replace gksu

[oberon-manjaro]

gksu has been deprecated so we need to use alternatives. Where pkexec isn't they way to go, zensu seems to be a simple and good option. @manjaro/maintainers

Current state of manjaro:desktop-settings repo:

[bernhard@manjaro-sx desktop-settings]$ grep -re gksu .
./community/bspwm-minimal/skel/.config/GTKmenu/appmenu: cmd = gksu isousb
./community/bspwm-minimal/skel/.config/GTKmenu/appmenu: cmd = gksu -l gnome-terminal
./community/bspwm-minimal/skel/.config/GTKmenu/appmenu:         cmd = gksu-properties
./community/bspwm-minimal/skel/.config/dconf/user.d/everything.conf:command-history=['poweroff', 'dmenu', 'pkill docky', 'gksu bleachbit', 'killall docky']
./community/openbox/skel/.config/Thunar/uca.xml:    <command>gksu thunar %f</command>
./community/openbox/skel/.local/share/file-manager/actions/root.desktop:Exec=/usr/bin/gksu /usr/bin/pcmanfm %u
./community/cinnamon/skel/.local/share/applications/nemo-root.desktop:Exec=gksu nemo
./community/cinnamon/skel/.local/share/applications/nemo-root.desktop:Icon=gksu
./community/jwm/skel/.jwm/menu:        <Program label="Root">gksu pcmanfm /</Program>
./community/jwm/skel/.jwm/menu:            <Program label="Gufw Firewall">gksu gufw</Program>
./community/jwm/skel/.jwm/menu:            <Program label="Privilege Granting">gksu-properties</Program>
./community/jwm/skel/.jwm/menu:            <Program label="Root File Manager">gksu pcmanfm /</Program>         
./community/jwm/skel/.jwm/menu:            <Program label="Root Terminal">gksu sakura</Program>            
./community/fluxbox/skel/.config/fbmenugen/schema.pl:{item =>   ['gksu pcmanfm',        'Root File Manager',    'root-file-manager']},
./community/fluxbox/skel/.config/fbmenugen/schema.pl:  {item => ['gksu lightdm-gtk-greeter-settings','LightDM Greeter', ]},
./community/fluxbox/skel/.fluxbox/menu:  [exec] (Root File Manager) {gksu pcmanfm}
./community/fluxbox/skel/.fluxbox/menu:  [exec] (Root Terminal) {gksu -l gnome-terminal}
./community/fluxbox/skel/.fluxbox/menu:  [exec] (Privilege granting) {gksu-properties}
./community/fluxbox/skel/.fluxbox/menu:  [exec] (LightDM Greeter) {gksu lightdm-gtk-greeter-settings}
./community/budgie/skel/.local/share/applications/gksu.desktop:Comment=Opens a terminal as the root user, using gksu to ask for the password
./community/budgie/skel/.local/share/applications/gksu.desktop:Exec=gksudo -l gnome-terminal
./community/budgie/skel/.local/share/applications/gksu.desktop:Icon=gksu-root-terminal
./community/lxde/skel/.config/lxsession-default-apps/settings.conf:terminal_manager/installed=Root Terminal,gksu,gksu-root-terminal,/usr/share/applications/gksu.desktop,;LXTerminal,lxterminal,lxterminal,/usr/share/applications/lxterminal.desktop,;UXTerm,uxterm,xterm-color_48x48,/usr/share/applications/uxterm.desktop,;XTerm,xterm,xterm-color_48x48,/usr/share/applications/xterm.desktop,;
./community/lxde/skel/.local/share/file-manager/actions/openfolderasroot.desktop:Exec=gksudo pcmanfm %u
./community/lxde/skel/.local/share/file-manager/actions/editasroot.desktop:Exec=gksudo leafpad %f
./community/lxde/skel/.local/share/file-manager/actions/editasroot.desktop:Exec=gksudo leafpad %f
./community/pantheon/skel/.local/share/contractor/folder-openasroot.contract:Exec=gksudo pantheon-files %U
./community/pantheon/skel/.local/share/contractor/file-openasroot.contract:Exec=gksudo scratch-text-editor %U
./community/deepin/skel/.local/share/applications/root-filemanager.desktop:Icon=gksu
./community/bspwm-mate/skel/.config/GTKmenu/appmenu:    cmd = gksu isousb
./community/bspwm-mate/skel/.config/GTKmenu/appmenu:    cmd = gksu -l gnome-terminal
./community/bspwm-mate/skel/.config/GTKmenu/appmenu:            cmd = gksu-properties
./community/bspwm/skel/.config/GTKmenu/appmenu: cmd = gksu isousb
./community/bspwm/skel/.config/GTKmenu/appmenu: cmd = gksu -l gnome-terminal
./community/bspwm/skel/.config/GTKmenu/appmenu:         cmd = gksu-properties
./community/bspwm/skel/.config/dconf/user.d/everything.conf:command-history=['poweroff', 'dmenu', 'pkill docky', 'gksu bleachbit', 'killall docky']

