- This topic has 18 replies, 7 voices, and was last updated Jan 26-4:07 pm by Robin.
-
Posts
-
mikey777
While in another distro forum recently, I learned from someone that when I want to edit a file (within the file system), I should be using pkexec instead of sudo. When I asked “why”, the nebulous answer I got was that, if I continue using sudo, it will mess up permissions, but when pressed they seemed unable to explain why. Is this merely scaremongering? I’m sure I’m not the only linux-user stuck in this pkexec vs. sudo dilemma.
I’d appreciate any feedback on the following two points:
(1) Editing the File System:
E.g. for editing the grub file, I have always used the following, without any apparent problems:
sudo gedit /etc/default/grubBut now, I’ve been advised to use:
pkexec leafpad /etc/default/grub(2) Opening Graphical Applications
I also learned (from the same person) that I shouldn’t use sudo in the terminal for opening many graphical applications. That I can appreciate, as the point of the gui is to provide an easy-point-and-click alternative to the terminal, and a password isn’t required for many of them, e.g. libreoffice, chromium, etc. However, opening some apps does require a password, e.g. gparted and synaptic, but when you mouse-click on these in the menu, isn’t this the same as evoking sudo?Many thanks in advance for any clarification on the above.
- This topic was modified 1 year, 11 months ago by mikey777.
- This topic was modified 1 year, 11 months ago by mikey777.
- This topic was modified 1 year, 11 months ago by mikey777.
▪ 32-bit antix19.4-core+LXDE installed on :
- (2011) Samsung NP-N145 Plus (JP04UK) – single-core CPU Intel Atom N455@1.66GHz, 2GB RAM, integrated graphics.
▪ 64-bit antix21-base+LXDE installed on:
- (2008) Asus X71Q (7SC002) – dual CPU Intel T3200@2.0GHz, 4GB RAM. Graphics: Intel Mobile 4 Series, integrated graphics
- (2007) Packard Bell Easynote MX37 (ALP-Ajax C3) – dual CPU Intel T2310@1.46GHz, 2GB RAM. Graphics: Silicon Integrated Systems.Anonymous
I should be using pkexec
The effect from using sudo will (does) vary across O/Ses.
What the pkexec advocate “knows to be true” may, or may not, be identically applicable on antiX.
Stock antiX.
You are free to administer your system however you choose, editing sudoers policy to suit your needs.gedit
Not a gedit user, so I’ll just advise you to test ~~ test the outcome of using pkexec vs sudo, specific to to gedit.
toward gauging “which end is UP”, here’s a quick demonstration:
$sudo leafpad /tmp/shoe ### now edit and save the file, then exit leafpad. $stat /tmp/shoe | grep Uid ### ^---> note that the created-via-sudo "shoe" file is owned by "root" ### now, take ownership of this file... $sudo chown $USER:$USER /tmp/shoe ### ...and again open the "shoe" file, edit its content, save, exit leafpad. $sudo leafpad /tmp/shoe $stat /tmp/shoe | grep Uid ### ^---> note that an EDITED-via-sudo "shoe" file is (still) owned by $USERwhen you mouse-click on these in the menu, isn’t this the same as
evokinginvoking sudo?When discussing this, to ensure accuracy, we need to be careful, be specfic.
Each time sudo is invoked, the result can vary, depending on with which commandline options are passed
https://manpages.debian.org/testing/sudo/sudo.8.en.htmlsudo -h | -K | -k | -V sudo -v [-AknS] [-g group name | #gid] [-p prompt] [-u user name | #uid] sudo -l[l] [-AknS] [-g group name | #gid] [-p prompt] [-U user name] [-u user name | #uid] [command] sudo [-AbEHnPS] [-C fd] [-g group name | #gid] [-p prompt] [-r role] [-t type] [-u user name | #uid] [VAR=value] -i | -s [command] sudoedit [-AnS] [-C fd] [-g group name | #gid] [-p prompt] [-u user name | #uid] file ...synaptic
gparted
isn’t this the same$locate synaptic.desktop /usr/share/applications/synaptic.desktop $grep Exec= /usr/share/applications/synaptic.desktop Exec=su-to-root -X -c /usr/sbin/synaptic $locate gparted.desktop /usr/share/applications/gparted.desktop /usr/share/applications/antix/gparted.desktop $grep Exec= /usr/share/applications/gparted.desktop Exec=su-to-root -X -c /usr/sbin/gparted %f $grep Exec= /usr/share/applications/antix/gparted.desktop Exec=gksu gparted $which su-to-root /usr/bin/su-to-rootYou can examine the su-to-root (bash script) in a text editor
to confirm what I’m describing here.su-to-root -X
passes the commandstring to the gksu utility.you can use the “debug” option to check what gksu “is doing, behind the scenes”.
