that part of their standard documentation
("to upgrade a package, please press control-alt-F2, log in as root
and type xxx"). There is even a fancy word we can use for "control-alt-F2",
the "trusted path" or maybe even the "secure attention" keys. Maybe even
reserve a certain tty so that a login there spawns the package management 
tool...

regards

marc


    Sorry, but synaptic is popular for a reason: it gives a large and 
sensible view of packages, something apt or apt-get can't do.


    For what concerns aptitude, I've seen two persons able to make 
sense out of it, but I never could.


        Didier


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[tom]

On Mon, 24 Feb 2020 13:46:46 +0100
Didier Kryn  wrote:

> Le 24/02/2020 à 10:44, aitor a écrit :
> > Hi Didier,
> >
> > En 24 de febrero de 2020 10:01:33 Didier Kryn 
> > escribió:
> >
> >> Le 24/02/2020 à 01:16, Aitor a écrit :
> >>>
> >>> Hi Tito,
> >>>
> >>> On 23/2/20 17:02, Tito via Dng wrote:
>  Why use 2 binaries rather than one, more programs, more code,
>  more communication in between them equals to more attack surface.
>  I would stay with just one suid binary, more so if you want to
>  go the su-only route.
> >>> I'll answer to this question in more detail: the requeriment of
> >>> suid privilegies implies an additional (non GUI) binary due to
> >>> the fact that the usage of any GTK suid binary is impossible.
> >>> Read here:
> >>>
> >>> http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html
> >>     Does it mean that synaptic works that way with droping
> >> priviledges in the GUI?
> >>
> >>     Didier
> >
> > Synaptic is run as root via sudo/su. There are no suid privilegies
> 
>      Hi Aitor.
> 
>      Sure, but it is running a GUI with root priviledge. I thought
> this was the danger and I understood this was forbidden in GTK+.
> 
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

It's not a big deal as long as it's not some crazy bloated mess like a
web browser or something.

-- 
 _ 
/ This is the story of the bee Whose sex  \
| is very hard to see |
| |
| You cannot tell the he from the she But |
| she can tell, and so can he |
| |
| The little bee is never still She has   |
| no time to take the pill|
| |
| And that is why, in times like these|
\ There are so many sons of bees. /
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[marc]

Hello

> I would like to add my point of view to the polkit debate.

And they are well thought out comments :)

> All things considered, I think for the purpose of interacting with system
> level daemons/services and managing related permissions, especially in cases
> more complex than simply shutting down the system for example, dbus + polkit
> is a very nice solution, especially considering the alternatives. It does
> have some flaws, though, such as noone knowing how to correctly configure
> it, for example.

I think that isn't quite enough to redeem polkit. I have the following
reservations about it - it is written by the same/similar group that
has written systemd, and many of their design decisions are very poor
IMNSHO (I'd like use stronger words) and they have a habit of merging/entangling
their code so that it becomes one big hairy mess. Devuan maintainers know
how hard it is to disentangle that. 

On the systems I run, my first step is to remove avahi, pulse, systemd 
(thanks devuan), polkit, network manager and dbus. I find after that the 
system uses way less RAM and behaves more predictably - so when I configure 
it, it stays configured.

The critique of polkit specifically relates to its poor config
infrastructure - it is written in XML, this not only drags in another
huge dependency, but is just ugly. XML was the fashion a decade or two
ago, but is a bad idea for config files. It might be human readable,
but barely so...

The other problem of polkit and dbus is that it breaks the inheritance model
of unix (a process is a child of some other one and inherits a subset of
its capabilities, ignoring setuid). Changing this adds many complications,
and makes chroot and containers a lot more complex to secure...

> Regarding gksudo, I think it's intended use case is an awful thing as well.
> The very Idea of asking for a users password for starting a more privileged
> process is a bad one. It means that if the user account is breached, as soon
> as sudo or gksudo is used to obtain root, it could have been replaced (z.B.
> by changing the PATH, setting an alias, etc.) by an attacker to get the
> password instead, and then compromise the rest of the system. In my opinion,
> sudo should always be used in such a way as to work without password, and
> only for known "safe" commands. For everything else, it'd be much better to
> just log in on a tty as root. Same goes for su.

No argument with that - that is a most sound argument. I would be
nice if distributions could make that part of their standard documentation
("to upgrade a package, please press control-alt-F2, log in as root
and type xxx"). There is even a fancy word we can use for "control-alt-F2", 
the "trusted path" or maybe even the "secure attention" keys. Maybe even
reserve a certain tty so that a login there spawns the package management 
tool...

regards

marc
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Tito via Dng]

On 2/24/20 1:21 PM, Daniel Abrecht via Dng wrote:

Hi

I would like to add my point of view to the polkit debate.
I don't think polkit is bad or unnecessary, it simply has a completely 
different usecase/scope than sudo has.


sudo is for starting a process as an other user provided some preconditions 
(group/user allowed to use it, supplied arguments allowed, etc.) are met.
And it can retain or restrict some resources inherited from the parent process 
(such as environment variables, for example).
Therefore, the use case is to allow some users to execute certain commands in 
certain ways with certain resources.


I know polkit less well, but my current understanding is, that polkit is for 
managing access to stuff on dbus.

So next, why is dbus needed?
dbus is a message bus. There usually is one for the whole system, and one for 
each session.
There are various uses and missuses for it, but I think the most crucial things 
are:
  * Notify any process interested in something of these things.
  * Tell other programs which can do something to do something.

This can be useful for various things, for example:
  * A program may want to now if a device got rotated, so it can rotate a 
screen.
  * A wlan management gui may want to tell it's daemon that it shall connect to 
a wlan, and it may want to know what connections it already has and manages.
  * A phone call application may want to ring when a call arrives, or it may 
want to let the user initiate a call.

Now, those examples are mainly things that would need the system bus. I 
couldn't come up with a good example solely within a user session/bus, but I'm 
sure these exist too, especially because dbus doesn't need a graphical session.

And with that, back to polkit. It'd be bad if just everyone/everything could do 
system level stuff, so per default, noone can. But that would make dbus useless 
for a lot of things.
This is the problem polkit is there to solve, there are config files specifying 
who (user, group, etc.) can see/use which methods calls, signals/messages, etc.


Hi,
Yes inter-process communication can be useful.


Without dbus, applications & daemons could do similar things using unix 
sockets. However, then, every application would need their own socket, permission 
management, configs, etc. This would have the same security implications as just 
using dbus, which also just uses unix sockets, but would leave a bigger attack 
surface, and a lot of scattered security critical configs with different formats.

Now, there is also the approach of using a suid binary for the privileged 
stuff. As a good and bad thing, just like sudo, this can't escape a container, 
unlike a unix socket passed to one could. However, it would leave the problem 
of a bigger attack surface, and a lot of scattered security critical configs 
with different formats, and is very difficult to get right.


Why is the attack surface bigger? Bigger than polkit running a daemon  as root, 
an
agent as the user and having config files scattered all over the place?
 

All things considered, I think for the purpose of interacting with system level 
daemons/services and managing related permissions, especially in cases more 
complex than simply shutting down the system for example, dbus + polkit is a 
very nice solution, especially considering the alternatives. It does have some 
flaws, though, such as noone knowing how to correctly configure it, for example.


Yes I fully agree this is difficult to configure even more so if you use more 
than one DE
and I see the security risk in this complexity, long cryptic config files
that compell you to use sudo or su to get things working.




Regarding pkexec, I think this thing is an abomination. Starting a process is 
absolutely not something which should be done in a way completely disregarding 
resources and restrictions of the spawning process. It's kind of useful for 
checking if polkit works at all, but aside from that, I recommend getting rid 
of it as fast as possible.

Regarding gksudo, I think it's intended use case is an awful thing as well. The very Idea of asking for a users password for starting a more privileged process is a bad one. It means that if the user account is breached, as soon as sudo or gksudo is used to obtain root, it could have been replaced (z.B. by changing the PATH, setting an alias, etc.) by an attacker to get the password instead, and then compromise the rest of the system. In my opinion, sudo should always be used in such a way as to work without password, 

and only for known "safe" commands. For everything else, it'd be much better to 
just log in on a tty as root. Same goes for su.

for sudo only if set

userALL=(ALL:ALL) ALL

or if the user is added to the sudo group

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

if used for single commands it should not be a problem
unless you allow to open a root xterm
To replace su or sudo binary you need root so at this 

Re: [DNG] why is polkit needed? dropin replacement

[Didier Kryn]

Le 24/02/2020 à 10:44, aitor a écrit :

Hi Didier,

En 24 de febrero de 2020 10:01:33 Didier Kryn  escribió:


Le 24/02/2020 à 01:16, Aitor a écrit :


Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:

Why use 2 binaries rather than one, more programs, more code, more
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.

I'll answer to this question in more detail: the requeriment of suid
privilegies implies an additional (non GUI) binary due to the fact
that the usage of any GTK suid binary is impossible.
Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

    Does it mean that synaptic works that way with droping priviledges
in the GUI?

    Didier


Synaptic is run as root via sudo/su. There are no suid privilegies


    Hi Aitor.

    Sure, but it is running a GUI with root priviledge. I thought this 
was the danger and I understood this was forbidden in GTK+.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Daniel Abrecht via Dng]

Hi

I would like to add my point of view to the polkit debate.
I don't think polkit is bad or unnecessary, it simply has a completely 
different usecase/scope than sudo has.



sudo is for starting a process as an other user provided some 
preconditions (group/user allowed to use it, supplied arguments allowed, 
etc.) are met.
And it can retain or restrict some resources inherited from the parent 
process (such as environment variables, for example).
Therefore, the use case is to allow some users to execute certain 
commands in certain ways with certain resources.