also we have:

[bernhard@manjaro-sx xfce-settings]$ grep -re gksu .
./skel/.config/Thunar/uca.xml:  <command>gksu dbus-launch thunar</command>

and in package lists still:

[bernhard@manjaro-sx iso-profiles]$ grep -re gksu .
./community/awesome/Packages-Desktop:gksu
./community/lxde/Packages-Desktop:gksu
./community/bspwm-mate/Packages-Desktop:gksu
./manjaro/xfce/Packages-Desktop:gksu

hits in community repo:

[bernhard@manjaro-sx community]$ grep -re gksu .
./python-xapp/PKGBUILD:            "gksu: Fallback authentication method for the GNOME desktop and derivatives"
./spacefm/PKGBUILD:            'gksu: perform as root functionality'
./sublime-text-dev/PKGBUILD:optdepends=('gksu: sudo-save support')
./snapper-gui/PKGBUILD:optdepends=('gksu: Access snapper-gui from application menu under GTK-base DE'
./snapper-gui/snapper-gui.desktop:Exec=[ -f /usr/bin/gksu ] && exec gksu snapper-gui || exec kdesu snapper-gui
./timeset-gui/PKGBUILD:depends=('gksu' 'python2-gobject' 'ntp')
./mhwd-chroot/PKGBUILD:optdepends=('gksu: gnome gui for su'
./fbmenu-manjaro/schema.pl:{item => ['gksu pcmanfm',        'Root File Manager',    'root-file-manager']},
./fbmenu-manjaro/schema.pl:  {item =>   ['gksu lightdm-gtk-greeter-settings','LightDM Greeter', ]},
./isousb/PKGBUILD:depends=('zenity' 'gksu')
./compiz-manjaro/src/~compiz-team/compiz/0.9.13/plugins/animation/src/animation.cpp:/// like the dimming layer of gksudo and x-session-manager.
./compiz-manjaro/src/~compiz-team/compiz/0.9.13/plugins/animation/src/animation.cpp:    // Never animate screen-dimming layer of logout window and gksu.
./compiz-manjaro/src/~compiz-team/compiz/0.9.13/plugins/animation/src/animation.cpp:    mNeverAnimateMatch |= "title=gksu";
./lxmed/PKGBUILD:depends=('gksu' 'java-runtime')
./octopi/PKGBUILD:              'gksu: for XFCE, Gnome, LXDE, Cinnamon'

[oberon-manjaro]

@Chrysostomus is there a way to store the password in keyring with zensu? Atm it is asking for password every time again ... ?

[Chrysostomus]

Possible? Yes. Possible to do securely? Maybe, I'll have to look into it. Ideas are welcome

[Chrysostomus]

Gnome-keyring could possibly be used for this? It could be added as optdepend.

I wonder if it would be better if zensu checked if there is a polkit agent running, and if so, just prepended pkexec to command instead of sudo with password query? Advent of polkit is why gksu was decrepated in the first place. This would get around the problem of apps that still depend on gksu.