Demonstration:
run the terminal commandline “gksu leafpad”
(FWIW, instead of actually launching leafpad here, you can just press escape to cancel.)cmd[0]: /usr/bin/sudo cmd[1]: -H cmd[2]: -S cmd[3]: -p cmd[4]: GNOME_SUDO_PASS cmd[5]: -u cmd[6]: root cmd[7]: --We note that gksu is, essentially, talking to sudo via stdin and asking sudo to preserve $HOME env variable. Whether or not the request to preserve HOME is granted depends on the current sudoers policy on the system.
sudo -H -S -- leafpadI’ve been advised to use:
pkexec leafpad /etc/default/grubI would anticipate two potential problems related to attempting to follow that advice.
1) The debian package doesn’t install a polkit rule for gedit ?
https://packages.debian.org/buster/amd64/gedit/filelist2) On your antiX system, is an (autostarted?) polkit authentication agent running, availble to handle the pkexec request?
seaken64
I am wondering then if the person(s) on the other forums know what distro you are using? Or do they assume you are using the same distro as them and answering from that perspective?
I do see antiX as a more DIY type of distro and the user is expected to set up sudo, pkexec policy kit, etc. themselves. In other distros this is all setup by the developers and can influence our “habits” for launching programs. I would follow the advice of the particular distro developers as to which approach is best for their distro. Or learn how to change it yourself so that you end up with the results you need/want.
I would listen to skidoo on this rather than the other forum’s helpers, even if they have good intentions.
Seaken64
mikey777
@skidoo
Many thanks for both of your replies.
Your first reply left me floundering – my linux skills aren’t advanced enough to understand what you said, but will attempt to look at this again when I have a bit more free time.All I really would like to know is if I need to be using pkexec or not with antix-core+LXDE, when editing files like the grub file, etc. I’ve always used sudo, without problem, but of course that doesn’t mean there aren’t any. I haven’t modified the sudoer permissions, in the antix-core19.4 package – they have been left at their default settings, whatever that is. Many thanks again.
Cheers
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
▪ 32-bit antix19.4-core+LXDE installed on :
- (2011) Samsung NP-N145 Plus (JP04UK) – single-core CPU Intel Atom N455@1.66GHz, 2GB RAM, integrated graphics.
▪ 64-bit antix21-base+LXDE installed on:
- (2008) Asus X71Q (7SC002) – dual CPU Intel T3200@2.0GHz, 4GB RAM. Graphics: Intel Mobile 4 Series, integrated graphics
- (2007) Packard Bell Easynote MX37 (ALP-Ajax C3) – dual CPU Intel T2310@1.46GHz, 2GB RAM. Graphics: Silicon Integrated Systems.mikey777
I am wondering then if the person(s) on the other forums know what distro you are using? Or do they assume you are using the same distro as them and answering from that perspective?
Thanks for your reply seaken64. Yes, they had assumed I was using their distro (Ubuntu-based), which I was.
I do see antiX as a more DIY type of distro and the user is expected to set up sudo, pkexec policy kit, etc. themselves. In other distros this is all setup by the developers and can influence our “habits” for launching programs. I would follow the advice of the particular distro developers as to which approach is best for their distro. Or learn how to change it yourself so that you end up with the results you need/want.
Yes, I agree. Sometimes, it’s a case of just wanting to know “am I doing the right thing or not?” Antix is now my day-to-day OS, as my hardware is now ageing (up to 14 years old), and to be quite honest nothing seems to run as efficiently on it as antix.