I know polkit less well, but my current understanding is, that polkit is 
for managing access to stuff on dbus.


So next, why is dbus needed?
dbus is a message bus. There usually is one for the whole system, and 
one for each session.
There are various uses and missuses for it, but I think the most crucial 
things are:

 * Notify any process interested in something of these things.
 * Tell other programs which can do something to do something.

This can be useful for various things, for example:
 * A program may want to now if a device got rotated, so it can rotate a 
screen.
 * A wlan management gui may want to tell it's daemon that it shall 
connect to a wlan, and it may want to know what connections it already 
has and manages.
 * A phone call application may want to ring when a call arrives, or it 
may want to let the user initiate a call.


Now, those examples are mainly things that would need the system bus. I 
couldn't come up with a good example solely within a user session/bus, 
but I'm sure these exist too, especially because dbus doesn't need a 
graphical session.


And with that, back to polkit. It'd be bad if just everyone/everything 
could do system level stuff, so per default, noone can. But that would 
make dbus useless for a lot of things.
This is the problem polkit is there to solve, there are config files 
specifying who (user, group, etc.) can see/use which methods calls, 
signals/messages, etc.


Without dbus, applications & daemons could do similar things using unix 
sockets. However, then, every application would need their own socket, 
permission management, configs, etc. This would have the same security 
implications as just using dbus, which also just uses unix sockets, but 
would leave a bigger attack surface, and a lot of scattered security 
critical configs with different formats.


Now, there is also the approach of using a suid binary for the 
privileged stuff. As a good and bad thing, just like sudo, this can't 
escape a container, unlike a unix socket passed to one could. However, 
it would leave the problem of a bigger attack surface, and a lot of 
scattered security critical configs with different formats, and is very 
difficult to get right.


All things considered, I think for the purpose of interacting with 
system level daemons/services and managing related permissions, 
especially in cases more complex than simply shutting down the system 
for example, dbus + polkit is a very nice solution, especially 
considering the alternatives. It does have some flaws, though, such as 
noone knowing how to correctly configure it, for example.



Regarding pkexec, I think this thing is an abomination. Starting a 
process is absolutely not something which should be done in a way 
completely disregarding resources and restrictions of the spawning 
process. It's kind of useful for checking if polkit works at all, but 
aside from that, I recommend getting rid of it as fast as possible.


Regarding gksudo, I think it's intended use case is an awful thing as 
well. The very Idea of asking for a users password for starting a more 
privileged process is a bad one. It means that if the user account is 
breached, as soon as sudo or gksudo is used to obtain root, it could 
have been replaced (z.B. by changing the PATH, setting an alias, etc.) 
by an attacker to get the password instead, and then compromise the rest 
of the system. In my opinion, sudo should always be used in such a way 
as to work without password, and only for known "safe" commands. For 
everything else, it'd be much better to just log in on a tty as root. 
Same goes for su.



One last, only partially related thing. Does anyone know how to get 
polkit agents working properly? If I start `lxqt-policykit-agent`, for 
example, pkexec won't work. If I start it as `su -c 
'lxqt-policykit-agent'`, it does, but I'm pretty sure that's not the 
right way to do this. I'm currently on devuan beowulf, but I think 
debian users may have similar problems, I think systemd/logind people 
may have broken something in polkit...



Regards,
Daniel Abrecht
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[aitor]

Hi Didier,

En 24 de febrero de 2020 10:01:33 Didier Kryn  escribió:


Le 24/02/2020 à 01:16, Aitor a écrit :


Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:

Why use 2 binaries rather than one, more programs, more code, more
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the
su-only route.

I'll answer to this question in more detail: the requeriment of suid
privilegies implies an additional (non GUI) binary due to the fact
that the usage of any GTK suid binary is impossible.
Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

Does it mean that synaptic works that way with droping priviledges
in the GUI?

Didier


Synaptic is run as root via sudo/su. There are no suid privilegies.

Cheers,

Aitor.




Enviado con AquaMail para Android
https://www.mobisystems.com/aqua-mail


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Didier Kryn]

Le 24/02/2020 à 01:16, Aitor a écrit :


Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:
Why use 2 binaries rather than one, more programs, more code, more 
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the 
su-only route.
I'll answer to this question in more detail: the requeriment of suid 
privilegies implies an additional (non GUI) binary due to the fact 
that the usage of any GTK suid binary is impossible.

Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

    Does it mean that synaptic works that way with droping priviledges 
in the GUI?


    Didier


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Didier Kryn]

Le 23/02/2020 à 16:26, Aitor a écrit :

On 23/2/20 16:22, Aitor wrote:
- To have a look at the code of ssh-askpass, suggested by Didier 
Krin, whose dialog frame is useful only for X11 and not for wayland.


Kryn :)

    ssh-askpass is just an example. There is certainly something usable 
in wayland. sudo accepts any helper.


        Didier


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[wirelessduck--- via Dng]


On 2020-02-23 22:10, marc wrote:
> If I understand you correctly, you propose a simple gtk
> program that is setuid (so that it can read /etc/shadow, and
> grant root privileges). The problem is that there is no such
> thing as a simple gtk program. This is not comment limited to
> gtk programs - most graphical toolkits and libraries present
> a pretty large attack surface - they contain large protocol
> interpreters and font rendering engines, flaws in which could 
> then be exploited to give root access without any password 
> whatsoever.

The author of XScreenSaver, Jamie Zawinski, has some FAQ [1] entries and a 
separate page [2] explaining why he never used GTK or other graphical toolkits 
for XScreenSaver development. Perhaps some of those ideas may be relevant to 
this gkexec project?

[1] https://www.jwz.org/xscreensaver/faq.html#toolkits
[2] https://www.jwz.org/xscreensaver/toolkits.html

—Tom

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi,

On 23/2/20 23:10, marc wrote:

You should never send an unencrypted password over a shell or pipe.

So in the case of the former (using the shell, via echo or an
environment variable) you are correct. Those show up in process
listings...

I am not so sure about the second part, the bit about not passing
confidential information down a pipe. I am not aware of a third
party being able to see the content of a pipe. If you are worried
about the invoking user seeing the password, bear in mind that on sane
distributions a normal user can strace the xterm in which one
invokes su or sudo. This is not a recommendation to disable
strace, it is a strong recommendation to run your webbrowser
under a different uid - actually I am surprised that distributions
dont have a wrapper which runs a browser as a different uid
but with a shared gid...


i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 
buttons (cancel, ok)
that way it will be the gtk backend to care about X11 or wayland (i suppose...):

...

Why use 2 binaries rather than one, more programs, more code, more 
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the su-only 
route.

If I understand you correctly, you propose a simple gtk
program that is setuid (so that it can read /etc/shadow, and
grant root privileges). The problem is that there is no such
thing as a simple gtk program. This is not comment limited to
gtk programs - most graphical toolkits and libraries present
a pretty large attack surface - they contain large protocol
interpreters and font rendering engines, flaws in which could
then be exploited to give root access without any password
whatsoever.

So invoking su or sudo via a pipe is probably the way to go
after all. Do note that sudo (or su) might not accept input
from a plain pipe - you might have to allocate a pseudotty
via /dev/pts/ptmx, then fork, exec su or sudo in the child
and in the parent write the password down the filedescriptor...

regards

marc


Thanks for your suggestions, Mark. My first draft is a replacement for 
ssh-askpass.


Here you are the sources:

gnuinos.org/gkexec/gkexec.tar.bz2

The usage is similar to ssh-askpass, that is:

$ SUDO_ASKPASS=./gkexec sudo -A synaptic

I'm aware about several system variables playing a role in this issue, 
and i'm lookint at the code of lxqt-sudo.


See the README file.

Cheers,

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi Tito,

On 23/2/20 17:02, Tito via Dng wrote:
Why use 2 binaries rather than one, more programs, more code, more 
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the 
su-only route.
I'll answer to this question in more detail: the requeriment of suid 
privilegies implies an additional (non GUI) binary due to the fact that 
the usage of any GTK suid binary is impossible.

Read here:

http://soc.if.usp.br/manual/libgtk2.0-doc/faq/x392.html

Cheers,

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Tito via Dng]

On 2/23/20 11:10 PM, marc wrote:

You should never send an unencrypted password over a shell or pipe.


So in the case of the former (using the shell, via echo or an
environment variable) you are correct. Those show up in process
listings...

I am not so sure about the second part, the bit about not passing
confidential information down a pipe. I am not aware of a third
party being able to see the content of a pipe. If you are worried
about the invoking user seeing the password, bear in mind that on sane
distributions a normal user can strace the xterm in which one
invokes su or sudo. This is not a recommendation to disable
strace, it is a strong recommendation to run your webbrowser
under a different uid - actually I am surprised that distributions
dont have a wrapper which runs a browser as a different uid
but with a shared gid...


Hi,
I intended | as a pipe, so doing echo something |.



i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 
buttons (cancel, ok)
that way it will be the gtk backend to care about X11 or wayland (i suppose...):

...

Why use 2 binaries rather than one, more programs, more code, more 
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the su-only 
route.


If I understand you correctly, you propose a simple gtk
program that is setuid (so that it can read /etc/shadow, and
grant root privileges). The problem is that there is no such
thing as a simple gtk program. This is not comment limited to
gtk programs - most graphical toolkits and libraries present
a pretty large attack surface - they contain large protocol
interpreters and font rendering engines, flaws in which could
then be exploited to give root access without any password
whatsoever.