[oberon-manjaro]

Well, I realize that pkexec also normally doesn't remember passwords, or does it? Maybe that's just sudo behaviour? In any case

if so, just prepended pkexec to command

For some applications I have tried sofar that would seem to work, however for some reason:

[bernhard@manjaro-sx ~]$ pkexec pcmanfm
Cannot open display:

[Chrysostomus]

Pass might be another option to store passwords here...

[Ste74]

Pkexec use a xml file wich contain the rules for work.. If app not provide the xml file pkexec not work.. Sudo is not better to run the graphical app for security reason.. Gksu etc. Solve this but again for security reason is not better so wayland and gnome want pkexec as standard...

[Chrysostomus]

I'm in a bit weird place with the adoption of zensu. I wrote it, but if it's going to be used more widely, it needs some significant improvement. It was originally designed to avoid the gtk2 dependency of gksu, then updated to avoid the webkit dependency of zenity. It was a bit of a hack to begin with.

[fhdk]

As long as developers of different apps does not provide the files for polkit it is difficult to launch graphical apps which requires superuser rights.

Recently we have had issues with apps requesting password twice - could this be due to those missing polkit files or maybe poorly written files?

My experience in these authentication situations is that when an app requests password twice it is usually the root password that authenticates.

Wouldn't be reasonable to use pkexec and if that fails use sudo?

For example - on my openbox install

~ >>> pkexec thunar                                                                                                  
Thunar: Failed to initialize Xfconf: Cannot autolaunch D-Bus without X11 $DISPLAY

Unable to init server: Could not connect: Connection refused

(thunar:7049): Gtk-WARNING **: 18:24:51.771: cannot open display: 
~ >>> 

[Chrysostomus]

If a password can be piped to pkexec, then that would be viable:

1) test for polkit agent 2) if available, pipe the password to pkexec and fall back to sudo if necessary 3) if no polkit agent running, use sudo

[fhdk]

https://wiki.archlinux.org/index.php/Polkit

It appears it is possible to pipe to pkexec

https://code.launchpad.net/~roadmr/checkbox/1097816-pkexec/+merge/171930

Another thing maybe related to my experience of being requested password twice

https://www.freedesktop.org/software/polkit/docs/0.111/pkexec.1.html

pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

So if pkexec is called without --user $USER then root is assumed!

pkexec thunar

versus

pkexec --user fh thunar

More promising is the return value

Upon successful completion, the return value is the return value of PROGRAM. If the calling process is not authorized or an authorization could not be obtained through authentication or an error occured, pkexec exits with a return value of 127. If the authorization could not be obtained because the user dismissed the authentication dialog, pkexec exits with a return value of 126.

[fhdk]

So to make any program able to run with elevated rights, as @Ste74 already noted, it requires the presence of a policy file.

---

https://askubuntu.com/questions/287845/how-to-configure-pkexec

This one works

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY thunar

This will probably make pkexec as unsafe as gksu

If executed with a user argument and trying to access e.g. gparted

pkexec --user fh env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gparted

will result in an error and a new prompt saying - root credentials is needed - superuser is not enough.

---

[fhdk]

Wayland + Gnome

https://ubuntuforums.org/showthread.php?t=2374812

if [ $XDG_SESSION_TYPE = "wayland" ]; then xhost +si:localuser:root; fi

[fabiscafe]

Why do we need a gksu replacement in the first place? I mean there is a good reason that it's not here anymore and linux moves on to polkit. Also I dont like the approach to hijack pkexec, just to make something run on xwayland

[Chrysostomus]

1) repos and AUR still have some packages that use gksu internally even though they should not 2) some editions don't use polkit by default

That's the use case: transition period

[fabiscafe]

To be realistic, ask yourself: Is there any progress for these missing parts to do the change to polkit? If yes -> transitioning phase is OK, if no: remove them from the repo, put them to the AUR.

gksu is in !aur, so thats nothing we have to care about.

For root terminal stuff we really should write bugreports, because calling them with gksu directly seems to be wrong, when its so easy to just run sudo -i, pkexec inside them and get root permissions

for gnome terminal gnome-terminal -- pkexec And gnome-terminal will actn as a root terminal.

