Differences between gksudo/kdesudo, sudo, and su


Re: Differences between gksudo/kdesudo, sudo, and su

Post by xenopeek » Sat Sep 16, 2017 2:40 am

vladtepes wrote:
Perhaps for the sake of clarity you could more precisely define what you mean by "graphical programs" please?
(Do you mean any programs that have a GUI, and if so why would you be running these from the command line anyway?)
Programs with a graphical user interface, as opposed to programs that only output text on the terminal window.

Sometimes you may need to run a graphical program as root, for example your file manager to be able to move files in system directories. You could start such a program from the terminal with a command like "gksudo program" to run it as root. Unfortunately some people obliviously use, or recommend others to use, "sudo program" to run graphical programs as root. As explained above, using "sudo program" to run a graphical program as root can change ownership of files in your home directory to root, which can then lead to problems if you run the program normally (not as root). See the forums for examples :wink:

This topic summarizes the differences and can be linked to as explanation.
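
An added example, not part of the original post: shell functions that list anything under a home directory not owned by the expected user, which is what a graphical program started with plain "sudo program" can leave behind. The function names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# foreign_owned DIR UID
# Print every entry under DIR whose owner is not UID, one path per line.
# -xdev keeps find on one filesystem so mounted shares are not walked.
foreign_owned() {
    find "$1" -xdev ! -user "$2" -print 2>/dev/null
}

# report DIR UID
# Show owner and mode of each mismatch. Returns 0 when DIR is clean, 1 otherwise.
report() {
    found=$(foreign_owned "$1" "$2")
    if [ -z "$found" ]; then
        echo "OK: everything under $1 is owned by uid $2"
        return 0
    fi
    echo "Not owned by uid $2:"
    printf '%s\n' "$found" | while IFS= read -r p; do
        ls -ld -- "$p"
    done
    echo 'To hand a file back: sudo chown "$(id -un):$(id -gn)" FILE'
    return 1
}

# Scan the caller's own home directory only when asked to.
if [ "${1:-}" = "--scan" ]; then
    report "$HOME" "$(id -u)"
fi
```

Run it with `--scan` as the normal user, not with sudo, so that `$HOME` and `id -u` refer to the account being checked.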

Re: Differences between gksudo/kdesudo, sudo, and su

Post by vladtepes » Tue Sep 19, 2017 1:52 am

Thank you. :)

Re: Differences between gksudo/kdesudo, sudo, and su

Post by Pjotr » Sun Apr 29, 2018 3:00 pm

How does pkexec fit into this comparison?

Re: Differences between gksudo/kdesudo, sudo, and su

Post by xenopeek » Sun Apr 29, 2018 4:34 pm

It kinda doesn't. pkexec can be used to run command line programs as another user, similar to how sudo does it, though likely your desktop environment will come with a GUI password prompt for polkit (the "authentication agent") like gksudo. It can also be used to run GUI programs as another user but only if there is a configured policy specifically for that program that allows for this. In that respect it differs from gksudo, which works for any GUI program without need for policy configuration per program. Note that the pkexec manual discourages configuring policies for GUI programs to allow for this; it is only intended for legacy programs.

polkit goes much further than sudo and gksudo though. Instead of running the entire program as root because it may need to do some user requested action for which it needs privileges, the program would be written such that those actions would be in a separate daemon process. The program can then just run as the user themselves (not needing sudo, gksudo or pkexec) and only when the user requests that action would the unprivileged program communicate with the privileged daemon process (e.g., through D-Bus) to request that action on the user's behalf and the polkit authentication agent would prompt the user to authorize the action.

The default pkexec policy is configured in /usr/share/polkit-1/actions/org.freedesktop.policykit.policy. It allows for pkexec to run non-GUI programs as other users. Same as sudo but with a GUI password prompt like gksudo. But ideally programs actually use polkit and thus split code that needs to run with privileges off into a separate daemon process so that the bulk of the program can always run unprivileged and there's no need for pkexec.

Anyway, that's my understanding of polkit right now from going through https://www.freedesktop.org/software/po ... cs/latest/. I likely mixed some things up here so any feedback is welcome.

Re: Differences between gksudo/kdesudo, sudo, and su

Post by Flemur » Sun Apr 29, 2018 7:36 pm

I've been using this in fluxbox menus as a replacement for "gksudo", also tested in terminal, and it seems to act just like "gksudo" ("sudo -H" did not):

```sh
#!/bin/sh
#
# Use this when gksu goes away.
#
# sudo -H sets HOME to the target user's (root's) home directory.
xfce4-terminal --command="sudo -H -i -u root bash -c '$*' &" --geometry=45x10
```

Re: Differences between gksudo/kdesudo, sudo, and su

Post by Pjotr » Mon Apr 30, 2018 6:07 am

Thanks for answering! So roughly: pkexec behaves like gksudo, but it does require a previous authorization file (policy) for each application in /usr/share/polkit-1/actions/.

In essence, pkexec seems to be a sort of a "hack" for legacy applications that can't use the fine-grained security options (mainly the limitation of the root authority to the processes that need them) that PolicyKit offers. Like gksudo, pkexec makes all processes of the application run as root. So pkexec is not safer than gksudo.

admin:// allows for an easy way to use text editor Gedit (and so far, only Gedit) with root permissions in order to edit existing system configuration files, and also operates roughly the same as gksudo.

An interesting difference with gksudo: for pkexec and admin://, apparently you don't need to be part of the "sudo" group.
Last edited by Pjotr on Mon Apr 30, 2018 7:48 am, edited 1 time in total.
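
An added example, not part of the original posts: xenopeek and Pjotr both note that pkexec only runs a GUI program when a policy for that program exists under /usr/share/polkit-1/actions/. The shell function below lists which programs such policies name, using the org.freedesktop.policykit.exec.path and org.freedesktop.policykit.exec.allow_gui annotations from the pkexec manual; the function names and the sample policy are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the thread). Function names and the sample policy
# are constructed; assumes one <annotate> element per line.

# pkexec_policies [DIR]
# For each action that pins a program with the exec.path annotation, print:
#   policy-file <TAB> program <TAB> yes|no   (yes = exec.allow_gui is true)
pkexec_policies() {
    dir=${1:-/usr/share/polkit-1/actions}
    for f in "$dir"/*.policy; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            /<action[ \t]/ { path = ""; gui = "no" }
            /org\.freedesktop\.policykit\.exec\.path"/ {
                path = $0
                sub(/.*exec\.path">[ \t]*/, "", path)
                sub(/[ \t]*<\/annotate>.*/, "", path)
            }
            /org\.freedesktop\.policykit\.exec\.allow_gui"/ {
                if ($0 ~ />[ \t]*true[ \t]*</) gui = "yes"
            }
            /<\/action>/ {
                if (path != "") print file "\t" path "\t" gui
                path = ""
            }
        ' "$f"
    done
}

# write_sample DIR: constructed policy with one GUI and one non-GUI action.
write_sample() {
    cat > "$1/org.example.demo.policy" <<'EOF'
<policyconfig>
  <action id="org.example.demo.editor">
    <defaults><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/demo-editor</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="org.example.demo.helper">
    <defaults><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/demo-helper</annotate>
  </action>
</policyconfig>
EOF
}

if [ "${1:-}" = "--installed" ]; then pkexec_policies; fi
```

Rows ending in "yes" are the programs that pkexec will start with access to the user's display; the default action in org.freedesktop.policykit.policy has no exec.path annotation and is not listed.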

Re: Differences between gksudo/kdesudo, sudo, and su

Post by Cosmo. » Mon Apr 30, 2018 7:24 am

Pjotr wrote:
Mon Apr 30, 2018 6:07 am
An interesting difference with gksudo: for pkexec and admin://, apparently you don't need to be part of the "sudo" group.
Yes and no. If the user is not a member of sudo, he gets asked for the password of a sudo member - which he should not have, otherwise he could also use this account directly from the login window and the account differentiation has lost its meaning. (Tested with synaptic in LM 18.3.)


Re: Differences between gksudo/kdesudo, sudo, and su

Post by Pjotr » Mon Apr 30, 2018 7:52 am

Cosmo. wrote:
Mon Apr 30, 2018 7:24 am
Pjotr wrote:
Mon Apr 30, 2018 6:07 am
An interesting difference with gksudo: for pkexec and admin://, apparently you don't need to be part of the "sudo" group.
Yes and no.
In German: jein. :lol:
I use the expression "jein" quite a lot, because I like it. In Dutch it would be "jeen" or "jee", but those don't exist....
If the user is not a member of sudo, he gets asked for the password of a sudo member - which he should not have, otherwise he could also use this account directly from the login window and the account differentiation has lost its meaning. (Tested with synaptic in LM 18.3.)
Correct. It's not a security difference; only a usability difference...

Re: Differences between gksudo/kdesudo, sudo, and su MINT19 ??

Post by pgmer6809 » Fri Sep 21, 2018 2:23 am

As of Mint19 there is no mention in synaptic of any of gksudo or gksu or pkexec. So what are we supposed to use instead?
pgmer6809


Re: Differences between gksudo/kdesudo, sudo, and su MINT19 ??

Post by smurphos » Fri Sep 21, 2018 2:46 am

pgmer6809 wrote:
Fri Sep 21, 2018 2:23 am
As of Mint19 there is no mention in synaptic of any of gksudo or gksu or pkexec. So what are we supposed to use instead?
pgmer6809
pkexec is preinstalled in Mint 19 as part of the policykit-1 package

```console
$ whereis pkexec
pkexec: /usr/bin/pkexec /usr/share/man/man1/pkexec.1.gz
$ dpkg -S /usr/bin/pkexec
policykit-1: /usr/bin/pkexec
$ apt show policykit-1
Package: policykit-1
Version: 0.105-20ubuntu0.18.04.1
Priority: optional
Section: admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 446 kB
Depends: dbus, libpam-systemd, libc6 (>= 2.7), libglib2.0-0 (>= 2.37.3), libpam0g (>= 0.99.7.1), libpolkit-agent-1-0 (= 0.105-20ubuntu0.18.04.1), libpolkit-backend-1-0 (= 0.105-20ubuntu0.18.04.1), libpolkit-gobject-1-0 (= 0.105-20ubuntu0.18.04.1)
Breaks: gdm3 (<< 3.8.4-7~)
Homepage: https://www.freedesktop.org/wiki/Software/polkit/
Task: ubuntu-desktop, print-server, cloud-image, server, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-gtk-core, lubuntu-desktop-share, lubuntu-gtk-desktop, lubuntu-gtk-desktop, lubuntu-core, lubuntu-core, lubuntu-desktop, lubuntu-qt-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Supported: 5y
Download-Size: 53.4 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
Description: framework for managing administrative policies and privileges
 PolicyKit is an application-level toolkit for defining and handling the policy
 that allows unprivileged processes to speak to privileged processes.
 .
 It is a framework for centralizing the decision making process with respect to
 granting access to privileged operations for unprivileged (desktop)
 applications.

N: There is 1 additional record. Please use the '-a' switch to see it
```


Re: Differences between gksudo/kdesudo, sudo, and su

Post by pgmer6809 » Fri Sep 21, 2018 8:34 pm

How about MINT19?
synaptic shows no hits looking for gksu, gksudo, or pkexec?
So what should we use instead?
pgmer6809


Re: Differences between gksudo/kdesudo, sudo, and su

Post by smurphos » Sat Sep 22, 2018 1:00 am

pgmer6809 wrote:
Fri Sep 21, 2018 8:34 pm
How about MINT19?
synaptic shows no hits looking for gksu, gksudo, or pkexec?
So what should we use instead?
pgmer6809
Refer to my post above and read through the whole thread. You've already got pkexec preinstalled in Mint 19 - it is provided by the policykit-1 package in synaptic. Also read here - viewtopic.php?f=61&t=268140


Re: Differences between gksudo/kdesudo, sudo, and su

Post by pgmer6809 » Sat Sep 22, 2018 10:21 pm

OK Thanks. Sorry for the dbl post, I did not see my first one (or your reply) show up so I entered the same content again.
pgmer6809


Re: Differences between gksudo/kdesudo, sudo, and su

Post by BG405 » Sun Sep 23, 2018 11:02 am

smurphos wrote:
Sat Sep 22, 2018 1:00 am
You've already got pkexec preinstalled in Mint 19
Seems it's also present by default in Mint 18.x and also 17.3 - just checked using man pkexec - possibly all the 17.x series, so it's been around for a while, just that it hasn't really been utilized until now.