[solved] gksu (gksudo) issues plus other comments

Questions about other topics - please check if your question fits better in another category before posting here
Forum rules
Before you post please read how to get help
patday8472
Level 2
Level 2
Posts: 56
Joined: Mon Dec 24, 2018 2:08 pm

Re: gksu (gksudo) issues plus other comments

Post by patday8472 »

redlined wrote:
Sat Jan 26, 2019 2:54 pm
zcot wrote:
Sat Jan 26, 2019 2:31 pm
patday8472 wrote:
Fri Jan 25, 2019 7:27 am

Why would you give that advice? Being in root all the time is dangerous.
I would not give that as advice actually, but it was the question of it. It just feels like the goal is convenience overall, and above progress and security which probably are not a factor. -or do I mistake that?

If the pc has no banking, purchases, nothing work-related, there's offsite backups, if there's nothing really important that's not public-ready on the machine then really even basic security is a non issue anyway I guess in which case "danger" isn't even an issue.

Once the decision goes from "how likely is it that I will be hit with that specific known gksudo exploit", to "ahh, we have no risk, it's a non issue", then using root full time isn't a step away.

It looks like there's 2 directions.. either accept and move forward in whatever ways are possible, which didn't seem like it's happening, or go moving backward, in which case the very easiest thing is to just run as root which actually makes all parts of all of this numerous levels of easier.
well said zcot!

ps. bolded text in quote I added for emphasis and what I also consider the decision really is all about, and since gksu/gksudo is deprecated due to a remotely exploitable network accessible vulnerability, definitely makes for the argument to 'why not just run as root always'...
So if I am understanding you correctly. You both are saying any distro not just Mint that has gksu installed, should be run as root. That makes no sense to me. Couldn't you just block gksu from communicating with a firewall?


When I had 18.3 Linux mint xfce on both systems. I did banking with gksu installed.
redlined

Re: gksu (gksudo) issues plus other comments

Post by redlined »

patday8472 wrote:
Sat Jan 26, 2019 7:13 pm
So if I am understanding you correctly. You both are saying any distro not just Mint that has gksu installed, should be run as root. That makes no sense to me. Couldn't you just block gksu from communicating with a firewall?


When I had 18.3 Linux mint xfce on both systems. I did banking with gksu installed.
First, "You both are saying any distro not just Mint that has gksu installed, should be run as root." is not something I said, zcot said, nor did either of us imply. reread the part I bolded from my quote of zcot a bunch of times- it will eventually become clearer, i swaer... the hypothetical situational question (if that makes sense to you, it does to me and I can elaborate if you need me to) is:

"Why not just run as root instead?" (sans sarcasm, it is a totally legit question, reread it!)

and really, why not? if you have determined you will never be vulnerable to the exploit behind a package that basically gets it pulled from huge base distros (e.g. ermmm/gosh, Debian and Ubuntu) then why not take full responsibility for your decision and simply run all as root.

Please know I do not care what you do and will support you(r) decisions regardless, even help you do something entire community demeans or cautions against because I am not your system vigilance, you are... ask me how and I will do my best to help, and explain my thought process (which makes for very long threads at times;) since I do not have Linux experience. but for sure I have some common sense and honesty in ability and I do try to clearly communicate both every time I initially respond to any on these forums.

next:

Speaking for myself only, if other distros are running critical level vulnerable packages then shame is on the distro devs, primarily, as well on the user for continuing to do so- especially when made aware of such a remote&network exploitable package, if precautions are not taken and enforced.

Firewalling may be an option, but really- what makes you think even a simple and semi-safe task such as browsing internets with an internet browser doesn't subject you to dangerous scripts (which could evoke the vulnerability). My questions are to the general populace, if you have protections setup and working on your own then it simply does not apply... but these forums are public readable and built in to Linux Mint on where to go to get help.

for me it is not a race to patch and protect any more, it is simple- there are other options...and they may not be as convenient but you are no longer vulnerable due to outdated and unmaintained packages designed to give a user (any user) root level privileges...