For a polkit wrapper: please make sure you dont make things worse for wayland users, we dont want to start apps via Xwayland, because of something. One of the next steps on the wayland roadmap is to remove the xwayland dependency, so if we create here new dependencies for X, someone has to work on it later again.

That transitioning period is ongoing for about 10years and we're already at stage 4 (or somewhere at stage 6 of 10 in the real list, but I cant find this list anymore :-1:)

1. make polkit work (including pkexec)
2. integrate polkit into applications
3. make polkit necessary for the desktop (thats wayland)
4. remove support for sudo helpers

[fhdk]

@Chrysostomus

http://aur.archlinux.org/packages/gksu-polkit-git

@Tids Does work with Wayland?

Add: https://wiki.gnome.org/Attic/gksu

@oberon2007 I have build the gksu-polkit package - could you test it - have an opinion maybe.

In unstable as gksu-polkit and source at https://github.com/fhdk/gksu-polkit

[oberon-manjaro]

This looks great, I like! :smiley: :+1: How did you manage to inherit this repo? I was already looking at the AUR package and couldn't find anything useful via debian as it looks like they have restructured there git and also abandoned the package. With versioning we normally don't necessarily follow the AUR at all costs. At the same time we try to avoid epoch if possible. So I would suggest you drop the epoch and bump version to 0.0.3, including the latest commits. Also I'd suggest to include a link /usr/bin/gksu > /usr/bin/gsku-polkit It conflicts gksu anyway and typing 'gksu-polkit' is a little unpractical. Also like that existing config and scripts will contiune to work without modification :nerd_face:

[fhdk]

On Fri, 01 Jun 2018 06:08:49 -0700 Bernhard Landauer notifications@github.com wrote:

This looks great, I like! :smiley: :+1: How did you manage to inherit this repo? I was already looking at the AUR package and couldn't find anything useful via debian as it looks like they have restructured there git and also abandoned the package. With versioning we normally don't necessarily follow the AUR at all costs. At the same time we try to avoid epoch if possible. So I would suggest you drop the epoch and bump version to 0.0.3, including the latest commits. Also I'd suggest to include a link /usr/bin/gksu > /usr/bin/gsku-polkit It conflicts gksu anyway and typing 'gksu-polkit' is a little unpractical. Also like that existing config and scripts will contiune to work without modification :nerd_face:

Already ahead of you.

I have already made an gksu-polkit.install which conflicts gksu and zensu and creates a symlink as you suggested.

-- FH fh@uex.dk

[oberon-manjaro]

an gksu-polkit.install which conflicts gksu and zensu and creates a symlink

Both needs to be done in the PKGBUILD, not an .install. Otherwise pacman will not know of the symlink's existence!

[fhdk]

The .install script has both post_install() and post_remove() which is where it happens

post_install() {
    ln -s /usr/bin/gsku-polkit /usr/bin/gksu
}

post_remove() {
    rm -f /usr/bin/gksu
}

[philmmanjaro]

@fhdk symlink needs to be added to PKGBUILD and not to the post install script. Also a replace and conflicts with gksu is in order.

[oberon-manjaro]

That's what I mean, yes. It goes inside package() function. In general, please push your files so we can actually see what we are discussing :smiley:

[fhdk]

Like this?

package() {
  cd $pkgname
  make DESTDIR="$pkgdir" install
  install -Dm644 "$srcdir/gksu-polkit.service" \
    "$pkgdir/$(pkg-config systemd --variable=systemdsystemunitdir )/gksu.service"
  ln -s gksu-polkit $pkgdir/usr/bin/gksu
}

[oberon-manjaro]

ln -s gksu-polkit $pkgdir/usr/bin/gksu :wink:

[fhdk]

I noticed that pkg-config was replaced by pkgconf?

The package() function uses pkg-config - should I change it?

[fhdk]

https://github.com/aarnt/octopi/issues/380#issuecomment-503769593

[fhdk]

https://github.com/aarnt/octopi/issues/380#issuecomment-503769593