Can't run apps requiring elevated privileges on artful

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Can't run apps requiring elevated privileges on artful

Gilles Gravier-2
Hello all!

Have you noticed this: On a clean artful install, running an app that will require elevated privileges (like Synapic) won't work. You get the pop-up asking for your password, you enter it, then nothing happens.

If you do this from a terminal by typing "sudo" and your command "sudo synaptic" or "sudo gnome-terminal" or any other graphical command you wish to run with elevated privileges, you always get the same error :
  Unable to init server: Could not connect: Connection refused
  Failed to parse arguments: Cannot open display:

If you first open a terminal window and run "xhost +" then you can run these apps. But that's a kludgy workaround... and not easy to implement for apps that need to be launched at start of the graphical desktop session.

Any ideas? I think it's a new bug (all this was working fine in 17.04).

Gilles
--
Gilles Gravier - [hidden email]


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Colin Law
On 25 October 2017 at 07:42, Gilles Gravier <[hidden email]> wrote:
> Hello all!
>
> Have you noticed this: On a clean artful install, running an app that will
> require elevated privileges (like Synapic) won't work. You get the pop-up
> asking for your password, you enter it, then nothing happens.

Are you using Wayland? This should not be the default I believe
(unless something has changed). You can select which you want from the
login screen.
The technique for running as root is different in Wayland and
apparently individual apps must be updated to allow for this. See bug
[1] where there is more information.

[1] https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1706146

Colin

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Oliver Grawert
hi,
Am Mittwoch, den 25.10.2017, 08:50 +0100 schrieb Colin Law:

> On 25 October 2017 at 07:42, Gilles Gravier <[hidden email]>
> wrote:
> >
> > Hello all!
> >
> > Have you noticed this: On a clean artful install, running an app
> > that will
> > require elevated privileges (like Synapic) won't work. You get the
> > pop-up
> > asking for your password, you enter it, then nothing happens.
> Are you using Wayland? This should not be the default I believe
> (unless something has changed).
wayland is the default in the artful desktop and this behaviour is
known (and wanted) by upstream [1]. the apps need to be fixed to use
policykit before 18.04 ... if there is no bug yet for the app you are
using, please file one...

ciao
        oli

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1274451
--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

signature.asc (188 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Oliver Grawert
hi,
Am Mittwoch, den 25.10.2017, 11:23 +0200 schrieb Oliver Grawert:
> if there is no bug yet for the app you are
> using, please file one...
>
> ...
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1274451

oops ... forgot the reference to the launchpad bug for this, the list
of apps to be fixed is collected at:

https://bugs.launchpad.net/ubuntu/+source/backintime/+bug/1713313

ciao
        oli
--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

signature.asc (188 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Gilles Gravier-2
Thanks!

Well. Synaptic definitely broken. Gnome terminal as well...

Gilles

On Wed, Oct 25, 2017 at 11:27 AM, Oliver Grawert <[hidden email]> wrote:
hi,
Am Mittwoch, den 25.10.2017, 11:23 +0200 schrieb Oliver Grawert:
> if there is no bug yet for the app you are
> using, please file one...
>
> ...
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1274451

oops ... forgot the reference to the launchpad bug for this, the list
of apps to be fixed is collected at:

https://bugs.launchpad.net/ubuntu/+source/backintime/+bug/1713313

ciao
        oli
--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users




--
Gilles Gravier - [hidden email]
Using Google Apps web mail

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Oliver Grawert
hi,
Am Mittwoch, den 25.10.2017, 12:38 +0200 schrieb Gilles Gravier:
> Thanks!
>
> Well. Synaptic definitely broken. Gnome terminal as well...
>

i highly doubt anyone will consider "sudo gnome-terminal" or "pkexec
gnome-terminal" not working a bug ... you really do not want to run the
whole app as root here but instead have a root shell available inside
it. so the right way to use it would be:

gnome-terminal -e "sudo -s"

which will give you a root shell just fine but only elevate privileges
inside the spawned terminal ...

ciao
        oli
--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

signature.asc (188 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Gilles Gravier-2
Hi, Oli!

On 25/10/2017 13:04, Oliver Grawert wrote:

> hi,
> Am Mittwoch, den 25.10.2017, 12:38 +0200 schrieb Gilles Gravier:
>> Thanks!
>>
>> Well. Synaptic definitely broken. Gnome terminal as well...
>>
> i highly doubt anyone will consider "sudo gnome-terminal" or "pkexec
> gnome-terminal" not working a bug ... you really do not want to run the
> whole app as root here but instead have a root shell available inside
> it. so the right way to use it would be:
>
> gnome-terminal -e "sudo -s"
>
> which will give you a root shell just fine but only elevate privileges
> inside the spawned terminal ...
While I *FULLY" agree with you on the principle... I also think that, on
the principle, any graphical application needs to be fixed to operate
fully under the new model. Because somebody some day will try to use it
that way and it will break when it was working before...

