Open Fred-Barclay opened 7 years ago
It sounds like gksu
doesn't depend on DBus whereas pkexec
does. firejail --noprofile
likely blocks access to the system DBus socket. A new network namespace might also do it.
It sounds like gksu doesn't depend on DBus whereas pkexec does.
Interestingly, I get a different error when allowing dbus access:
$ firejail --protocol=unix --noprofile
Parent pid 4095, child pid 4096
Child process initialized in 12.97 ms
$ pkexec /bin/bash
pkexec must be setuid root
So it looks like it does need at least some access to dbus.
Yes, pkexec needs DBus access. It uses PolicyKit, which is a DBus-only service that someone thought was somehow a better idea than sudo when dealing with command execution (it's great for rights delegation when dealing with DBus services, because there really isn't any other option, but it's overkill for regular command execution). On the other hand, gksu is just a graphical frontend for sudo, so it just needs access to X11 to work.
In my case (Debian stretch), running "pkexec ls /root" in a "firejail --noprofile" crashes. I get this in syslog:
Aug 18 08:59:39 debian kernel: [69861.953292] pkexec[1600]: segfault at 18 ip 00007fc867f01097 sp 00007fc8635ef180 error 4 in libpolkit-agent-1.so.0.0.0[7fc867efb000+9000]
lol PolicyKit is a mess and is half-broken on my end even without using firejail
(although maybe it's because of hidepid
in my case...). It uses a security-hole-ridden mess called DBus and is somehow supposed to be better than sudo. Ugh.
When I run it, I get the following:
$ firejail --noprofile
$ pkexec ls /root
Error checking for authorization org.freedesktop.policykit.exec: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: process with PID 2 has been replaced
By the way, gksu
and gksudo
have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well), and apparently the recommended way is to use pkexec
now, which currently doesn't work within firejail
. I suspect it's due to the PID namespace...
Any update on this? pkexec
not working with firejail
there's no way to run applications that require it, such as GameHub.
By the way, gksu and gksudo have been removed entirely (at least from Debian and Ubuntu, and probably other Debian derivatives as well)
Also on Fedora systems with F29+RPMFusion there is no gksu
, gksudo
, kdesudo
.
just saw that etcher is stated in this issue by @Fred-Barclay
I'm trying to stop etcher from doing calls to networks/internet but I'm not able to get it running properly with firejail (the gui doesn't load properly). Here is my etcher issue witch a screenshot: https://github.com/balena-io/etcher/issues/2772
Based on @rradar's comment, I presume this still an issue with pkexec
and we should figure out what to do about it.
8204822861fe997328c94b74a16436d64bfd6eed
$ firejail --noprofile /usr/bin/pkexec
pkexec must be setuid root
# removing force-nonewprivs yes
$ firejail --noprofile /usr/bin/pkexec
Refusing to render service to dead parents.
Is this still unresolved or is it just me?
% firejail --noprofile /usr/bin/pkexec
Parent pid 463947, child pid 463948
Child process initialized in 9.08 ms
Refusing to render service to dead parents.
Parent is shutting down, bye...
firejail --version
firejail version 0.9.58.2
Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is disabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
I’m not a fan of polkit either, but it seems that it is here to stay and it would be useful if it could be called from within a firejail.
I noticed this when trying to build a profile for a program that uses polkit for authentication control.
Running
pkexec
normally in terminal (not in firejail), I get the standard gui dialog.Switching to
firejail --noprofile
, there is no dialog window, and the authentication attempt in the console fails:However, gksu still provides its standard dialog and allows privilege escalation:
(Strangely, bash seems to freeze at this point. But the privileges have definitely been elevated, as this output shows:)
This isn't ideal, IMHO. Some programs (like etcher) rely on pkexec, and we should probably support allowing privilege escalation with pkexec as well as gksu (though only super-loose sandboxes like
firejail --noprofile
, of course. 😄)Cheers!