I would listen to skidoo on this rather than the other forum’s helpers, even if they have good intentions.
Yes, skidoo is clearly very knowledgeable & experienced. All advice to me is welcomed & encouraged, but bear in mind I’m not an advanced user – sometimes I’m unable to understand some of the replies as they are too technical. Sometimes, as an intermediate-skills-user, I feel like a forever-newbie as there is so much to take on board and have limited time to allocate to going deeper, but will do my best where possible, my skills level allowing. As I said above, sometimes it’s just a case of wanting to know if I’m doing the right thing, and if not, pointing me to a tutorial which I can use to fix things. Thanks again seaken64.
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
▪ 32-bit antix19.4-core+LXDE installed on :
- (2011) Samsung NP-N145 Plus (JP04UK) – single-core CPU Intel Atom N455@1.66GHz, 2GB RAM, integrated graphics.
▪ 64-bit antix21-base+LXDE installed on:
- (2008) Asus X71Q (7SC002) – dual CPU Intel T3200@2.0GHz, 4GB RAM. Graphics: Intel Mobile 4 Series, integrated graphics
- (2007) Packard Bell Easynote MX37 (ALP-Ajax C3) – dual CPU Intel T2310@1.46GHz, 2GB RAM. Graphics: Silicon Integrated Systems.
Dave
Yes, I agree. Sometimes, it’s a case of just wanting to know “am I doing the right thing or not?”
Well that depends on what you would like to do. All of the programs are to allow your user to execute a command as another user. All can be setup differently between distributions; even within a distribution. I do not really hold any authoritative knowledge on the subject but…
Log in as root -> not “safe” you always have system admin access
Log in as root via su -> “safer” from but still have system admin access to everything during the time you are using su.
Log in as root via sudo -> “safe” as defined in sudoers file, you only have access to the root programs your uses is allowed to access by the system admin (root user) and times out after some time period
Log in as root via pkexec -> “safe” in the same way as sudoers, only the system admin (root user) can restrict your users actions more finely. (Only this command within this program, not the whole program, and only that command within that program not by itself. May / may not be with a password)There is alot more to each, a bit of a moving target. So as skidoo is showing… probably best to know what is what.
When you ask the question from developers as a system admin which way is better for you to use, you are really asking to childproof the system for you.
So as with android, why don’t we lock you out of root and only allow you to do what we say? It would be the safest for you as it would be difficult for you to break your install. If it breaks, it is time to buy a new system anyway….Computers are like air conditioners. They work fine until you start opening Windows. ~Author Unknown
I [..] have limited time to allocate to going deeper, but
but chose to install (or inquire about) ‘gedit’,
which is not among the applications pre-installed in antiX…
and expect others to install it in antiX, study the effect of “with sudo, vs with pkexec”
when gedit is run on an antiX system, then post a definitive answer.^— in case that sounds antagonistic, just know that is not my intent in typing this post.
In my earlier “way too much detail” post, I strived to explain why a simple, definitive, answer is elusive.
A shorter, and arguably “correct”, brushoff answer stating that “either one, sudo or pkexec, should be fine” would not have been definitive. In fact, a short answer likely would have bred a string of follow-on posts.
“Hey, no, pkexec is not working.”
“Well, hmmm… have you confirmed that an authentication agent for pkexec is running?”
“What’s an ostrich-ification agent?”
. . .…childproof the system…
;^)
I’m guessing this post omitted an implied winking sarcastic smilie.
As a reminder, and for the benefit of “folks who just (recently) tuned into the show”, I’ll mention that https://gitlab.com/skidoo/slimski slimski, capable of disallowing root user login to graphical session, stands as a ready replacement for SLiM.
Dave
Indeed, I forgot/should have added the sarcastic winking smile 😀
I do not really make the call as to what goes in and what stays out. Maybe it is a testing thing? I do not know… I have not really been in much of the development over the past year +.Computers are like air conditioners. They work fine until you start opening Windows. ~Author Unknown
mikey777
@Dave
Many thanks for explaining the differences in the use of su and sudo.Well that depends on what you would like to do. All of the programs are to allow your user to execute a command as another user.