Yes, but after having written part of it, it looked to easy
to be true and I started wondering why nobody did it that
way already and so I figured out the reason myself.
I fully agree.


So invoking su or sudo via a pipe is probably the way to go
after all. Do note that sudo (or su) might not accept input
from a plain pipe - you might have to allocate a pseudotty
via /dev/pts/ptmx, then fork, exec su or sudo in the child
and in the parent write the password down the filedescriptor...

regards

marc


Ciao,
Tito



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[marc]

> >>You should never send an unencrypted password over a shell or pipe.

So in the case of the former (using the shell, via echo or an 
environment variable) you are correct. Those show up in process
listings...

I am not so sure about the second part, the bit about not passing
confidential information down a pipe. I am not aware of a third
party being able to see the content of a pipe. If you are worried
about the invoking user seeing the password, bear in mind that on sane
distributions a normal user can strace the xterm in which one 
invokes su or sudo. This is not a recommendation to disable
strace, it is a strong recommendation to run your webbrowser
under a different uid - actually I am surprised that distributions
dont have a wrapper which runs a browser as a different uid
but with a shared gid...

> i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 
> buttons (cancel, ok)
> that way it will be the gtk backend to care about X11 or wayland (i 
> suppose...):
...
> Why use 2 binaries rather than one, more programs, more code, more 
> communication in between them equals to more attack surface.
> I would stay with just one suid binary, more so if you want to go the su-only 
> route.

If I understand you correctly, you propose a simple gtk
program that is setuid (so that it can read /etc/shadow, and
grant root privileges). The problem is that there is no such
thing as a simple gtk program. This is not comment limited to
gtk programs - most graphical toolkits and libraries present
a pretty large attack surface - they contain large protocol
interpreters and font rendering engines, flaws in which could 
then be exploited to give root access without any password 
whatsoever.

So invoking su or sudo via a pipe is probably the way to go
after all. Do note that sudo (or su) might not accept input
from a plain pipe - you might have to allocate a pseudotty
via /dev/pts/ptmx, then fork, exec su or sudo in the child
and in the parent write the password down the filedescriptor...

regards

marc
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi again Tito,

On 23/2/20 17:02, Tito via Dng wrote:

On 2/23/20 4:22 PM, Aitor wrote:

Hi Tito,

On 23/2/20 14:15, Tito via Dng wrote:

On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:
The binary won't be suid, but rather it'll receive the root 
password through the mentioned unix socket using internally (sudo 
| su) afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in 
e.g. /proc?

You should never send an unencrypted password over a shell or pipe.
Usually the password as soon as it is inputted is encrypted with the 
correct cipher
for the system and the buffer is zeroed, then the encrypted password 
is compared
to what is in /etc/shadow or /etc/password or handled in the way is 
deemed fit.
I suggest you to handle the passwords and the command and args to be 
run in your program

This way:
1) password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that 
are run.


Hope this helps.

Ciao,
Tito


Thanks for the info, i know... Some people ripped me to shreds in the 
IRC channel some years ago, when i started working on the backend of 
simple-netaid.


This is only for testing the first part of the project. I have two 
ideas for the second part:


- To have a look at the code of ssh-askpass, suggested by Didier 
Krin, whose dialog frame is useful only for X11 and not for wayland.


Hi,

i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) 
+ 2 buttons (cancel, ok)
that way it will be the gtk backend to care about X11 or wayland (i 
suppose...):


"put into “password mode” using gtk_entry_set_visibility(). In this 
mode, entered text is displayed using
 a “invisible” character. By default, GTK+ picks the best invisible 
character that is available in the current
font, but it can be changed with gtk_entry_set_invisible_char(). Since 
2.16, GTK+ displays a warning when Caps
Lock or input methods might interfere with entering text in a password 
entry.

The warning can be turned off with the “caps-lock-warning” property."

"Note that you probably want to set “input-purpose” to 
GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN
 to inform input methods about the purpose of this entry, in addition 
to setting visibility to FALSE."


On hitting Enter or the OK button this returns a gchar string (typdef 
of char)

that could be fed to:

encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
r = (strcmp(encrypted, pw_pass) == 0);
free(encrypted);
nuke_str(plaintext);
return r;

To see a good example take a look at: busybox/libbb/correct_password.c
This is widely used code and most pitfalls are already handled.


Thanks, i'll have a look at the code. In any case, something like the 
code below would be enough:


setenv("SUDO_ASKPASS", password, 1);
printf("%s\n", password);

The password needs to be printed, otherwise it won't work.

Then, sudo reads the value of the system variable via:

askpass = getenv_unhooked("SUDO_ASKPASS");

and inmediately sudo uses the "unsetenv" fuction in ordeer to reset the 
value. This is exactly how ssh-askpass works.


All that done, the application can be used in the same way suggested by 
Didier, replacing ssh-askpass by our new application.


- To emulate keypress events in C code afterwards, according to the 
received password.


Looks as overcomplex to me but I'm not a guru


Yes, i think so.



On the other hand, what do you think about the suid receiving the 
password through the socket, staying the file descriptor for the 
shortest time? I assume it encrypted.


Why use 2 binaries rather than one, more programs, more code, more 
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the 
su-only route.
After having taken a look at the sudo source code I think it is by far 
more complex than simple su, I personally
would avoid it at all, but this could be added later after having got 
right the simpler su-only case.
I will see if I'm able to cobble toghether a working example code just 
for the fun and to refresh

my C coding skills.


I started using two separate binaries due to the suid permissions. 
Bypassing it, then the use of two binaries has no sense.




Just my 2 cents.

Ciao,
Tito



Thanks a lot!

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Tito via Dng]

On 2/23/20 4:22 PM, Aitor wrote:

Hi Tito,

On 23/2/20 14:15, Tito via Dng wrote:

On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:

The binary won't be suid, but rather it'll receive the root password through 
the mentioned unix socket using internally (sudo | su) afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in e.g. /proc?
You should never send an unencrypted password over a shell or pipe.
Usually the password as soon as it is inputted is encrypted with the correct 
cipher
for the system and the buffer is zeroed, then the encrypted password is compared
to what is in /etc/shadow or /etc/password or handled in the way is deemed fit.
I suggest you to handle the passwords and the command and args to be run in 
your program
This way:
1) password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that are run.

Hope this helps.

Ciao,
Tito


Thanks for the info, i know... Some people ripped me to shreds in the IRC 
channel some years ago, when i started working on the backend of simple-netaid.

This is only for testing the first part of the project. I have two ideas for 
the second part:

- To have a look at the code of ssh-askpass, suggested by Didier Krin, whose 
dialog frame is useful only for X11 and not for wayland.


Hi,

i would use a simple gtk window with a gtkentry (Gtk2 GTK3 compatible) + 2 
buttons (cancel, ok)
that way it will be the gtk backend to care about X11 or wayland (i suppose...):

"put into “password mode” using gtk_entry_set_visibility(). In this mode, 
entered text is displayed using
 a “invisible” character. By default, GTK+ picks the best invisible character 
that is available in the current
font, but it can be changed with gtk_entry_set_invisible_char(). Since 2.16, 
GTK+ displays a warning when Caps
Lock or input methods might interfere with entering text in a password entry.
The warning can be turned off with the “caps-lock-warning” property."

"Note that you probably want to set “input-purpose” to 
GTK_INPUT_PURPOSE_PASSWORD or GTK_INPUT_PURPOSE_PIN
 to inform input methods about the purpose of this entry, in addition to setting 
visibility to FALSE."

On hitting Enter or the OK button this returns a gchar string (typdef of char)
that could be fed to:

encrypted = pw_encrypt(plaintext, /*salt:*/ pw_pass, 1);
r = (strcmp(encrypted, pw_pass) == 0);
free(encrypted);
nuke_str(plaintext);
return r;

To see a good example take a look at: busybox/libbb/correct_password.c
This is widely used code and most pitfalls are already handled.




- To emulate keypress events in C code afterwards, according to the received 
password.


Looks as overcomplex to me but I'm not a guru


On the other hand, what do you think about the suid receiving the password 
through the socket, staying the file descriptor for the shortest time? I assume 
it encrypted.


Why use 2 binaries rather than one, more programs, more code, more 
communication in between them equals to more attack surface.
I would stay with just one suid binary, more so if you want to go the su-only 
route.
After having taken a look at the sudo source code I think it is by far more 
complex than simple su, I personally
would avoid it at all, but this could be added later after having got right the 
simpler su-only case.
I will see if I'm able to cobble toghether a working example code just for the 
fun and to refresh
my C coding skills.

Just my 2 cents.

Ciao,
Tito



Thanks in advance,

Aitor.



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

On 23/2/20 16:22, Aitor wrote:
- To have a look at the code of ssh-askpass, suggested by Didier Krin, 
whose dialog frame is useful only for X11 and not for wayland.


Kryn :)



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi Tito,

On 23/2/20 14:15, Tito via Dng wrote:

On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:
The binary won't be suid, but rather it'll receive the root password 
through the mentioned unix socket using internally (sudo | su) 
afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in e.g. 
/proc?

You should never send an unencrypted password over a shell or pipe.
Usually the password as soon as it is inputted is encrypted with the 
correct cipher
for the system and the buffer is zeroed, then the encrypted password 
is compared
to what is in /etc/shadow or /etc/password or handled in the way is 
deemed fit.
I suggest you to handle the passwords and the command and args to be 
run in your program

This way:
1) password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that are 
run.