Gilles

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Oliver Grawert
hi,
Am Mittwoch, den 25.10.2017, 14:02 +0200 schrieb Gilles Gravier:
> any graphical application needs to be fixed to operate
> fully under the new model. Because somebody some day will try to use
> it
> that way and it will break when it was working before...

i'd disagree here, it is a massive design flaw of xorg that you can run
anything and everything as root in graphical mode, it is insecure and
most of the time graphical apps are neither designed for this nor
tested by their upstreams in such a mode ... 

imagine a file manager app that will automatically try to make sure the
ownership permissions of your trash and Desktop dirs are always
correct, so it checks and re-sets them on every startup (or even just
its own config files) ... it might be a good thing if this app is run
as designed (i.e. as the user) that it makes the config files owned and
only readable by this specific user (there might be credentials for
remote shares in them etc) ... 

now imagine you run the same file manager app under sudo, it re-owns
everything to root and changes it to "only root can read this" ...

you dont want this particular app to ever be run as root and the
upstream developer will likely even tell you she did not design it that
way ... 

another example would be a toolkit that simply routes all your key
presses through a socket to handle specific exotic input methods ...
normally that socket is owned by the user and only accessible by the
user, which is a safe design ... now you run it as root, the socket
goes somewhere system-wide readable and everyone can sniff your online
banking password from the socket while you type it ... 

typically the GUI part of an app should always be run only by the user
and root-like operations should be handled by a privileged backend
instead ... apps requiring privilege elevation should be designed in
this two-part setup since dbus was introduced to desktop linux ... and
apps not originally designed for this should not be run with escalated
privs ... 

wayland (as mir did too) simply takes away one opportunity to shoot
yourself in the foot here ... which ... i understand ... some people
want to do indeed, but xorg is still around for them and wont go away
for a long time ... for all the others, there is 6 months to fix all
the apps that really need escalated privs ... 

if something that "did work before" is now "broken", consider that it
might be because it was initially not actually designed to be used that
way...

ciao
        oli
--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

signature.asc (188 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Gilles Gravier-2
The mechanism isn't broken, it's changed. The apps are broken now. They will be until they are fixed to work with the new permission model.

Ciao,
Gilles

On Wed, Oct 25, 2017 at 3:54 PM, Oliver Grawert <[hidden email]> wrote:
hi,
Am Mittwoch, den 25.10.2017, 14:02 +0200 schrieb Gilles Gravier:
> any graphical application needs to be fixed to operate
> fully under the new model. Because somebody some day will try to use
> it
> that way and it will break when it was working before...

i'd disagree here, it is a massive design flaw of xorg that you can run
anything and everything as root in graphical mode, it is insecure and
most of the time graphical apps are neither designed for this nor
tested by their upstreams in such a mode ... 

imagine a file manager app that will automatically try to make sure the
ownership permissions of your trash and Desktop dirs are always
correct, so it checks and re-sets them on every startup (or even just
its own config files) ... it might be a good thing if this app is run
as designed (i.e. as the user) that it makes the config files owned and
only readable by this specific user (there might be credentials for
remote shares in them etc) ... 

now imagine you run the same file manager app under sudo, it re-owns
everything to root and changes it to "only root can read this" ...

you dont want this particular app to ever be run as root and the
upstream developer will likely even tell you she did not design it that
way ... 

another example would be a toolkit that simply routes all your key
presses through a socket to handle specific exotic input methods ...
normally that socket is owned by the user and only accessible by the
user, which is a safe design ... now you run it as root, the socket
goes somewhere system-wide readable and everyone can sniff your online
banking password from the socket while you type it ... 

typically the GUI part of an app should always be run only by the user
and root-like operations should be handled by a privileged backend
instead ... apps requiring privilege elevation should be designed in
this two-part setup since dbus was introduced to desktop linux ... and
apps not originally designed for this should not be run with escalated
privs ... 

wayland (as mir did too) simply takes away one opportunity to shoot
yourself in the foot here ... which ... i understand ... some people
want to do indeed, but xorg is still around for them and wont go away
for a long time ... for all the others, there is 6 months to fix all
the apps that really need escalated privs ... 

if something that "did work before" is now "broken", consider that it
might be because it was initially not actually designed to be used that
way...

ciao
        oli
--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users




--
Gilles Gravier - [hidden email]
Using Google Apps web mail

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Oliver Grawert
Am Mittwoch, den 25.10.2017, 16:07 +0200 schrieb Gilles Gravier:
> The mechanism isn't broken, it's changed. The apps are broken now.
> They will be until they are fixed to work with the new permission
> model.

well, i didn't not say the mechanism is broken, it is more restrictive
so that apps that have never been designed to run as root will actually
not be able to (i.e. nautilus) and that is a good thing ... 

apps that *should* be able to do operations as root will get fixed by
 adding proper back ends to them indeed ...

ciao
        oli
--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

signature.asc (188 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Can't run apps requiring elevated privileges on artful

Tom H-4
In reply to this post by Gilles Gravier-2
On Wed, Oct 25, 2017 at 2:42 AM, Gilles Gravier <[hidden email]> wrote:

>
> Have you noticed this: On a clean artful install, running an app that
> will require elevated privileges (like Synapic) won't work. You get
> the pop-up asking for your password, you enter it, then nothing
> happens.
>
> If you do this from a terminal by typing "sudo" and your command "sudo
> synaptic" or "sudo gnome-terminal" or any other graphical command you
> wish to run with elevated privileges, you always get the same error :
> Unable to init server: Could not connect: Connection refused
> Failed to parse arguments: Cannot open display:
>
> If you first open a terminal window and run "xhost +" then you can run
> these apps. But that's a kludgy workaround... and not easy to
> implement for apps that need to be launched at start of the graphical
> desktop session.
>
> Any ideas? I think it's a new bug (all this was working fine in 17.04).

There was a recent thread about this.

Synaptic (and other gui applications that need root privileges) needs
to use the polkit-and-dbus infrastructure under wayland.

[ "sudo gnome-terminal" doesn't make any sense. You can/should run
"sudo command" | "sudo -s" | "sudo su"| "sudo -i" | sudo su -" ]

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users