That’s very easy to answer, Dave. I use permissions (sudo) for things like editing grub or fstab files, or using apt when updating or upgrading, or installing software that’s not in cli-aptiX. All basic stuff – nothing fancy.
Since I’m the only user for my machine, my user and root passwords are the same, though I’ll guess you or skidoo will tell me this is unsafe practice – please do tell me if that’s the case!
The only time I’ve used su, was when doing a fresh install of antix-core, which was used in an antiX tutorial.
I’ll cut to the chase. No, I’m not looking for “a childproof system”. All I really wanted to know is how most folk here in the antix forum approach this, for the basic uses I’ve just outlined above, i.e. “do antix folk use pkexec or sudo?” I’m now a bit more confused than before, lol. I didn’t mean to step into a philosophical minefield, which goes above my head anyway (lol) …
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
▪ 32-bit antix19.4-core+LXDE installed on :
- (2011) Samsung NP-N145 Plus (JP04UK) – single-core CPU Intel Atom N455@1.66GHz, 2GB RAM, integrated graphics.
▪ 64-bit antix21-base+LXDE installed on:
- (2008) Asus X71Q (7SC002) – dual CPU Intel T3200@2.0GHz, 4GB RAM. Graphics: Intel Mobile 4 Series, integrated graphics
- (2007) Packard Bell Easynote MX37 (ALP-Ajax C3) – dual CPU Intel T2310@1.46GHz, 2GB RAM. Graphics: Silicon Integrated Systems.>>> my user and root passwords are the same
Considering that, per default antiX sudo policy, each login account automatically recieves (sudo group membership and) nearly carte blanche access to all system commands via sudo… on a single-user system, setting an identical root password and user password does not undermine security. A bad actor — malware, or an unwanted, silent, “connect to remote servers, download and auto-update stuff” program operation — armed with your user password [[[ or, during the pre-configured sudo timeout grace period ]]] essentially has full system-wide root privileges.
All I really wanted to know is [..] do folk use pkexec
It’s probably a safe bet to guess that few (extremely few) antiX users are intentionally choosing to use it.
anticapitalista
As a reminder, and for the benefit of “folks who just (recently) tuned into the show”, I’ll mention that https://gitlab.com/skidoo/slimski slimski, capable of disallowing root user login to graphical session, stands as a ready replacement for SLiM.
Apart from skidoo, has anyone else been using slimski?
Philosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
ModdIt
Slimski Looks interesting but compile and setup for a non standard test system put me and users off. Just reaching end of possibly
Life changing final exams here, on top of months of home schooling due covid. School is no 1 Priority.If a pre configured alternative (in a beta) was offered for download I think it would find interested users more readily.
Maybe skidoo can help out there, certainly above what I am able to do at present.Certainly I would then setup a live system to see how it works, pass it to others if I meet no major understanding or usage
issues- This reply was modified 1 year, 11 months ago by ModdIt.
mikey777
>>>
It’s probably a safe bet to guess that few (extremely few) antiX users are intentionally choosing to use it.That’s helpful to know – I’ll do the same i.e. avoid pkexec, and just continue using sudo for terminal based applications/operations. And thanks skidoo (as well as others on this thread) for being so patient with my relatively low level of knowledge on how these things work …
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
- This reply was modified 1 year, 11 months ago by mikey777.
▪ 32-bit antix19.4-core+LXDE installed on :
- (2011) Samsung NP-N145 Plus (JP04UK) – single-core CPU Intel Atom N455@1.66GHz, 2GB RAM, integrated graphics.
▪ 64-bit antix21-base+LXDE installed on:
- (2008) Asus X71Q (7SC002) – dual CPU Intel T3200@2.0GHz, 4GB RAM. Graphics: Intel Mobile 4 Series, integrated graphics
- (2007) Packard Bell Easynote MX37 (ALP-Ajax C3) – dual CPU Intel T2310@1.46GHz, 2GB RAM. Graphics: Silicon Integrated Systems.
- You must be logged in to reply to this topic.