Hope this helps.

Ciao,
Tito


Thanks for the info, i know... Some people ripped me to shreds in the 
IRC channel some years ago, when i started working on the backend of 
simple-netaid.


This is only for testing the first part of the project. I have two ideas 
for the second part:


- To have a look at the code of ssh-askpass, suggested by Didier Krin, 
whose dialog frame is useful only for X11 and not for wayland.


- To emulate keypress events in C code afterwards, according to the 
received password.


On the other hand, what do you think about the suid receiving the 
password through the socket, staying the file descriptor for the 
shortest time? I assume it encrypted.


Thanks in advance,

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Tito via Dng]

On 2/23/20 1:54 PM, Aitor wrote:

Hi,

On 23/2/20 13:17, Aitor wrote:

The binary won't be suid, but rather it'll receive the root password through 
the mentioned unix socket using internally (sudo | su) afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


Hi,

this looks dangerous, isn't the password readable unencrypted in e.g. /proc?
You should never send an unencrypted password over a shell or pipe.
Usually the password as soon as it is inputted is encrypted with the correct 
cipher
for the system and the buffer is zeroed, then the encrypted password is compared
to what is in /etc/shadow or /etc/password or handled in the way is deemed fit.
I suggest you to handle the passwords and the command and args to be run in 
your program
This way:
1) password stays unencrypted for the shortest time
2) you have control and you can vet the env, program and args that are run.

Hope this helps.

Ciao,
Tito


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi,

On 23/2/20 13:17, Aitor wrote:
The binary won't be suid, but rather it'll receive the root password 
through the mentioned unix socket using internally (sudo | su) afterwards.


As simple as that:

system( "echo  | sudo -S ");

I tested my first draft and it works. Do it simple, isn't it?

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi Tito,

On 23/2/20 13:19, Tito via Dng wrote:


Hi,

please don't restrict it, make it a universally usable tool.


Ok :)


Why using a socket maybe KISS?
For inspiration you can take a look at:
https://git.busybox.net/busybox/tree/loginutils/su.c
this is tested and widely used code.


Thanks for the info. I'll give it a try.


If you will use C as programming language and you any need help
drop a line.

Ciao,
Tito

BTW: it would be nice if this tool could be compiled
 with gtk2 or gtk3 this would allow more widespread
 adoption
The first code (for testing purposes) will be taken from the frontend of 
simple-netaid -which is developed in gtkmm/C++-,

but i can reverse it to Gtk/C over time.

Cheers,

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi,

On 23/2/20 13:23, Aitor wrote:


Hi Tom,

On 23/2/20 13:21, tom wrote:

What happens when a password isn't need, such as when a sudo policy is
set?


Are you referring to the sudo | su duality?

Aitor.

If so, the application might check the sudo permissions of the current 
user, reading the /etc/groups and /etc/sudoers files.



___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi Tom,

On 23/2/20 13:21, tom wrote:

What happens when a password isn't need, such as when a sudo policy is
set?


Are you referring to the sudo | su duality?

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[tom]

On Sun, 23 Feb 2020 13:17:21 +0100
Aitor  wrote:

> Hi,
> 
> On 23/2/20 12:34, Aitor wrote:
> >
> > Hi Steve,
> >
> > On 21/2/20 21:57, Steve Litt wrote:
> >> Will it work even if I'm not using lxqt? Does it stand alone?
> >>   
> >> SteveT
> > I've just started developing a replacement for gksu in gtk2
> > following the same method used in simple-netaid,
> > that is: a suid binary receiving the password through an unix
> > socket, and the name of the application
> > to be run as an argument in the command line. Since i'm not that 
> > expert on security stuff, maybe i'll
> > restrict this tool only to a few graphical applications like
> > synaptic, bleachbit, gparted, thunar, pcmanfm...
> > Any suggestion for the name of this alternative? What about gkexec?
> >
> > Cheers,
> >
> > Aitor.
> >
> I rectify:
> 
> The binary won't be suid, but rather it'll receive the root password 
> through the mentioned unix socket using internally (sudo | su)
> afterwards.
> 
> Aitor.
> 
> 

What happens when a password isn't need, such as when a sudo policy is
set?

-- 
 ___ 
/ I smell like a wet reducing clinic on \
\ Columbus Day! /
 --- 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Tito via Dng]

On 2/23/20 12:34 PM, Aitor wrote:

Hi Steve,

On 21/2/20 21:57, Steve Litt wrote:

Will it work even if I'm not using lxqt? Does it stand alone?
  
SteveT

I've just started developing a replacement for gksu in gtk2 following the same 
method used in simple-netaid,
that is: a suid binary receiving the password through an unix socket, and the 
name of the application
to be run as an argument in the command line. Since i'm not that expert on 
security stuff, maybe i'll
restrict this tool only to a few graphical applications like synaptic, 
bleachbit, gparted, thunar, pcmanfm...
Any suggestion for the name of this alternative? What about gkexec?

Cheers,

Aitor.



Hi,

please don't restrict it, make it a universally usable tool.
Why using a socket maybe KISS?
For inspiration you can take a look at:
https://git.busybox.net/busybox/tree/loginutils/su.c
this is tested and widely used code.
If you will use C as programming language and you any need help
drop a line.

Ciao,
Tito

BTW: it would be nice if this tool could be compiled
 with gtk2 or gtk3 this would allow more widespread
 adoption.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi,

On 23/2/20 12:34, Aitor wrote:


Hi Steve,

On 21/2/20 21:57, Steve Litt wrote:

Will it work even if I'm not using lxqt? Does it stand alone?
  
SteveT
I've just started developing a replacement for gksu in gtk2 following 
the same method used in simple-netaid,
that is: a suid binary receiving the password through an unix socket, 
and the name of the application
to be run as an argument in the command line. Since i'm not that 
expert on security stuff, maybe i'll
restrict this tool only to a few graphical applications like synaptic, 
bleachbit, gparted, thunar, pcmanfm...

Any suggestion for the name of this alternative? What about gkexec?

Cheers,

Aitor.


I rectify:

The binary won't be suid, but rather it'll receive the root password 
through the mentioned unix socket using internally (sudo | su) afterwards.


Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Aitor]

Hi Steve,

On 21/2/20 21:57, Steve Litt wrote:

Will it work even if I'm not using lxqt? Does it stand alone?
  
SteveT
I've just started developing a replacement for gksu in gtk2 following 
the same method used in simple-netaid,
that is: a suid binary receiving the password through an unix socket, 
and the name of the application
to be run as an argument in the command line. Since i'm not that expert 
on security stuff, maybe i'll
restrict this tool only to a few graphical applications like synaptic, 
bleachbit, gparted, thunar, pcmanfm...

Any suggestion for the name of this alternative? What about gkexec?

Cheers,

Aitor.


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Tito via Dng]

On 2/21/20 10:56 PM, Florian Zieboll wrote:

On Fri, 21 Feb 2020 15:57:42 -0500
Steve Litt  wrote:


On Wed, 19 Feb 2020 01:23:47 -0800
tom  wrote:



Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
https://github.com/lxqt/lxqt-sudo
It works pretty well.


Will it work even if I'm not using lxqt? Does it stand alone?



Not "alone", but quite fine for a GUI - and compared to gksu in a very
different league:

$ apt show lxqt-sudo | grep Depends # beowulf
Depends: libc6 (>= 2.14), liblxqt0 (>= 0.14.1~), libqt5core5a (>=
5.11.0~rc1), libqt5gui5 (>= 5.7.0), libqt5widgets5 (>= 5.0.2),
libstdc++6 (>= 6)

$ apt show gksu | grep Depends  # jessie
Depends: gconf-service, libatk1.0-0 (>= 1.12.4), libc6 (>= 2.4),
libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.11), libfreetype6 (>=
2.2.1), libgconf-2-4 (>= 3.2.5), libgdk-pixbuf2.0-0 (>= 2.22.0),
libgksu2-0 (>= 2.0.8), libglib2.0-0 (>= 2.16.0), libgnome-keyring0 (>=
2.20.3), libgtk2.0-0 (>= 2.8.0), libpango-1.0-0 (>= 1.14.0),
libpangocairo-1.0-0 (>= 1.14.0), libpangoft2-1.0-0 (>= 1.14.0),
libstartup-notification0 (>= 0.2), sudo Conflicts: gnome-sudo (<=
0.3-1.1)


libre Grüße,
Florian


Hi,

I wonder if there is a way to make it intercept the polkit
dbus calls and eventually ask for a password?
Does somthing like: Replaces polkit exist in the
debian packaging voodoo?

