Message-ID:

Writing is turning one's worst moments into money. -- J.P. Donleavy

rocksolid / de.comp.os.unix.x11 / pkexec?

Subject: pkexec?
From: Ulli Horlacher
Newsgroups: de.comp.os.unix.x11
Organization: University of Stuttgart, FRG
Date: Sat, 2 Mar 2024 20:05 UTC

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.datentrampelpfad.de!thinkmo.de!news.uni-stuttgart.de!.POSTED!not-for-mail
From: frams...@rus.uni-stuttgart.de (Ulli Horlacher)
Newsgroups: de.comp.os.unix.x11
Subject: pkexec?
Date: Sat, 2 Mar 2024 20:05:39 +0000 (UTC)
Organization: University of Stuttgart, FRG
Lines: 31
Message-ID: <us00qj$7oj$1@news2.informatik.uni-stuttgart.de>
X-Trace: news2.informatik.uni-stuttgart.de 1709409939 7955 129.69.1.129 (2 Mar 2024 20:05:39 GMT)
X-Complaints-To: rusnews@informatik.uni-stuttgart.de
NNTP-Posting-Date: Sat, 2 Mar 2024 20:05:39 +0000 (UTC)
User-Agent: tin/2.6.3-20231224 ("Banff") (Linux/5.15.0-97-generic (x86_64))

View all headers

Ich hab jetzt erst pkexec entdeckt, was so eine Art GUI-sudo ist

Das funktioniert:

framstag@moep:~: cat /usr/bin/synaptic-pkexec
#!/bin/sh
pkexec "/usr/sbin/synaptic" "$@"

Das startet dann synaptic suid root.

Das funktioniert leider nicht:

framstag@moep:~: pkexec xterm
xterm: Xt error: Can't open display: %s
xterm: DISPLAY is not set

framstag@moep:~: pkexec /usr/bin/xfce4-terminal

(xfce4-terminal:14545): Gtk-WARNING **: 21:00:41.641: cannot open display:

Warum nicht?
synaptic ist schliesslich auch ein X11 Programm, das DISPLAY benoetigt?

--
Ullrich Horlacher Server und Virtualisierung
Rechenzentrum TIK
Universitaet Stuttgart E-Mail: horlacher@tik.uni-stuttgart.de
Allmandring 30a Tel: ++49-711-68565868
70569 Stuttgart (Germany) WWW: https://www.tik.uni-stuttgart.de/

Subject: Re: pkexec?
From: Marco Moock
Newsgroups: de.comp.os.unix.x11
Date: Sat, 2 Mar 2024 20:10 UTC
References: 1

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: de.comp.os.unix.x11
Subject: Re: pkexec?
Date: Sat, 2 Mar 2024 21:10:15 +0100
Message-ID: <us0137$ribi$3@solani.org>
References: <us00qj$7oj$1@news2.informatik.uni-stuttgart.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Injection-Date: Sat, 2 Mar 2024 20:10:15 -0000 (UTC)
Injection-Info: solani.org;
logging-data="903538"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:U+9GjUbT55jkthItRhYCGL3jdKM=
X-User-ID: eJwFwYEBgDAIA7CXgNIOz0Em/59gQsg1J0Ull4v8VNVznjZMreBg91by4k2367iMDquNQP4R8hBi
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu)

View all headers

Am 02.03.2024 20:05 Uhr schrieb Ulli Horlacher:

> Warum nicht?
> synaptic ist schliesslich auch ein X11 Programm, das DISPLAY
> benoetigt?

Weiß ich nicht, aber die Manpage sagt, dass das so gewollt ist:

The environment that PROGRAM will run it, will be set to a
minimal known and safe environment in order to avoid injecting
code through LD_LIBRARY_PATH or similar mechanisms. In addition
the PKEXEC_UID environment variable is set to the user id of the
process invoking pkexec. As a result, pkexec will not by default
allow you to run X11 applications as another user since the
$DISPLAY and $XAUTHORITY environment variables are not set.
These two variables will be retained if the
org.freedesktop.policykit.exec.allow_gui annotation on an action
is set to a nonempty value; this is discouraged, though, and
should only be used for legacy programs.

--
Gruß
Marco

Spam und Werbung bitte an
1709406339ichwillgesperrtwerden@nirvana.admins.ws

Subject	Author
pkexec?	Ulli Horlacher
Re: pkexec?	Marco Moock