and really, what could be the issue over inconvenience? with gksu wrappers in pkexec or other commands to do what you wanted to do before? It sounds more like an exercise in laziness to avoid change, while taking on the burden of security for system by self instead of package and distro maintainers doing it for you. Trust Linux, trust Windows, trust Mac, it don't matter who you trust, but you are going to need to trust someone- or validate all the code yourself and compile your own version of secure OS.

as far as using gksu in LM18.3 XFCE I cannot comment. I do clearly recall having to interpret commands I was seeing in these forums when I was a brand new install fella of LM18.3 Cinnamon (and later 18.3 Mate) because I did not have gksu and gedit (two commands I recall trouble doing from last Spring, first install of Linux in ten years, being LM18.3).
I do not know why nor how you were able to gksu your banking needs in 18.3 XFCE, unless you had a wrapper effect for some other command underneath which you were unawares of. I'd consult the various packages and all change logs to determine if I need to yell at someone for leaving me vulnerable for so long, or humble down and see how dev's smoothed the transition of an insecure package out to a more secure package in. Otherwise I have no experience with the old ways and feel fresh, and safe(r) knowing the new ways require an additional step- or a change in command, to keep my system safe(r).
:idea: hope this helps~
patday8472
Level 2
Level 2
Posts: 56
Joined: Mon Dec 24, 2018 2:08 pm

Re: [solved] gksu (gksudo) issues plus other comments

Post by patday8472 »

I am not trying to be rude. I am just trying to understand. I obviously misunderstanding redlined & zcot posting. I am totally confused.

LuvNix it is not a drama, I am just trying to understand their running as root example if gksu is installed. Like I said, I am totally confused.

However, if firewall or any program will block gksu from the web. I see no issue. The Debian bug report should be change to install a firewall or program that blocks gksu from the web.
User avatar
smurphos
Level 17
Level 17
Posts: 7332
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [solved] gksu (gksudo) issues plus other comments

Post by smurphos »

patday8472 wrote:
Fri Jan 25, 2019 3:34 pm
Some people like MDM themes. I liked Spacerace login-theme.
I've modded the guide to install mdm on 19.x so it no longer requires gksu at all and uses pkexec - viewtopic.php?p=1507275#p1507275
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
patday8472
Level 2
Level 2
Posts: 56
Joined: Mon Dec 24, 2018 2:08 pm

Re: [solved] gksu (gksudo) issues plus other comments

Post by patday8472 »

LuvNix & others. There is fix for the MDM themes here that doesn't use gksu in 19.x viewtopic.php?f=90&t=274884

I also made a tip to getting it working in Xubuntu 18.04 as well without gksu installed.

Edit to add this:

Create a blank file tittled .bash_aliases in /home/user/
Open .bash_aliases (You may need to unhide files)
Put this there in the file including the ' this will need to be done for each user.

Code: Select all

alias gksu='pkexec'
alias gksudo='pkexec'
Reboot
User avatar
MtnDewManiac
Level 6
Level 6
Posts: 1478
Joined: Fri Feb 22, 2013 5:18 pm
Location: United States

Re: [solved] gksu (gksudo) issues plus other comments

Post by MtnDewManiac »

LuvNix wrote:
Sun Jan 27, 2019 1:50 pm
Which believe they are referring to people installing a malicious extension pack for Virtualbox from some unknown source.
Doesn't it (the existence of a means for elevating privileges) apply more generally here, too? By that I mean wouldn't any piece of code that someone can convince the user to give root privileges to be a potential entry for "maliciousness?" If I created something that recorded all your keystrokes and then packaged it and sent it off to my email address, convinced you to run it with root privileges, something like that? (I can't, and wouldn't even if I could!)

IF that's the case, then, yes, we should depend only on trusted sources. But here's a thing. The version of Mint that I am currently running shows 50,175 packages listed in Synaptic Package Manager, although some of that comes from PPAs(*). Are ALL 50,175 (less the PPA content) vetted by someone? If so, who? Is all of it compiled from source by that someone, or...? If the answer is, "YES," and the someone is Clem and his team of Mint developers, whoever the Ubuntu developers are, whoever the Debian developers are, or some combination of them then... Well, I suppose we're already trusting those folks, lol, because we are running their software right now, the OS/DE/etc. But is that really how it works, someone or some combination of someones from those three groups of people personally vets all the source code for ALL of those files, compiles same, and that's what makes up our repository content? If not, WHY not?