Ciao,
Tito

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[tom]

On Wed, 19 Feb 2020 15:17:06 +0100
Tito via Dng  wrote:

> 
> 
> On 2/19/20 10:23 AM, tom wrote:
> > On Wed, 19 Feb 2020 00:35:26 -0800
> > tom  wrote:
> > 
> >> Deprecated gksudo? Well thats pretty dumb. Any particular reason
> >> Devuan doesn't just fish around for the old gksudo git repo and
> >> continue that instead of dealing with this policykit mess of
> >> complexity? You can allow users in your a group for example
> >> 'installers' to run synaptic by editing sudo's config like so:
> >>
> >> %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> >>
> >> This Policykit stuff just seems like completely unneeded and
> >> unstable cruft like systemd or pulseaudio.
> >>
> >> Thank you for clarifying though. I'm going to see about getting it
> >> working on Gentoo since I have more experience with ebuilds than I
> >> do with Debian packaging currently.
> >>
> >>
> >>
> > 
> > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > https://github.com/lxqt/lxqt-sudo
> > It works pretty well.
> > 
> Hi,
> 
> this one is nice! but it solves only partially the problem
> of eventually removing policykit because most packages
> like for example synaptic or network-manager have a
> dependency on polkit or on libpolkit-gobject-1.
> Replacing pkexec could be easily done with a wrapper
> calling lxqt-sudo, but I cannot imagine what
> debian packaging voodoo would be needed to
> remove polkit, but for sure a lot of work.
> It is hard to weed out over-complexity once
> it slipped in.
> 
> Ciao,
> Tito
> 
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

If someone had some time they could patch synaptic to remove any pkexec
stuff. But a quick and dirty hack would be to simply modify the
XDG .desktop file and prepend lxsudo to the command line. Here is an
example I did for Zenmap: https://0x0.st/iZpe.png

[Desktop Entry]
Name=Zenmap (as root)
GenericName=GUI Port Scanner
TryExec=/usr/share/zenmap/su-to-zenmap.sh
Exec=lxsudo zenmap
Terminal=false
Icon=/usr/share/zenmap/pixmaps/zenmap.png
Type=Application
Categories=Network;System;Security;
Comment=A cross-platform GUI for the Nmap Security Scanner.
Keywords=network;scan;scanner;IP;security;
Path=
StartupNotify=false

It should also be noted the Zenmap already came with a decent script to
do this, but for my purposes this simple hack worked well enough. I
didn't like the jarring visual discontinuity of xterm. I also would
rather use sudo than su based tools since sudo can have finer grained
polices set

-- 
  
/ Maternity pay? Now every Tom, Dick and \
| Harry will get pregnant.   |
||
\ -- Malcolm Smith   /
  
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Florian Zieboll]

On Fri, 21 Feb 2020 15:57:42 -0500
Steve Litt  wrote:

> On Wed, 19 Feb 2020 01:23:47 -0800
> tom  wrote:
> 
> > 
> > Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> > https://github.com/lxqt/lxqt-sudo
> > It works pretty well.
> 
> Will it work even if I'm not using lxqt? Does it stand alone?


Not "alone", but quite fine for a GUI - and compared to gksu in a very
different league:

$ apt show lxqt-sudo | grep Depends # beowulf
Depends: libc6 (>= 2.14), liblxqt0 (>= 0.14.1~), libqt5core5a (>=
5.11.0~rc1), libqt5gui5 (>= 5.7.0), libqt5widgets5 (>= 5.0.2),
libstdc++6 (>= 6)

$ apt show gksu | grep Depends  # jessie
Depends: gconf-service, libatk1.0-0 (>= 1.12.4), libc6 (>= 2.4),
libcairo2 (>= 1.2.4), libfontconfig1 (>= 2.11), libfreetype6 (>=
2.2.1), libgconf-2-4 (>= 3.2.5), libgdk-pixbuf2.0-0 (>= 2.22.0),
libgksu2-0 (>= 2.0.8), libglib2.0-0 (>= 2.16.0), libgnome-keyring0 (>=
2.20.3), libgtk2.0-0 (>= 2.8.0), libpango-1.0-0 (>= 1.14.0),
libpangocairo-1.0-0 (>= 1.14.0), libpangoft2-1.0-0 (>= 1.14.0),
libstartup-notification0 (>= 0.2), sudo Conflicts: gnome-sudo (<=
0.3-1.1)


libre Grüße,
Florian
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Steve Litt]

On Wed, 19 Feb 2020 01:23:47 -0800
tom  wrote:

> On Wed, 19 Feb 2020 00:35:26 -0800
> tom  wrote:
> 
> > Deprecated gksudo? Well thats pretty dumb. Any particular reason
> > Devuan doesn't just fish around for the old gksudo git repo and
> > continue that instead of dealing with this policykit mess of
> > complexity? You can allow users in your a group for example
> > 'installers' to run synaptic by editing sudo's config like so:
> > 
> > %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> > 
> > This Policykit stuff just seems like completely unneeded and
> > unstable cruft like systemd or pulseaudio.
> > 
> > Thank you for clarifying though. I'm going to see about getting it
> > working on Gentoo since I have more experience with ebuilds than I
> > do with Debian packaging currently.
> > 
> > 
> >   
> 
> Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
> https://github.com/lxqt/lxqt-sudo
> It works pretty well.

Will it work even if I'm not using lxqt? Does it stand alone?
 
SteveT

Steve Litt 
February 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[Tito via Dng]

On 2/19/20 10:23 AM, tom wrote:

On Wed, 19 Feb 2020 00:35:26 -0800
tom  wrote:


Deprecated gksudo? Well thats pretty dumb. Any particular reason
Devuan doesn't just fish around for the old gksudo git repo and
continue that instead of dealing with this policykit mess of
complexity? You can allow users in your a group for example
'installers' to run synaptic by editing sudo's config like so:

%installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic

This Policykit stuff just seems like completely unneeded and unstable
cruft like systemd or pulseaudio.

Thank you for clarifying though. I'm going to see about getting it
working on Gentoo since I have more experience with ebuilds than I do
with Debian packaging currently.





Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
https://github.com/lxqt/lxqt-sudo
It works pretty well.


Hi,

this one is nice! but it solves only partially the problem
of eventually removing policykit because most packages
like for example synaptic or network-manager have a
dependency on polkit or on libpolkit-gobject-1.
Replacing pkexec could be easily done with a wrapper
calling lxqt-sudo, but I cannot imagine what
debian packaging voodoo would be needed to
remove polkit, but for sure a lot of work.
It is hard to weed out over-complexity once
it slipped in.

Ciao,
Tito

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? dropin replacement

[tom]

On Wed, 19 Feb 2020 00:35:26 -0800
tom  wrote:

> Deprecated gksudo? Well thats pretty dumb. Any particular reason
> Devuan doesn't just fish around for the old gksudo git repo and
> continue that instead of dealing with this policykit mess of
> complexity? You can allow users in your a group for example
> 'installers' to run synaptic by editing sudo's config like so:
> 
> %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> 
> This Policykit stuff just seems like completely unneeded and unstable
> cruft like systemd or pulseaudio.
> 
> Thank you for clarifying though. I'm going to see about getting it
> working on Gentoo since I have more experience with ebuilds than I do
> with Debian packaging currently.
> 
> 
> 

Just found a drop-in replacement for gksudo. It's called lxqt-sudo.
https://github.com/lxqt/lxqt-sudo
It works pretty well.

-- 
 _ 
/ We're Knights of the Round Table We \
| dance whene'er we're able We do |
| routines and chorus scenes We're|
| knights of the Round Table With |
| footwork impeccable Our shows are   |
| formidable We dine well here in Camelot |
| But many times We eat ham and jam and   |
| Spam a lot. We're given rhymes  |
| |
| That are quite unsingable In war we're  |
| tough and able, We're opera mad in  |
| Camelot Quite indefatigable We sing |
| from the diaphragm a lot. Between our   |
| quests We sequin vests And impersonate  |
| Clark Gable It's a busy life in |
| Camelot. I have to push the pram a lot. |
| |
\ -- Monty Python /
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? bring back gksudo

[tom]

On Wed, 19 Feb 2020 00:35:26 -0800
tom  wrote:

> Deprecated gksudo? Well thats pretty dumb. Any particular reason
> Devuan doesn't just fish around for the old gksudo git repo and
> continue that instead of dealing with this policykit mess of
> complexity? You can allow users in your a group for example
> 'installers' to run synaptic by editing sudo's config like so:
> 
> %installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> 
> This Policykit stuff just seems like completely unneeded and unstable
> cruft like systemd or pulseaudio.
> 
> Thank you for clarifying though. I'm going to see about getting it
> working on Gentoo since I have more experience with ebuilds than I do
> with Debian packaging currently.
> 
> 
> 

Oh, I just remembered. This would also be a very clean fix for being
about to shutdown and reboot in XFCE. using gksudo to ask sudo if the
user is allowed to manage the system's power state instead of policykit.

-- 
  
/ "You can't teach seven foot." -- Frank \
| Layton, Utah Jazz basketball coach,|
| when asked why he had recruited|
||
\ a seven-foot tall auto mechanic/
  
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed? bring back gksudo

[tom]

Deprecated gksudo? Well thats pretty dumb. Any particular reason Devuan
doesn't just fish around for the old gksudo git repo and continue that
instead of dealing with this policykit mess of complexity? You can
allow users in your a group for example 'installers' to run synaptic by
editing sudo's config like so:

%installers ALL=(ALL) NOPASSWD: /usr/sbin/synaptic

This Policykit stuff just seems like completely unneeded and unstable
cruft like systemd or pulseaudio.

Thank you for clarifying though. I'm going to see about getting it
working on Gentoo since I have more experience with ebuilds than I do
with Debian packaging currently.



-- 
  
/ "You can't teach seven foot." -- Frank \
| Layton, Utah Jazz basketball coach,|
| when asked why he had recruited|
||
\ a seven-foot tall auto mechanic/
  
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 14/02/2020 à 14:12, Didier Kryn a écrit :

    I've found a solution on the web:

    Just 'su' - or 'sudo -u root bash -l' then

xauth add $(xauth -f ~/.Xauthority list | tail -1) # where 
 is your username.


Then you can launch an application with a GUI. 



