Differences between gksudo/kdesudo, sudo, and su


Re: Differences between gksudo/kdesudo, sudo, and su

Post by xenopeek » Sat Sep 16, 2017 2:40 am

vladtepes wrote:
Perhaps for the sake of clarity you could more precisely define what you mean by "graphical programs" please?
(Do you mean any programs that have a GUI, and if so why would you be running these from the command line anyway?)

Programs with a graphical user interface, as opposed to programs that only output text on the terminal window.

Sometimes you may need to run a graphical program as root, for example your file manager to be able to move files in system directories. You could start such a program from the terminal with a command like "gksudo program" to run it as root. Unfortunately some people obliviously use, or recommend others to use, "sudo program" to run graphical programs as root. As explained above, using "sudo program" to run a graphical program as root can change ownership of files in your home directory to root, which can then lead to problems if you run the program normally (not as root). See the forums for examples :wink:

This topic summarizes the differences and can be linked to as explanation.
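Added example (not part of the original posts): a POSIX shell check for the symptom described in the post above, entries in a home directory that ended up owned by root after a graphical program was run with plain "sudo program". The function names are made up for this example.

```shell
#!/bin/sh
# Added example: find entries under a home directory that are not owned by
# the expected user, the symptom left behind by "sudo <graphical program>".

# foreign_owned DIR [OWNER]
#   Prints one path per line for every entry under DIR whose owner is not
#   OWNER (user name or numeric uid; defaults to the invoking user's uid).
#   -xdev keeps the scan on DIR's own filesystem.
foreign_owned() {
    dir=$1
    owner=${2:-$(id -u)}
    find "$dir" -xdev ! -user "$owner" -print 2>/dev/null
}

# count_foreign_owned DIR [OWNER]: number of such entries.
count_foreign_owned() {
    foreign_owned "$@" | wc -l | tr -d ' '
}

# report DIR [OWNER]: readable summary; returns 1 if anything was found.
report() {
    n=$(count_foreign_owned "$@")
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing under $1 is owned by another user"
        return 0
    fi
    echo "Found $n entries under $1 not owned by ${2:-$(id -un)}:"
    foreign_owned "$@" | while IFS= read -r p; do ls -ld "$p"; done
    return 1
}

# Typical use after sourcing this file:  report "$HOME"
```

Run it as your normal user, not with sudo; anything it lists under dotfile directories such as ~/.config is a candidate for the ownership problem described above.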


Re: Differences between gksudo/kdesudo, sudo, and su

Post by vladtepes » Tue Sep 19, 2017 1:52 am

Thank you. :)

Re: Differences between gksudo/kdesudo, sudo, and su

Post by Pjotr » Sun Apr 29, 2018 3:00 pm

How does pkexec fit into this comparison?

Re: Differences between gksudo/kdesudo, sudo, and su

Post by xenopeek » Sun Apr 29, 2018 4:34 pm

It kinda doesn't. pkexec can be used to run command line programs as another user, similar to how sudo does it, though likely your desktop environment will come with a GUI password prompt for polkit (the "authentication agent") like gksudo. It can also be used to run GUI programs as another user, but only if there is a configured policy specifically for that program that allows for this. In that respect it differs from gksudo, which works for any GUI program without need for policy configuration per program. Note that the pkexec manual discourages configuring policies for GUI programs to allow for this; it is only intended for legacy programs.

polkit goes much further than sudo and gksudo though. Instead of running the entire program as root because it may need to do some user requested action for which it needs privileges, the program would be written such that those actions would be in a separate daemon process. The program can then just run as the user themselves (not needing sudo, gksudo or pkexec) and only when the user requests that action would the unprivileged program communicate with the privileged daemon process (e.g., through D-Bus) to request that action on the user's behalf and the polkit authentication agent would prompt the user to authorize the action.

The default pkexec policy is configured in /usr/share/polkit-1/actions/org.freedesktop.policykit.policy. It allows for pkexec to run non-GUI programs as other users. Same as sudo but with a GUI password prompt like gksudo. But ideally programs actually use polkit and thus split code that needs to run with privileges off into a separate daemon process so that the bulk of program can always run unprivileged and there's no need for pkexec.

Anyway, that's my understanding of polkit right now from going through https://www.freedesktop.org/software/po ... cs/latest/. I likely mixed some things up here so any feedback is welcome.
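Added example (not part of the original posts): a shell audit of the per-program pkexec policies described in the post above, listing which programs have an action file under /usr/share/polkit-1/actions and which of those are allowed to show a GUI as root. It relies on the two annotation keys documented in the pkexec manual; the function names and the com.example.* sample policy are made up for this example.

```shell
#!/bin/sh
# Added example. Parsing is line-based and assumes one XML element per line.
# pkexec_policies [DIR]: print "action-id<TAB>program<TAB>gui|nogui" for each
# action in DIR/*.policy that names a program through the exec.path annotation.
pkexec_policies() {
    dir=${1:-/usr/share/polkit-1/actions}
    for f in "$dir"/*.policy; do
        [ -f "$f" ] || continue
        awk '
            /<action[ \t]+id=/ {
                id = $0; sub(/.*id="/, "", id); sub(/".*/, "", id)
                path = ""; gui = "nogui"
            }
            /policykit\.exec\.path"/ {
                path = $0; sub(/^[^>]*>/, "", path); sub(/<.*/, "", path)
            }
            /policykit\.exec\.allow_gui"/ {
                v = $0; sub(/^[^>]*>/, "", v); sub(/<.*/, "", v)
                if (v != "") gui = "gui"   # pkexec treats any non-empty value as set
            }
            /<\/action>/ {
                if (path != "") printf "%s\t%s\t%s\n", id, path, gui
                path = ""
            }
        ' "$f"
    done
}

# gui_as_root_programs [DIR]: only the programs pkexec may start with a GUI.
gui_as_root_programs() {
    pkexec_policies "$@" | awk -F '\t' '$3 == "gui" { print $2 }'
}

# write_sample_policy DIR: constructed test input (com.example.* is made up).
write_sample_policy() {
    cat > "$1/com.example.sample.policy" <<'EOF'
<policyconfig>
  <action id="com.example.pkexec.editor">
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-editor</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="com.example.pkexec.backup">
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/example-backup</annotate>
  </action>
  <action id="com.example.daemon.set-time"></action>
</policyconfig>
EOF
}
```

Calling gui_as_root_programs with no argument reads the system directory; every path it prints is a program whose whole process, GUI included, runs as root under pkexec.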



Re: Differences between gksudo/kdesudo, sudo, and su

Post by Flemur » Sun Apr 29, 2018 7:36 pm

I've been using this in fluxbox menus as a replacement for "gksudo", also tested in terminal, and it seems to act just like "gksudo" ("sudo -H" did not):

Code:

#!/bin/sh
#
# Use this when gksu goes away.
#
xfce4-terminal --command="sudo -H -i -u root bash -c '$*' &" --geometry=45x10

Re: Differences between gksudo/kdesudo, sudo, and su

Post by Pjotr » Mon Apr 30, 2018 6:07 am

Thanks for answering! So roughly: pkexec behaves like gksudo, but it does require a previous authorization file (policy) for each application in /usr/share/polkit-1/actions/.

In essence, pkexec seems to be a sort of a "hack" for legacy applications that can't use the fine-grained security options (mainly the limitation of the root authority to the processes that need them) that PolicyKit offers. Like gksudo, pkexec makes all processes of the application run as root. So pkexec is not safer than gksudo.

admin:// allows for an easy way to use text editor Gedit (and so far, only Gedit) with root permissions in order to edit existing system configuration files, and also operates roughly the same as gksudo.

An interesting difference with gksudo: for pkexec and admin://, apparently you don't need to be part of the "sudo" group.
Last edited by Pjotr on Mon Apr 30, 2018 7:48 am, edited 1 time in total.

Re: Differences between gksudo/kdesudo, sudo, and su

Post by Cosmo. » Mon Apr 30, 2018 7:24 am

Pjotr wrote:
Mon Apr 30, 2018 6:07 am
An interesting difference with gksudo: for pkexec and admin://, apparently you don't need to be part of the "sudo" group.
Yes and no. If the user is not a member of sudo, he gets asked for the password of a sudo member - which he should not have, otherwise he could also use this account directly from the login window and the account differentiation has lost its meaning. (Tested with synaptic in LM 18.3.)


Re: Differences between gksudo/kdesudo, sudo, and su

Post by Pjotr » Mon Apr 30, 2018 7:52 am

Cosmo. wrote:
Mon Apr 30, 2018 7:24 am
Pjotr wrote:
Mon Apr 30, 2018 6:07 am
An interesting difference with gksudo: for pkexec and admin://, apparently you don't need to be part of the "sudo" group.
Yes and no.
In German: jein. :lol:
I use the expression "jein" quite a lot, because I like it. In Dutch it would be "jeen" or "jee", but those don't exist....
If the user is not a member of sudo, he gets asked for the password of a sudo member - which he should not have, otherwise he could also use this account directly from the login window and the account differentiation has lost its meaning. (Tested with synaptic in LM 18.3.)
Correct. It's not a security difference; only a usability difference...