(*)PPAs :roll: . The maintainers of those things are presumed to be as pure as the driven snow, so to speak - but it's really anyone's guess unless/until someone (again, someone we trust) vets the stuff. And even if every single file in every single PPA is checked, tested, et cetera... That process cannot happen in an instant, lol, so it seems to me that there will always be some kind of window during which the possibility exists that someone will spike our wheels before they are discovered. Yes? No?

I just found myself typing this in another thread here: The more I think about this stuff, the LESS secure I feel. I do at least try to wait a few days before installing updates via mintUpdate, but I don't really know if that helps.

Regards,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
patday8472
Level 2
Level 2
Posts: 56
Joined: Mon Dec 24, 2018 2:08 pm

Re: [solved] gksu (gksudo) issues plus other comments

Post by patday8472 »

At first people has issues with github but it is gaining better support. I have used github few times.

I also installed grub-customizer, palemoon, seamonkey all from a 3rd party PPA. Even Google Chrome and Opera Browser use PPA. I now even use wineHQ PPA.

I personally think ppas should be ok to install. Try to make sure they are reputable if at all possible. I think I asked on another forum, what if you want the software that not available on your distro. Their answer was to compile it. I always have trouble compiling. I can't remember what other software I did. Most times I failed. I did firefox or seamonkey but that worked because it was already partial compiled.


Edited-to be more clear.
Last edited by patday8472 on Mon Jan 28, 2019 10:43 pm, edited 2 times in total.
User avatar
smurphos
Level 17
Level 17
Posts: 7332
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [solved] gksu (gksudo) issues plus other comments

Post by smurphos »

patday8472 wrote:
Sun Jan 27, 2019 9:28 pm
At first people has issues with github but it is gaining better support. I have used github few times.

I also installed grub-customizer, palemoon, seamonkey all from a 3rd party PPA. Even Google Chrome and Opera Browser use PPA. I know even use wineHQ PPA.
There is are subtle differences between a PPA (Personal Package Archive) and a third party repository. The former may or may not be an official (i.e endorsed or maintained by the original developer(s)) distribution method for a particular piece of software, the latter is more likely to be (although again not always although most of the big alternative third party repos like removed have died). PPA maintainers are normally individuals not organisations. For me that has an impact on how critically I examine the contents/maintainer's credentials before installing the PPA (i.e. I'll look more closely at a PPA than an official repo). It's always going to be a gamble though. As is turning on your PC in the morning, eating a meal cooked by someone else, crossing the road, or jumping in your car to drive to work :wink: All things people do having (normally sub-consciously) risk assessed the situation based on their knowledge and prior experience. Same goes for software from sources both official and unofficial and whether or not to trust it but your risk assessment should be a conscious one.

Moving back to the original topic of this thread - there is another thread on the go where a user is desperate to get another abandoned third party app installed on 19.x - Peerguardian. It's got a PPA but development stopped at xenial. It's debs install fine in 19.x though. And guess what - out of the box it wants gksu and it uses it to elevate privileges to download block-lists from the internet and apply them as ip-table rules. The user never sees the file names. Sounds like it might be a scenario where this vulnerability could potentially be exploited.

Now looking at the changelogs I think the latest libgksu versions from Ubuntu were hardened slightly against this security vulnerability but I don't have the necessary expertise to fully understand the security vulnerability, whether my understanding of the changelogs is correct, or to tear down the Peerguardian source to see if they override the measures in their use of gksu. Given my limited knowledge my personal risk assessment says 'No' to advising the user to find and install gksu as a solution to getting it working on 19.x. Luckily the app in it's settings allows to set an alternative and a pkexec based alternative seems to work OK.

And in general why install gksu with a known vulnerability when there is a perfectly working if unfamiliar to many alternative. One that is actually quite end-user configurable and versatile. E.g never want to have to enter your password to open nemo as root? Easily done - https://wiki.archlinux.org/index.php/Po ... ord_prompt
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
Post Reply

Return to “Other topics”