    Hey. Here is a method to do it all automatically:

Edit /etc/sudoers:

*** WARNING for people not used to editing the sudoers file

Don't edit directly /etc/sudoers; instead invoke visudo (and RTFM for 
sudo, sudoers and visudo)


*** END OF WARNING

The goal is to add the following lines to sudoers:

Defaults env_keep = "EDITOR XAUTHORITY DISPLAY"
Defaults editor = /usr/bin/emacs:/usr/bin/vi:/bin/nano

Explanation:

    The variables listed in Defaults env_keep are preserved by sudo; 
XAUTHORITY and DISPLAY are used to forward your X session. EDITOR is 
usefull if you now want to invoke visudo without prior becoming root: 
edit your .bashrc (or the like) to set EDITOR to your preferred editor; 
tjhen, from your next session, you can run "sudo visudo".


    The second line is for security, ie make sure the application you 
pass as EDITOR is a valid editor and not a security exploit.


    For example my own EDITOR is set to 'emacs -nw'

    Then, from your session, you can run 'sudo synaptic'

    Beware, if you want to run 'sudo synaptic' by clicking on a 
.desktop icon, specify that you want to run it in a terminal, because 
sudo will need it to ask your password.


    Didier


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 14/02/2020 à 22:01, Rick Moen a écrit :

Quoting Didier Kryn (k...@in2p3.fr):


AFAIR sudo does not transmit the X session. I heard years ago
of something called sudox. Dunno if it is available somewhere. I
dislike pkexec [...]

You're a man of wise instincts, Didier.  ;->


    Thanks :~) This is because the policykit paradigm conflicts with 
traditional Unix.


    Unix has built-in means of authentication which are perfectly 
adequate. Nevertheless, the policykit machinery bypasses them to 
introduce its own methods, aledgedly to make it easier.


    Making day life easier is the usual way for dangerous technologies 
to get accepted. Eg facial recognition allows people to withdraw money 
from cash machines without a credit card, but it also allows global 
surveillance.


    Similarly, and more globally, Systemd is a big parasite making 
Linux behave differently of what it does natively. This is not a 
byproduct, this is the goal.





Here's a Linuxmafia.com Knowledgebase article I try to bring up to date
every couple of years:

'Root w/X11' onhttp://linuxmafia.com/kb/Security/  
(direct linkhttp://linuxmafia.com/faq/Security/root-with-x11.html).


I'm_personally_  a long-term fan of the first option mentioned which is:

   "ssh -Y root@localhost" (requires local sshd)


    I retain from the link above the simple solution which is to add 
these lines into root 's .bashrc:


if [ ! "$LOGNAME" = "root" ]; then
export XAUTHORITY=/home/$LOGNAME/.Xauthority
fi

    The only defect of this solution is that it doesn't come out of the 
box or by installing a package; instead it is an active hack by the admin.


    Didier


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Rick Moen]

Quoting Dr. Nikolaus Klepp (dr.kl...@gmx.at):

> There was a "sux" on ascii (or was it lenny?), that did thi thing for
> su. Pity, it's gone.

It is, however, an extremely simple shell wrapper around su.
http://fgouget.free.fr/sux/sux
http://fgouget.free.fr/sux/sux-readme.shtml

-- 
Cheers, "Why doesn't anyone invite copyeditors to parties,
Rick Moen   when we're such cool people out with whom to hang?"
r...@linuxmafia.com-- @laureneoneal (Lauren O'Neal)
McQ! (4x80)
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Rick Moen]

Quoting Didier Kryn (k...@in2p3.fr):

> AFAIR sudo does not transmit the X session. I heard years ago
> of something called sudox. Dunno if it is available somewhere. I
> dislike pkexec [...]

You're a man of wise instincts, Didier.  ;->


Here's a Linuxmafia.com Knowledgebase article I try to bring up to date
every couple of years:

'Root w/X11' on http://linuxmafia.com/kb/Security/ 
(direct link http://linuxmafia.com/faq/Security/root-with-x11.html).

I'm _personally_ a long-term fan of the first option mentioned which is:

  "ssh -Y root@localhost" (requires local sshd)

There are good marketing reasons that desktop-oriented Linux distributions
don't even consider recommending that to the masses, but that doesn't
make any difference to my own solution-finding processes, and it's a
nicely Unix-ey solution to the problem posed.

Distros might do well to look at some of the other options I list, such
as ktsuss ("keep the su simple, stupid").

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[aitor]

Hi,

En 14 de febrero de 2020 14:15:05 Didier Kryn  escribió:


Le 14/02/2020 à 13:14, Tito via Dng a écrit :



Hi,
did you try?


Yes I did :~)


Thanks a lot, i'll aply this method to my popupmenu.

Aitor





___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng



Enviado con AquaMail para Android
https://www.mobisystems.com/aqua-mail


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 14/02/2020 à 13:14, Tito via Dng a écrit :


Hi,
did you try? 


    Yes I did :~)

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 14/02/2020 à 12:29, Dr. Nikolaus Klepp a écrit :

Anno domini 2020 Fri, 14 Feb 11:30:03 +0100
  Didier Kryn scripsit:

Le 14/02/2020 à 08:24, Tito via Dng a écrit :

On 2/14/20 3:37 AM, Ozi Traveller via Dng wrote:

Does this help? You've probably seen this already.

https://mike632t.wordpress.com/2019/11/17/gksu-is-dead-long-live-pkexec/

https://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html

On Fri, Feb 14, 2020 at 12:28 PM Gastón via Dng mailto:dng@lists.dyne.org>> wrote:

     On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
  > On Thu, 9 Jan 2020 16:50:15 +
  > Mark Hindley mailto:m...@hindley.org.uk>> wrote:
  >
  > > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely
via Dng
  > > wrote:
  > > > Hi,
  > > >
  > > > is there a recommended GUI package browser for Devuan?
  > > >
  > > > After migrating, synaptic isn't installed. If I try to
install it,
  > > > it says it needs policykit-1.  Since the latter seems to
be akin to
  > > > systemd, I reply 'n'.
  > >
  > > I really don't think that is true. There is no direct
relationship
  > > between policykit-1 and systemd. And our policykit works
with either
  > > elogind or consolekit, so you have options.
  > >
  > > If you want a integrated gui desktop that allows you to do
privileged
  > > things like install packages, you will need policykit-1 or
something
  > > similar.
  > >
  > > Alternatively, use apt or aptitude from the commandline.
  > >
  > > Mark
  > > ___
  > > Dng mailing list
  > > Dng@lists.dyne.org 
  > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
  >
  > Sorry, can you explain why exactly polkit is needed here? What
is wrong
  > with what everyone was doing before polkit which was gksu or
gksudo?
  >
     gksu is no longer available from Beowulf. Now, apparently, you
have to
     use: pkexec

     I'm in touch with the GNU/EterTics developer and he's having trouble
     running d-i from Live Mode on a beta version with Beowulf he's
testing.

     He used to launch the d-i from Live mode using this command:
     `su-tu-root-X-c /usr/sbin/debian-installer-launcher`, but
su-tu-root is
     no longer available.

     When he wants to launch the d-i from Live mode using this command:
     `pkexec /usr/sbin/debian-installer-launcher` , the installer does
not
     start in GUI mode.

     Yesterday we tried several alternatives, like this one, but without
     success:

     We tried running it this way:
     `pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
     /usr/sbin/debian-installer-launcher` , with this it tries to open a
     window, but closes immediately.

     We couldn't get pkexec to run the d-I in GUI mode from live-version.
     Nor is there much documentation about its use available.

     Has anyone been through this using pkexec?




Hi,
you can try with sudo I tested it with synaptic and it seems to work:

1) add the live-mode user to /etc/sudoers with the nopasswd directive
    for the needed command e.g.:
    live-user ALL=(ALL) NOPASSWD: /usr/sbin/synaptic

2) run sudo synaptic from a commandline in the live session
    or add it to a panel launcher (works in xfce)
    or edit a .desktop file


      Hi.

      AFAIR sudo does not transmit the X session. I heard years ago of
something called sudox. Dunno if it is available somewhere. I dislike
pkexec - just because of polkit - and used to use gksu or gksudo to run
synaptic. One can also fall back to 'ssh -X root@localhost synaptic' but
you must configure your ssh server to allow X sessions on root when
connection is on localhost.

There was a "sux" on ascii (or was it lenny?), that did thi thing for su. 
Pitty, it's gone.

Nik


      Didier

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng





    I've found a solution on the web:

    Just 'su' - or 'sudo -u root bash -l' then

xauth add $(xauth -f ~/.Xauthority list | tail -1) # where  
is your username.


Then you can launch an application with a GUI.

    There must be ways to automate this.

