Xwayland not using XAUTHORITY, prevents root applications from connecting

Bug #1652282 reported by Nikita Yerenkov-Scott on 2016-12-23
This bug affects 18 people
Affects            Status         Importance   Assigned to   Milestone
GParted            Fix Released   High
Ubuntu GNOME                      High         Unassigned
gdm                Confirmed      Medium
gdm3 (Ubuntu)                     Undecided    Unassigned
gparted (Ubuntu)                  High         Unassigned

Bug Description

When running wayland, GDM fails to set up an XAUTHORITY file and instead
relies on the process UID for authentication. This prevents
applications run as root, like gparted or synaptic from connecting to
the server. GDM needs to set up the XAUTHORITY file when running
Xwayland just like it does when it runs the conventional Xorg.

A large list of applications broken by this can be found here:

https://codesearch.debian.net/search?q=Exec%3Dsu-to-root+filetype%3Adesktop+path%3A*%2Fapplications%2F*&perpkg=1

Changed in gparted:
importance: Unknown → Medium
status: Unknown → Confirmed
Phillip Susi (psusi) wrote :

And can you run any other Xwindows app as root? What if you try running gpartedbin directly from a root shell?

Changed in gparted (Ubuntu):
status: New → Incomplete

No, this is a security feature in Wayland; it's not meant to allow windows to run as root. This has already been established in the upstream report.

Phillip Susi (psusi) on 2017-02-07
summary: - GParted fails to run as root under Wayland
+ Wayland default policy prohibits root applications
affects: gparted (Ubuntu) → wayland (Ubuntu)
Changed in wayland (Ubuntu):
status: Incomplete → New

@Phillip, This is an intended policy and it is there for security reasons so rather than decreasing security standards, I think it would be best for GParted to simply meet them.

Jeremy Bicha (jbicha) wrote :

It was announced today that the Ubuntu Desktop Team currently intends to default to GNOME on Wayland for Ubuntu 18.04 LTS.

tags: added: wayland
removed: gnome3-ppa third-party-packages yakkety
affects: wayland (Ubuntu) → gparted (Ubuntu)
Changed in gparted (Ubuntu):
importance: Undecided → High
status: New → Triaged
summary: - Wayland default policy prohibits root applications
+ GParted does not work in GNOME on Wayland
Changed in ubuntu-gnome:
status: New → Triaged
importance: Undecided → High
Changed in gparted:
importance: Medium → High
Phillip Susi (psusi) wrote :

GParted, and plenty of other applications must be run as root, period. Wayland needs to accommodate this just as X always has.

summary: - GParted does not work in GNOME on Wayland
+ Wayland default policy prohibits root applications
affects: gparted (Ubuntu) → wayland (Ubuntu)
Jeremy Bicha (jbicha) wrote :

Phillip, please stop changing the bug title because the original bug title was correct.

GParted can be changed to make admin changes without having to run the entire UI as root.

Do you want to discuss this in #ubuntu-desktop on IRC or on the ubuntu-desktop mailing list?

@Phillip, Wayland actually does accommodate it, I have an Arch system where it works perfectly fine with running GParted as root. The reason it doesn't work on Ubuntu is not completely because of Wayland, but rather because of how Wayland has been set up by the Ubuntu GNOME team. Which is intentional for security. I don't know, but you might be able to disable this since it's probably somewhere in the configuration. I don't know, I just know that on Arch there is no issue with this with the standard Wayland.

summary: - Wayland default policy prohibits root applications
+ GParted does not work in GNOME on Wayland
no longer affects: wayland (Ubuntu)
Changed in gparted (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) on 2017-04-24
Changed in gparted (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged

Same problem on Ubuntu 17.10 GNOME Wayland

corrado@corrado-HP-aGnome:~$ uname -a
Linux corrado-HP-aGnome 4.10.0-20-generic #22-Ubuntu SMP Thu Apr 20 09:22:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
corrado@corrado-HP-aGnome:~$ gparted
Root privileges are required for running gparted.
corrado@corrado-HP-aGnome:~$ sudo gparted
[sudo] password for corrado:
Created symlink /run/systemd/system/-.mount → /dev/null.
Created symlink /run/systemd/system/boot-efi.mount → /dev/null.
Created symlink /run/systemd/system/run-user-1000.mount → /dev/null.
Created symlink /run/systemd/system/run-user-120.mount → /dev/null.
Created symlink /run/systemd/system/tmp.mount → /dev/null.
No protocol specified

(gpartedbin:2315): Gtk-WARNING **: cannot open display: :0
Removed /run/systemd/system/-.mount.
Removed /run/systemd/system/boot-efi.mount.
Removed /run/systemd/system/run-user-1000.mount.
Removed /run/systemd/system/run-user-120.mount.
Removed /run/systemd/system/tmp.mount.
corrado@corrado-HP-aGnome:~$

Mike Fleetwood (mfleetwo) wrote :

@Nikita, Can you point me at any details on how your Arch Linux system
allows GParted to run as root under Wayland. On my Arch Linux VM with
GNOME on Wayland and GParted package I still have to do
"xhost +SI:localuser:root" to allow root processes to connect to the
XWayland display.

@Mike, I am afraid that I don't know, all I know is it worked as I described previously until a recent update and now GParted no longer runs as root under Wayland. So it was either a bug they fixed, a new feature implemented in some way, or they changed the default configuration. If I find out the answer, I will let you know.

sudodus (nio-wiklund) wrote :

I see the same problem in Ubuntu Artful (to become 17.10), when running with Wayland. See the following links

https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1706146

https://ubuntuforums.org/showthread.php?t=2366995

Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1652282

tags: added: iso-testing
tags: added: artful
Changed in gparted:
status: Confirmed → Fix Released
steve lubbs (slubbs) wrote :

Gparted does not work as of 17.10 with updates up to 10/27/2017. What gives??

Gustav Ekner (gustav-ekner) wrote :

The issue is fixed in gparted version 0.30, but not in the latest ubuntu package which is of version 0.28 in artful. Also, according to https://bugzilla.gnome.org/show_bug.cgi?id=776437, the package must be compiled with --enable-xhost-root. It would be great if the maintainer (Curtis Gedak) could take a look at this.

Jeremy Bicha (jbicha) wrote :

Actually, Ubuntu is unlikely to enable that hack. Please just log in to Ubuntu on Xorg if you want to run GParted. Or try the GNOME Disks app which is installed by default and works with Wayland.

Jose Barakat (josebarakat) wrote :

Same thing...

jose@jose-Lenovo-G400s:~$ uname -a
Linux jose-Lenovo-G400s 4.13.4-041304-generic #201709270931 SMP Wed Sep 27 13:35:03 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

jose@jose-Lenovo-G400s:~$ echo $DISPLAY
:0

Phoronix Test Suite v7.4.0
Interactive Benchmarking
System Software / Hardware Information
Hardware:
Processor: Intel Core i3-3110M @ 2.40GHz (4 Cores), Motherboard: LENOVO, Chipset: Intel 3rd Gen Core DRAM, Memory: 6144MB, Disk: 500GB Seagate ST500LT012-9WS14 + 16GB Cruzer Edge, Graphics: Intel Ivybridge Mobile 1536MB (1000MHz), Audio: Conexant CX20757, Network: Qualcomm Atheros QCA8172 Fast + Qualcomm Atheros AR9485 Wireless
Software:
OS: Ubuntu 17.10, Kernel: 4.13.4-041304-generic (x86_64), Desktop: GNOME Shell 3.26.1, Display Server: Wayland, Display Driver: modesetting 1.19.3, OpenGL: 4.2 Mesa 17.2.2, Compiler: GCC 7.2.0, File-System: ext4, Screen Resolution: 1366x768

jose@jose-Lenovo-G400s:~$ sudo gparted
[sudo] password for jose:
Created symlink /run/systemd/system/-.mount → /dev/null.
Created symlink /run/systemd/system/media-jose-myData.mount → /dev/null.
Created symlink /run/systemd/system/media-jose-SanDisk16GB.mount → /dev/null.
Created symlink /run/systemd/system/run-user-1000.mount → /dev/null.
Created symlink /run/systemd/system/snap-anbox\x2dinstaller-17.mount → /dev/null.
Created symlink /run/systemd/system/snap-core-2898.mount → /dev/null.
Created symlink /run/systemd/system/snap-core-3017.mount → /dev/null.
Created symlink /run/systemd/system/snap-core-3247.mount → /dev/null.
Created symlink /run/systemd/system/snap-wavebox-26.mount → /dev/null.
Created symlink /run/systemd/system/snap-wavebox-32.mount → /dev/null.
Created symlink /run/systemd/system/tmp.mount → /dev/null.
No protocol specified

(gpartedbin:12371): Gtk-WARNING **: cannot open display: :0
Removed /run/systemd/system/-.mount.
Removed /run/systemd/system/media-jose-myData.mount.
Removed /run/systemd/system/media-jose-SanDisk16GB.mount.
Removed /run/systemd/system/run-user-1000.mount.
Removed /run/systemd/system/snap-anbox\x2dinstaller-17.mount.
Removed /run/systemd/system/snap-core-2898.mount.
Removed /run/systemd/system/snap-core-3017.mount.
Removed /run/systemd/system/snap-core-3247.mount.
Removed /run/systemd/system/snap-wavebox-26.mount.
Removed /run/systemd/system/snap-wavebox-32.mount.
Removed /run/systemd/system/tmp.mount.

jose@jose-Lenovo-G400s:~$ sudo synaptic
No protocol specified
Unable to init server: Could not connect: Connection refused

(synaptic:12450): Gtk-WARNING **: cannot open display: :0

jose@jose-Lenovo-G400s:~$ synaptic
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Segmentation fault (core dumped)

[Note: Synaptic without sudo didn't start, but crashed]

jose@jose-Lenovo-G400s:~$ sudo nautilus
No protocol specified
Unable to init server: Could not connect: Connection refused

jose@jose-Lenovo-G400s:~$ nautilus
sys:1: PyGIWarning: Nautilus was imported without specifying a version first. Use gi.require_version('Nautilus', '3.0') before import to ensure that the right version gets loaded.
Nautilus-Share-Message: Called "net usershare info" but it failed: Failed to...

Phillip Susi (psusi) wrote :

It appears to me that the issue is with gdm3. Its man page says it is supposed to create an XAUTHORITY file and set the environment variable to point to it. When running wayland, it does not do this and instead relies on authenticating clients by the UID of the process. It should not be doing this.

Changed in gparted (Ubuntu):
status: Triaged → Invalid
summary: - GParted does not work in GNOME on Wayland
+ Xwayland not using XAUTHORITY, prevents root applications from
+ connecting
description: updated
Jeremy Bicha (jbicha) wrote :

Philip, please file a bug with GNOME about that issue.

Dave Stroud (bigdavesr) wrote :

(xhost si:localuser:root) is a workaround I found on a Fedora forum. The only problem is it has to be used every time you boot up. This is happening with any program that uses root. It is a game breaker for Wayland.

sudodus (nio-wiklund) wrote :

@Dave Stroud,

If you spend a few minutes to create/install/modify some file(s), for example 'gks' according to my previous comment, you need not type 'xhost si:localuser:root' every time you boot up.

1. Some of us think that this is an unnecessary complication or worse,

2. Some of us think that it is an important step to increase the security,

to prevent GUI programs to run with elevated permissions. The developers of Wayland belong to the second group ;-)

-o-

I think that the main linux distros will gradually adjust to the opinion of their users ...

Phillip Susi (psusi) wrote :

It is a shame that you are unwilling to make a simple configuration change to prevent a completely broken experience for your users. People get very frustrated when they try to open an application and nothing happens. No error message; nothing. All because of a silly default policy. This is not a very Ubuntu thing to do.

I am afraid that this is a Wayland security feature and that it is not going to be removed just because some users don't like it or don't understand why it is there. As a workaround you can just carry on using Xorg, but under Wayland the program has to be adapted in order not to run the whole program and GUI as root but rather just the specific things within it that need that.

I'm not sure that there actually is anything the Ubuntu people can actually do about this though unless they hack at Wayland and make it less secure. If you want to change Wayland then file an upstream report about this. Ubuntu is really just packaging and redistributing this stuff.

Changed in gparted (Ubuntu):
status: Invalid → Confirmed
summary: - Xwayland not using XAUTHORITY, prevents root applications from
- connecting
+ GParted does not work in GNOME on Wayland
tags: added: yakkety
description: updated

So, basically, Wayland doesn't allow something really insecure where the whole GUI and everything has root privileges, so it doesn't allow insecure applications to gain root access, however a program can be easily adapted (depending on how it's written) in order to be secure and then you will be able to run it as normal under Wayland. For instance etherape recently got adapted and you just have to now run it like so "sudo etherape -Z username" and then it runs in a way Wayland finds secure and thus it runs as normal as a GUI program but it just runs the GUI as the normal specified user and only the necessary components as root.

Anyway, has GParted upstream released a fix for this? Programs just have to match the new security standards in order to run. That's all, they will have to change and then your experience will be fine again. But I don't think you're going to be able to lessen the Wayland standards, instead take this up with the other developers so that they make their programs meet those standards.

sudodus (nio-wiklund) wrote :

@Nikita Yerenkov-Scott,

I think your comments about Wayland and security are explaining things in a very good way.

I have already tried to think and act along these ideas: the current version of mkusb works in Wayland. Originally I made it work remotely via ssh by running things that need elevated permissions in text mode (simply by calling sub-shell scripts with sudo), while the main shell script is using a GUI. It was not too difficult to do. The mileage might vary depending on the structure of the software.
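The layout Nikita describes for etherape (GUI as the normal user, only the necessary components as root) and the one sudodus describes for mkusb (privileged steps in sub-scripts called with sudo) look like the following, as an added example that is not mkusb's, etherape's or GParted's own code. The helper path, the sudoers rule and the zenity front end are assumptions; the point is that the only root-owned process never loads a GUI toolkit or touches the display, and that it validates what the unprivileged side asks it to do, since that argument is its entire attack surface.

```shell
#!/bin/sh
# disk-helper.sh: privilege-separated layout for a partitioning tool.
# Added example for this thread; not mkusb's, etherape's or gparted's code.
# The two halves would normally be two files: the helper installed root-owned
# and not writable by the user (say /usr/local/libexec/disk-helper, path
# assumed) and the GUI run as the logged-in user. Only the helper runs as root,
# and it carries no GUI toolkit, so nothing root-owned needs the display.

# ---- helper side (root) -------------------------------------------------

# Accept only a whole-disk node name. Rejects partitions, loop devices,
# shell metacharacters and path traversal: the argument arrives from an
# unprivileged process and must be treated as hostile.
valid_disk_name() {                    # $1 = candidate device path
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/vd[a-z]|/dev/nvme[0-9]n[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

helper_main() {                        # $1 = device, nothing else
    PATH=/usr/sbin:/usr/bin:/sbin:/bin # never trust PATH from the caller
    [ "$#" -eq 1 ] || { echo "usage: disk-helper DEVICE" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "disk-helper: must run as root" >&2; return 2; }
    valid_disk_name "$1" || { echo "disk-helper: refusing '$1'" >&2; return 3; }
    [ -b "$1" ] || { echo "disk-helper: $1 is not a block device" >&2; return 4; }
    # The one operation that needs root: read the partition table (read-only).
    sfdisk --dump "$1"
}

# ---- GUI side (unprivileged) ---------------------------------------------
# sudoers rule assumed, so the GUI never blocks on a password prompt (-n):
#   alice ALL=(root) NOPASSWD: /usr/local/libexec/disk-helper
gui_main() {
    dev=$(zenity --entry --title="Disk" --text="Whole-disk device to inspect:") || return 1
    # Same check here only for a friendly error message; the helper's own
    # check is the one that matters, this process is outside the trust boundary.
    valid_disk_name "$dev" || { zenity --error --text="Not a whole-disk device: $dev"; return 1; }
    out=$(sudo -n /usr/local/libexec/disk-helper "$dev" 2>&1) \
        || { zenity --error --text="$out"; return 1; }
    printf '%s\n' "$out" | zenity --text-info --title="Partition table of $dev"
}

# Usage: ./disk-helper.sh --gui   (as the desktop user)
#        ./disk-helper.sh /dev/sdb   (what sudo runs, as root)
case "${1:-}" in
    --gui) gui_main ;;
    '')    ;;
    *)     helper_main "$@" ;;
esac
```

The sudoers rule must name the helper and nothing broader, and the helper must not be writable by the desktop user, otherwise the user simply edits the file that sudo will run as root. Anything the helper does not need (environment, PATH, extra arguments) is dropped before the privileged operation, which is the property the thread says GUI-as-root programs lack.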

Dave Stroud (bigdavesr) wrote :

When has Synaptic package manager ever been a security risk? Wayland allows Software Updater to work, so it should allow Synaptic to work as root. You can't even get a root terminal to work. I do not believe that I should have to do workarounds to make it work. It should just work like it always has.

Jeremy Bicha (jbicha) wrote :

Dave, if you want things to work exactly as they used to work, just log out and log in to the 'Ubuntu on Xorg' session.

Changed in gdm:
importance: Unknown → Medium
status: Unknown → Confirmed
Phillip Susi (psusi) wrote :

No, you misunderstand. Wayland applications running as root work just fine under Wayland. It is X11 applications that do not work, and the reason it does not work is because gdm misconfigures Xwayland. The gdm man page says it does one thing, but it in fact does another, therefore, it is broken.

Changed in gparted (Ubuntu):
status: Confirmed → Invalid
description: updated
Phillip Susi (psusi) on 2017-11-16
summary: - GParted does not work in GNOME on Wayland
+ Xwayland not using XAUTHORITY, prevents root applications from
+ connecting

@Phillip,

Oh, sorry, for some reason the interface messed up and only showed me that you changed the title. Sorry about that, it's now seemingly preventing me for some silly reason from changing the title back. Wonder if you could do that again? Sorry this is a little awkward.

summary: - Xwayland not using XAUTHORITY, prevents root applications from
- connecting
+ GParted does not work in GNOME on Wayland
summary: - GParted does not work in GNOME on Wayland
+ Xwayland not using XAUTHORITY, prevents root applications from
+ connecting

Ok, it worked now.

Jeremy Bicha (jbicha) wrote :

> Wayland applications running as root work just fine under Wayland. It is X11 applications that do not work

I don't think that's true.

@Jeremy, Yes, from what I've heard, that doesn't sound quite right either. However I really have no idea so I'll let you guys deal with this.

Dave Stroud (bigdavesr) wrote :

Wayland is now looking into this. Don't know what they will do yet. In the meantime I have found that if you insert (xhost si:localuser:root) into Startup Applications it will work without having to do it in the terminal every time you start up.

Phillip Susi (psusi) wrote :

No, it is NOT the new standard since as I have said, wayland apps have no issue running as root. Applications will NOT be totally rewritten to split off the parts that need root into a separate program. YOU stop changing the title, YOU are being a nuisance: this does not just affect gparted. In fact, gparted has now worked around the issue by automatically running xhost to fix the broken configuration.

Jeremy, you can easily see it is true by simply suing to root and running any native wayland (gdm3) application (like gedit). It works just fine.

As long as gdm3 continues to NOT perform the Xauthority configuration its man page says it is supposed to, it is a bug in gdm3.

Jeremy Bicha (jbicha) wrote :

$ sudo su
root@mycomputer:/home/me# gedit
No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:4492): Gtk-WARNING **: cannot open display: :0

=====
And that's the problem here. When gparted is ported to gtk3, the xhost workaround will stop working. And there's no incentive for GNOME to fix apps to run as root under XWayland, if they won't be able to under Wayland. GNOME wants to *encourage* apps to upgrade from gtk2 to gtk3 to get native Wayland support, better HiDPI support and several other features and improvements.

Therefore, I'm closing this bug. Sorry.

Changed in ubuntu-gnome:
status: Triaged → Invalid
Changed in gdm3 (Ubuntu):
status: New → Won't Fix
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in balsa (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) on 2017-12-07
affects: wayland → balsa (Ubuntu)
no longer affects: balsa (Ubuntu)
Curtis Gedak (gedakc) wrote :

> And that's the problem here. When gparted is ported to gtk3, the
> xhost workaround will stop working.

When/if GParted is ported to gtk3, THEN the work around can be removed.

In the mean time the xhost workaround enables people to continue using GParted.

On 12/7/2017 3:39 PM, Jeremy Bicha wrote:
> $ sudo su
> root@mycomputer:/home/me# gedit
> No protocol specified
> Unable to init server: Could not connect: Connection refused
>
> (gedit:4492): Gtk-WARNING **: cannot open display: :0

sudo defaults to scrubbing the environment; use sudo -E gedit instead of
sudo su. Or on Debian just use su without the - argument. sudo was
explicitly configured to not scrub DISPLAY so that users can still run
X11 applications after sudoing, but has not been updated to include
WAYLAND_DISPLAY in that list. You can also of course, simply set
WAYLAND_DISPLAY after sudoing to root.

> Therefore, I'm closing this bug. Sorry.

I'm sorry, but as long as the man page for gdm says that it will
configure an XAUTHORITY and it does not, this is ipso facto, a bug,
whatever you think about gui applications running as root.

If this really was an intentional change upstream, they should document
it in the NEWS and man page. I certainly have not been able to find
anything in the changelog or git commit history that indicates this was
intentional, and of course, the man page should be updated to match the
new implementation if it was intended.

Changed in gdm3 (Ubuntu):
status: Won't Fix → New
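The two workarounds traded back and forth above, Mike Fleetwood's and Dave Stroud's `xhost +SI:localuser:root` for X11 clients and Phillip Susi's point that `sudo su` scrubs WAYLAND_DISPLAY while sudo keeps DISPLAY, combine into the following wrapper. It is an added example, not code from gparted, GDM, sudo or xhost, and it assumes the GNOME on Wayland session described in the thread. The grant is scoped to the root UID on the local host and revoked when the program exits, rather than the bare `xhost +` that switches access control off for every client. Whether the compositor accepts a native Wayland client running as root is disputed between Phillip and Jeremy above; the second function only makes sure the environment reaches the root process.

```shell
#!/bin/sh
# root-gui.sh: launch a GUI program as root from a GNOME on Wayland session.
# Added example for this thread; not code from gparted, GDM, sudo or xhost.
#
# X11 case: Xwayland under GDM has no XAUTHORITY cookie and admits clients by
# UID, so a root process is refused ("No protocol specified" in the output
# above). The logged-in user, who owns the display, grants exactly the root
# UID access with xhost for the lifetime of the program and revokes it after.
# Native Wayland case: sudo's env_reset keeps DISPLAY but not WAYLAND_DISPLAY,
# so the socket location is passed to the root process explicitly.

# Does the session need the workaround?  Takes XDG_SESSION_TYPE and
# WAYLAND_DISPLAY as arguments so it can be exercised without a live session.
session_is_wayland() {          # $1 = XDG_SESSION_TYPE, $2 = WAYLAND_DISPLAY
    [ "$1" = "wayland" ] || [ -n "$2" ]
}

# xhost(1) server-interpreted entry for one local UNIX user. Never a bare
# "xhost +", which switches access control off for every client.
xhost_entry() {                 # $1 = user name
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # refuse anything but a plain name
    esac
    printf 'SI:localuser:%s' "$1"
}

# Run an X11 program ("$@") as root, opening and closing the grant around it.
run_x11_as_root() {
    if ! session_is_wayland "${XDG_SESSION_TYPE:-}" "${WAYLAND_DISPLAY:-}"; then
        sudo "$@"               # Xorg session: GDM set XAUTHORITY, nothing to do
        return $?
    fi
    entry=$(xhost_entry root) || return 1
    xhost "+$entry" >/dev/null || { echo "xhost grant failed" >&2; return 1; }
    sudo "$@"                   # sudo keeps DISPLAY, which is all the client needs
    rc=$?
    xhost "-$entry" >/dev/null  # revoke even when the program failed
    return $rc
}

# Run a native Wayland program as root: "sudo su" scrubs WAYLAND_DISPLAY, so
# hand over only the two variables the client needs to find the socket,
# through env(1), instead of the whole caller environment (sudo -E).
run_wayland_as_root() {
    [ -n "${WAYLAND_DISPLAY:-}" ] || { echo "not a Wayland session" >&2; return 1; }
    sudo env "WAYLAND_DISPLAY=$WAYLAND_DISPLAY" \
             "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$@"
}

# Usage: ./root-gui.sh x11 gparted      or      ./root-gui.sh wayland gedit
case "${1:-}" in
    x11)     shift; run_x11_as_root "$@" ;;
    wayland) shift; run_wayland_as_root "$@" ;;
esac
```

Note what this does and does not buy: the grant only lets root-owned processes connect to Xwayland, and it is withdrawn when the program exits, so it is narrower than putting `xhost si:localuser:root` in Startup Applications for the whole session. It does nothing about the objection Jeremy and Nikita raise, a complete GUI toolkit running as root; the privilege-separated layout shown earlier is the fix for that.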
Jeremy Bicha (jbicha) wrote :

It has been widely publicized at least since Fedora 25's release a year ago that GNOME on Wayland does not support running GUI apps as root. It has long been best practice for apps to not do this. Instead of trying to implement clever workarounds, app developers should follow best practice here.

Would you like to submit a patch for sudo? The GDM maintainer Ray Strode rightfully believes that it is wrong (i.e. Won't Fix) to have XWayland support running apps as root as long as Wayland does not. Therefore, someone will need to have a proposed fix for that issue first before worrying about XWayland.

At this point, I don't believe that Ubuntu intends to diverge from upstream on this issue, so to some extent, Won't Fix is appropriate here too. So fix things upstream instead of complaining to Debian and Ubuntu.