    Didier


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Tito via Dng]

On 2/14/20 11:30 AM, Didier Kryn wrote:

Le 14/02/2020 à 08:24, Tito via Dng a écrit :

On 2/14/20 3:37 AM, Ozi Traveller via Dng wrote:

Does this help? You've probably seen this already.

https://mike632t.wordpress.com/2019/11/17/gksu-is-dead-long-live-pkexec/

https://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html

On Fri, Feb 14, 2020 at 12:28 PM Gastón via Dng mailto:dng@lists.dyne.org>> wrote:

    On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
 > On Thu, 9 Jan 2020 16:50:15 +
 > Mark Hindley mailto:m...@hindley.org.uk>> wrote:
 >
 > > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely via Dng
 > > wrote:
 > > > Hi,
 > > >
 > > > is there a recommended GUI package browser for Devuan?
 > > >
 > > > After migrating, synaptic isn't installed. If I try to install it,
 > > > it says it needs policykit-1.  Since the latter seems to be akin to
 > > > systemd, I reply 'n'.
 > >
 > > I really don't think that is true. There is no direct relationship
 > > between policykit-1 and systemd. And our policykit works with either
 > > elogind or consolekit, so you have options.
 > >
 > > If you want a integrated gui desktop that allows you to do privileged
 > > things like install packages, you will need policykit-1 or something
 > > similar.
 > >
 > > Alternatively, use apt or aptitude from the commandline.
 > >
 > > Mark
 > > ___
 > > Dng mailing list
 > > Dng@lists.dyne.org 
 > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
 >
 > Sorry, can you explain why exactly polkit is needed here? What is wrong
 > with what everyone was doing before polkit which was gksu or gksudo?
 >
    gksu is no longer available from Beowulf. Now, apparently, you have to
    use: pkexec

    I'm in touch with the GNU/EterTics developer and he's having trouble
    running d-i from Live Mode on a beta version with Beowulf he's testing.

    He used to launch the d-i from Live mode using this command:
    `su-tu-root-X-c /usr/sbin/debian-installer-launcher`, but su-tu-root is
    no longer available.

    When he wants to launch the d-i from Live mode using this command:
    `pkexec /usr/sbin/debian-installer-launcher` , the installer does not
    start in GUI mode.

    Yesterday we tried several alternatives, like this one, but without
    success:

    We tried running it this way:
    `pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
    /usr/sbin/debian-installer-launcher` , with this it tries to open a
    window, but closes immediately.

    We couldn't get pkexec to run the d-I in GUI mode from live-version.
    Nor is there much documentation about its use available.

    Has anyone been through this using pkexec?





Hi,
you can try with sudo I tested it with synaptic and it seems to work:

1) add the live-mode user to /etc/sudoers with the nopasswd directive
   for the needed command e.g.:
   live-user ALL=(ALL) NOPASSWD: /usr/sbin/synaptic

2) run sudo synaptic from a commandline in the live session
   or add it to a panel launcher (works in xfce)
   or edit a .desktop file



     Hi.

     AFAIR sudo does not transmit the X session. I heard years ago of something 
called sudox. Dunno if it is available somewhere. I dislike pkexec - just 
because of polkit - and used to use gksu or gksudo to run synaptic. One can 
also fall back to 'ssh -X root@localhost synaptic' but you must configure your 
ssh server to allow X sessions on root when connection is on localhost.

     Didier



Hi,
did you try?

Ciao,
Tito

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Dr. Nikolaus Klepp]

Anno domini 2020 Fri, 14 Feb 11:30:03 +0100
 Didier Kryn scripsit:
> Le 14/02/2020 à 08:24, Tito via Dng a écrit :
> > On 2/14/20 3:37 AM, Ozi Traveller via Dng wrote:
> >> Does this help? You've probably seen this already.
> >>
> >> https://mike632t.wordpress.com/2019/11/17/gksu-is-dead-long-live-pkexec/
> >>
> >> https://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html
> >>
> >> On Fri, Feb 14, 2020 at 12:28 PM Gastón via Dng  >> > wrote:
> >>
> >>     On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
> >>  > On Thu, 9 Jan 2020 16:50:15 +
> >>  > Mark Hindley  >> > wrote:
> >>  >
> >>  > > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely 
> >> via Dng
> >>  > > wrote:
> >>  > > > Hi,
> >>  > > >
> >>  > > > is there a recommended GUI package browser for Devuan?
> >>  > > >
> >>  > > > After migrating, synaptic isn't installed. If I try to 
> >> install it,
> >>  > > > it says it needs policykit-1.  Since the latter seems to 
> >> be akin to
> >>  > > > systemd, I reply 'n'.
> >>  > >
> >>  > > I really don't think that is true. There is no direct 
> >> relationship
> >>  > > between policykit-1 and systemd. And our policykit works 
> >> with either
> >>  > > elogind or consolekit, so you have options.
> >>  > >
> >>  > > If you want a integrated gui desktop that allows you to do 
> >> privileged
> >>  > > things like install packages, you will need policykit-1 or 
> >> something
> >>  > > similar.
> >>  > >
> >>  > > Alternatively, use apt or aptitude from the commandline.
> >>  > >
> >>  > > Mark
> >>  > > ___
> >>  > > Dng mailing list
> >>  > > Dng@lists.dyne.org 
> >>  > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> >>  >
> >>  > Sorry, can you explain why exactly polkit is needed here? What 
> >> is wrong
> >>  > with what everyone was doing before polkit which was gksu or 
> >> gksudo?
> >>  >
> >>     gksu is no longer available from Beowulf. Now, apparently, you 
> >> have to
> >>     use: pkexec
> >>
> >>     I'm in touch with the GNU/EterTics developer and he's having trouble
> >>     running d-i from Live Mode on a beta version with Beowulf he's 
> >> testing.
> >>
> >>     He used to launch the d-i from Live mode using this command:
> >>     `su-tu-root-X-c /usr/sbin/debian-installer-launcher`, but 
> >> su-tu-root is
> >>     no longer available.
> >>
> >>     When he wants to launch the d-i from Live mode using this command:
> >>     `pkexec /usr/sbin/debian-installer-launcher` , the installer does 
> >> not
> >>     start in GUI mode.
> >>
> >>     Yesterday we tried several alternatives, like this one, but without
> >>     success:
> >>
> >>     We tried running it this way:
> >>     `pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
> >>     /usr/sbin/debian-installer-launcher` , with this it tries to open a
> >>     window, but closes immediately.
> >>
> >>     We couldn't get pkexec to run the d-I in GUI mode from live-version.
> >>     Nor is there much documentation about its use available.
> >>
> >>     Has anyone been through this using pkexec?
> >>
> >>
> >>
> >
> > Hi,
> > you can try with sudo I tested it with synaptic and it seems to work:
> >
> > 1) add the live-mode user to /etc/sudoers with the nopasswd directive
> >    for the needed command e.g.:
> >    live-user ALL=(ALL) NOPASSWD: /usr/sbin/synaptic
> >
> > 2) run sudo synaptic from a commandline in the live session
> >    or add it to a panel launcher (works in xfce)
> >    or edit a .desktop file
> 
> 
>      Hi.
> 
>      AFAIR sudo does not transmit the X session. I heard years ago of 
> something called sudox. Dunno if it is available somewhere. I dislike 
> pkexec - just because of polkit - and used to use gksu or gksudo to run 
> synaptic. One can also fall back to 'ssh -X root@localhost synaptic' but 
> you must configure your ssh server to allow X sessions on root when 
> connection is on localhost.

There was a "sux" on ascii (or was it lenny?), that did thi thing for su. 
Pitty, it's gone.

Nik

> 
>      Didier
> 
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> 



-- 
Please do not email me anything that you are not comfortable also sharing with 
the NSA, CIA ...
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Didier Kryn]

Le 14/02/2020 à 08:24, Tito via Dng a écrit :

On 2/14/20 3:37 AM, Ozi Traveller via Dng wrote:

Does this help? You've probably seen this already.

https://mike632t.wordpress.com/2019/11/17/gksu-is-dead-long-live-pkexec/

https://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html

On Fri, Feb 14, 2020 at 12:28 PM Gastón via Dng > wrote:


    On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
 > On Thu, 9 Jan 2020 16:50:15 +
 > Mark Hindley > wrote:

 >
 > > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely 
via Dng

 > > wrote:
 > > > Hi,
 > > >
 > > > is there a recommended GUI package browser for Devuan?
 > > >
 > > > After migrating, synaptic isn't installed. If I try to 
install it,
 > > > it says it needs policykit-1.  Since the latter seems to 
be akin to

 > > > systemd, I reply 'n'.
 > >
 > > I really don't think that is true. There is no direct 
relationship
 > > between policykit-1 and systemd. And our policykit works 
with either

 > > elogind or consolekit, so you have options.
 > >
 > > If you want a integrated gui desktop that allows you to do 
privileged
 > > things like install packages, you will need policykit-1 or 
something

 > > similar.
 > >
 > > Alternatively, use apt or aptitude from the commandline.
 > >
 > > Mark
 > > ___
 > > Dng mailing list
 > > Dng@lists.dyne.org 
 > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
 >
 > Sorry, can you explain why exactly polkit is needed here? What 
is wrong
 > with what everyone was doing before polkit which was gksu or 
gksudo?

 >
    gksu is no longer available from Beowulf. Now, apparently, you 
have to

    use: pkexec

    I'm in touch with the GNU/EterTics developer and he's having trouble
    running d-i from Live Mode on a beta version with Beowulf he's 
testing.


    He used to launch the d-i from Live mode using this command:
    `su-tu-root-X-c /usr/sbin/debian-installer-launcher`, but 
su-tu-root is

    no longer available.

    When he wants to launch the d-i from Live mode using this command:
    `pkexec /usr/sbin/debian-installer-launcher` , the installer does 
not

    start in GUI mode.

    Yesterday we tried several alternatives, like this one, but without
    success:

    We tried running it this way:
    `pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
    /usr/sbin/debian-installer-launcher` , with this it tries to open a
    window, but closes immediately.

    We couldn't get pkexec to run the d-I in GUI mode from live-version.
    Nor is there much documentation about its use available.

    Has anyone been through this using pkexec?





Hi,
you can try with sudo I tested it with synaptic and it seems to work:

1) add the live-mode user to /etc/sudoers with the nopasswd directive
   for the needed command e.g.:
   live-user ALL=(ALL) NOPASSWD: /usr/sbin/synaptic

2) run sudo synaptic from a commandline in the live session
   or add it to a panel launcher (works in xfce)
   or edit a .desktop file



    Hi.

    AFAIR sudo does not transmit the X session. I heard years ago of 
something called sudox. Dunno if it is available somewhere. I dislike 
pkexec - just because of polkit - and used to use gksu or gksudo to run 
synaptic. One can also fall back to 'ssh -X root@localhost synaptic' but 
you must configure your ssh server to allow X sessions on root when 
connection is on localhost.


    Didier

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Tito via Dng]

On 2/14/20 3:37 AM, Ozi Traveller via Dng wrote:

Does this help? You've probably seen this already.

https://mike632t.wordpress.com/2019/11/17/gksu-is-dead-long-live-pkexec/

https://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html

On Fri, Feb 14, 2020 at 12:28 PM Gastón via Dng mailto:dng@lists.dyne.org>> wrote:

On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
 > On Thu, 9 Jan 2020 16:50:15 +
 > Mark Hindley mailto:m...@hindley.org.uk>> wrote:
 >
 > > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely via Dng
 > > wrote:
 > > > Hi,
 > > >
 > > > is there a recommended GUI package browser for Devuan?
 > > >
 > > > After migrating, synaptic isn't installed.  If I try to install it,
 > > > it says it needs policykit-1.  Since the latter seems to be akin to
 > > > systemd, I reply 'n'.
 > >
 > > I really don't think that is true. There is no direct relationship
 > > between policykit-1 and systemd. And our policykit works with either
 > > elogind or consolekit, so you have options.
 > >
 > > If you want a integrated gui desktop that allows you to do privileged
 > > things like install packages, you will need policykit-1 or something
 > > similar.
 > >
 > > Alternatively, use apt or aptitude from the commandline.
 > >
 > > Mark
 > > ___
 > > Dng mailing list
 > > Dng@lists.dyne.org 
 > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
 >
 > Sorry, can you explain why exactly polkit is needed here? What is wrong
 > with what everyone was doing before polkit which was gksu or gksudo?
 >
gksu is no longer available from Beowulf. Now, apparently, you have to
use: pkexec

I'm in touch with the GNU/EterTics developer and he's having trouble
running d-i from Live Mode on a beta version with Beowulf he's testing.

He used to launch the d-i from Live mode using this command:
`su-tu-root-X-c /usr/sbin/debian-installer-launcher`, but su-tu-root is
no longer available.

When he wants to launch the d-i from Live mode using this command:
`pkexec /usr/sbin/debian-installer-launcher` , the installer does not
start in GUI mode.

Yesterday we tried several alternatives, like this one, but without
success:

We tried running it this way:
`pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
/usr/sbin/debian-installer-launcher` , with this it tries to open a
window, but closes immediately.

We couldn't get pkexec to run the d-I in GUI mode from live-version.
Nor is there much documentation about its use available.

Has anyone been through this using pkexec?





Hi,
you can try with sudo I tested it with synaptic and it seems to work:

1) add the live-mode user to /etc/sudoers with the nopasswd directive
   for the needed command e.g.:
   live-user ALL=(ALL) NOPASSWD: /usr/sbin/synaptic

2) run sudo synaptic from a commandline in the live session
   or add it to a panel launcher (works in xfce)
   or edit a .desktop file

Hope this helps.

Ciao,
Tito

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Ozi Traveller via Dng]

Does this help? You've probably seen this already.

https://mike632t.wordpress.com/2019/11/17/gksu-is-dead-long-live-pkexec/

https://www.freedesktop.org/software/polkit/docs/0.105/pkexec.1.html

On Fri, Feb 14, 2020 at 12:28 PM Gastón via Dng  wrote:

> On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
> > On Thu, 9 Jan 2020 16:50:15 +
> > Mark Hindley  wrote:
> >
> > > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely via Dng
> > > wrote:
> > > > Hi,
> > > >
> > > > is there a recommended GUI package browser for Devuan?
> > > >
> > > > After migrating, synaptic isn't installed.  If I try to install it,
> > > > it says it needs policykit-1.  Since the latter seems to be akin to
> > > > systemd, I reply 'n'.
> > >
> > > I really don't think that is true. There is no direct relationship
> > > between policykit-1 and systemd. And our policykit works with either
> > > elogind or consolekit, so you have options.
> > >
> > > If you want a integrated gui desktop that allows you to do privileged
> > > things like install packages, you will need policykit-1 or something
> > > similar.
> > >
> > > Alternatively, use apt or aptitude from the commandline.
> > >
> > > Mark
> > > ___
> > > Dng mailing list
> > > Dng@lists.dyne.org
> > > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> >
> > Sorry, can you explain why exactly polkit is needed here? What is wrong
> > with what everyone was doing before polkit which was gksu or gksudo?
> >
> gksu is no longer available from Beowulf. Now, apparently, you have to
> use: pkexec
>
> I'm in touch with the GNU/EterTics developer and he's having trouble
> running d-i from Live Mode on a beta version with Beowulf he's testing.
>
> He used to launch the d-i from Live mode using this command:
> `su-tu-root-X-c /usr/sbin/debian-installer-launcher`, but su-tu-root is
> no longer available.
>
> When he wants to launch the d-i from Live mode using this command:
> `pkexec /usr/sbin/debian-installer-launcher` , the installer does not
> start in GUI mode.
>
> Yesterday we tried several alternatives, like this one, but without
> success:
>
> We tried running it this way:
> `pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
> /usr/sbin/debian-installer-launcher` , with this it tries to open a
> window, but closes immediately.
>
> We couldn't get pkexec to run the d-I in GUI mode from live-version.
> Nor is there much documentation about its use available.
>
> Has anyone been through this using pkexec?
>
>
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[Gastón via Dng]

On Thu, Feb 13, 2020 at 03:16:58PM -0800, tom wrote:
> On Thu, 9 Jan 2020 16:50:15 +
> Mark Hindley  wrote:
> 
> > On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely via Dng
> > wrote:
> > > Hi,
> > > 
> > > is there a recommended GUI package browser for Devuan?
> > > 
> > > After migrating, synaptic isn't installed.  If I try to install it,
> > > it says it needs policykit-1.  Since the latter seems to be akin to
> > > systemd, I reply 'n'.
> > 
> > I really don't think that is true. There is no direct relationship
> > between policykit-1 and systemd. And our policykit works with either
> > elogind or consolekit, so you have options.
> > 
> > If you want a integrated gui desktop that allows you to do privileged
> > things like install packages, you will need policykit-1 or something
> > similar.
> > 
> > Alternatively, use apt or aptitude from the commandline.
> > 
> > Mark
> > ___
> > Dng mailing list
> > Dng@lists.dyne.org
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> 
> Sorry, can you explain why exactly polkit is needed here? What is wrong
> with what everyone was doing before polkit which was gksu or gksudo?
> 
gksu is no longer available from Beowulf. Now, apparently, you have to
use: pkexec

I'm in touch with the GNU/EterTics developer and he's having trouble
running d-i from Live Mode on a beta version with Beowulf he's testing.

He used to launch the d-i from Live mode using this command:
`su-tu-root-X-c /usr/sbin/debian-installer-launcher`, but su-tu-root is
no longer available.

When he wants to launch the d-i from Live mode using this command:
`pkexec /usr/sbin/debian-installer-launcher` , the installer does not
start in GUI mode.

Yesterday we tried several alternatives, like this one, but without
success:

We tried running it this way: 
`pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY
/usr/sbin/debian-installer-launcher` , with this it tries to open a
window, but closes immediately. 

We couldn't get pkexec to run the d-I in GUI mode from live-version. 
Nor is there much documentation about its use available.

Has anyone been through this using pkexec?


___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Re: [DNG] why is polkit needed?

[tom]

On Thu, 9 Jan 2020 16:50:15 +
Mark Hindley  wrote:

> On Thu, Jan 09, 2020 at 05:44:17PM +0100, Alessandro Vesely via Dng
> wrote:
> > Hi,
> > 
> > is there a recommended GUI package browser for Devuan?
> > 
> > After migrating, synaptic isn't installed.  If I try to install it,
> > it says it needs policykit-1.  Since the latter seems to be akin to
> > systemd, I reply 'n'.
> 
> I really don't think that is true. There is no direct relationship
> between policykit-1 and systemd. And our policykit works with either
> elogind or consolekit, so you have options.
> 
> If you want a integrated gui desktop that allows you to do privileged
> things like install packages, you will need policykit-1 or something
> similar.
> 
> Alternatively, use apt or aptitude from the commandline.
> 
> Mark
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

Sorry, can you explain why exactly polkit is needed here? What is wrong
with what everyone was doing before polkit which was gksu or gksudo?

-- 
 _ 
/ There is no character, howsoever good   \
| and fine, but it can be destroyed by|
| ridicule, howsoever poor and witless.   |
| Observe the ass, for instance: his  |
| character is about perfect, he is the   |
| choicest spirit among all the humbler   |
| animals, yet see what ridicule has  |
| brought him to. Instead of feeling  |
| complimented when we are called an ass, |
| we are left in doubt.   |
| |
| -- Mark Twain, "Pudd'nhead Wilson's |
\ Calendar"   /
 - 
\
 \
   /\   /\   
  //\\_//\\ 
  \_ _//   /
   / * * \/^^^]
   \_\O/_/[   ]
/   \_[   /
\ \_  /  /
 [ [ /  \/ _/
_[ [ \  /_/
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng