Unable to launch pkexec'ed applications on Wayland session

This a well known wayland limitation.
The workaround (till the pkexec -> policykit transition is made) is to use xhost script.
Gparted already has an opened bug: https://bugs.launchpad.net/ubuntu/+source/gparted/+bug/1652282
and policykit has to be used, but is not directly concerned as a bug.

@dino99
for me it seems that this

cat <<EOF | sudo tee /etc/xdg/autostart/xhost.desktop
[Desktop Entry]
Name=xhost
Comment=Fix graphical root applications
Exec="xhost +si:localuser:root"
Terminal=false
Type=Application
EOF

should be added to the default installation.

Status changed to 'Confirmed' because the bug affects multiple users.

What is interesting `gnome-system-log` depends on `policykit-1`, it has `gnome-system-log-pkexec`, but it works without xhost command!

For those who interested I post my simple script for grepping su-to-root|gksu|pkexec inside application.desktop files in packages here - https://bugs.launchpad.net/ubuntu/+source/gadmin-samba/+bug/1713311/comments/13 .

Gdebi is affected too. Unable to install package with it:

$ gdebi-gtk ~/Downloads/systemd-ui_3-4_i386.deb
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused
Segmentation fault

Status changed to 'Confirmed' because the bug affects multiple users.

Many other packages are affected via /usr/share/polkit-1/actions/*.policy files with these xml-rules:

      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

And finally with `apt-file search pkexec | grep "pkexec$"`

Here is my simple script for grepping "<allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>" inside /usr/share/polkit-1/actions/*.policy files in packages.

How to use:
1. apt-file search /usr/share/polkit-1/actions/ | grep "\.policy$" | awk '{print $1;}' | sed 's/[:]/ /g' | sort | uniq > polkit.txt
2. execute my script with ./do-pk.sh polkit.txt
4. it will do apt-get download, dpkg-deb -R, grep 'allow_.*auth_admin'&&'allow_gui.*true' and and print
some info:

...
aptdaemon is not affected by polkit
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
apt-offline-gui is affected by polkit
...

Hope it helps.

I don't get where is the problem, wayland or all the applications using policykit?

@LOB

as #2 explain, many gui apps fail to open under wayland (this is expected by wayland design, not working with pkexec)
So the transition to polkit is needed for these apps.

the question is more tricky

ettercap has the pkexec file
#!/bin/sh
pkexec --disable-internal-agent "ettercap" "$@"

but it is using a polkit file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="@PKEXEC_INSTALL_WRAPPER@">
    <message>Authentication is required to run Ettercap</message>
    <icon_name>ettercap</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">@INSTALL_BINDIR@/ettercap</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

so, as upstream, I don't know what to do :(

Greetings,
two of my projects are on the list(SiriKali and zuluCrypt) and latest versions of these projects are not affected by the problem.

The latest version of SiriKali is 1.3.0 but the problem was solved in version 1.2.9. The latest version of zuluCrypt is 5.2.0 and it also does not have the problem.

SiriKali uses pkexec not to root elevate its GUI component but to elevate a CLI background service called "siripolkit".

zuluCrypt uses pkexec not to root elevate its GUI components but to elevate a CLI background service called "zulupolkit".

zuluCrypt 5.2.0-1 in debian/ubuntu is affected by the problem and the problem is due to debian/ubuntu packaging and i already informed the maintainer about it,the old way of raising GUI components in zuluCrypt is no longer supported since version 5.2.0.

The Python/GTK3 GUI GameConqueror uses libscanmem for memory scanning with /proc/$pid/mem or ptrace(). Root privileges are required because of the Yama security module and its ptrace_scope set to 1.

To bypass that, scanmem/GC would have to run the target application. That architecture change cannot be done as the usage would be too complex.

We cannot go back to parsing scanmem output due to performance reasons. The hot scanning path is called several million times. The results list is autoupdated and the hex memory editor receives a bigger amount of data from libscanmem. Running a memory scanning daemon is a security risk as any program might access it.

We expect that this is fixed in Wayland.

Ubuntu 17.10 with all updates, Synaptic still does not start from Wayland.

Looks like all the required work will wait for 18.04, both Debian & Ubuntu have not started working around the pkexec problem not working with wayland.

https://www.neowin.net/news/debian-10-development-builds-switch-to-wayland

@dino99
I understand that we talk about security here.

But users may want to use for example Synaptic on default Wayland installation. What should they do?

You already have "xhost +si:localuser:`id -un`"
in
/etc/X11/Xsession.d/35x11-common_xhost-local , /etc/X11/Xsession.d/60x11-common_localhost
and
/etc/gdm3/Xsession

Is it possible to add new file with "xhost +si:localuser:root" here? Or .desktop file (see comment #3 here). It will fix many user problems.

@Norbert

the full solution is not so easy; so be patient.
Several thinks can be done:
- run xhost script into a terminal each time a session is opened
- insert the xhost script into .bashrc file
- and/or test some more propositions:
   * https://unix.stackexchange.com/questions/317282/set-environment-variables-for-gnome-on-wayland-and-bash-on-virtual-terminals-or#326161
   * https://ask.fedoraproject.org/en/question/108631/running-command-after-gnome-login/
   * https://unix.stackexchange.com/questions/118811/why-cant-i-run-gui-apps-from-root-no-protocol-specified

And for non techy people or those still satisfied with X, then choose X at login time (still prefer lightdm myself for the moment)

Budgie welcome in its current form will never be run on a Wayland session. Marked as invalid

Gufw is really affected.
See below:

$ apt-cache policy gufw
gufw:
  Installed: 17.10.0-0ubuntu1
  Candidate: 17.10.0-0ubuntu1
  Version table:
 *** 17.10.0-0ubuntu1 500
        500 http://ru.archive.ubuntu.com/ubuntu artful/universe i386 Packages
        100 /var/lib/dpkg/status

artful@artful:~$ dpkg -L gufw | grep desktop
/etc/gufw/app_profiles/remote-desktop-protocol.jhansonxi
/usr/share/applications/gufw.desktop
artful@artful:~$ cat /usr/share/applications/gufw.desktop | grep Exec
Exec=gufw
artful@artful:~$ gufw
# !!! # enter password here # !!! #
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gtk-CRITICAL **: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gtk-CRITICAL **: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gtk-CRITICAL **: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gtk-CRITICAL **: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gtk-CRITICAL **: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gtk-CRITI...

Norbert, yes but the package name was wrong. There already is LP: #1713238

It's difficult to manage a single bug affecting large number of packages like this in Launchpad in my opinion.

@Jeremy Bicha (jbicha)
As you may know I created script for automation - see my comment #20 https://bugs.launchpad.net/ubuntu/+source/gui-ufw/+bug/1713313/comments/20 ). And I collected all found problems here.

I added more affected packages here:
* `apport` because of /usr/share/apport/root_info_wrapper and /usr/share/apport/apport-gtk .
* `cinnamon` and `cinnamon-common` because of /usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py .
* `caja-admin` because of /usr/bin/caja as root.
* `guidedog` because of "Authentication is required to run Guidedog script" /bin/sh.
* `update-notifier-common` because of /usr/lib/update-notifier/cddistupgrader and /usr/lib/update-notifier/package-system-locked .

It was too difficult to create separate bug reports for each application for me. I hope that community may help here. I hope that all we make Ubuntu better.

It doesn't make sense to run cinnamon inside GNOME on Wayland.

@Jeremy Bicha (jbicha)
FYI on other similar bug report dino99 was pleasant about one big bug report (see his comment - https://bugs.launchpad.net/ubuntu/+source/nmap/+bug/1713311/comments/4 ). So we can choose this bug-report style here too.

This appears to be a false positive.

The wayland package just needs to change its absurd default security policy back to the one that X has used.

Source: zulucrypt
Source-Version: 5.2.0-2

We believe that the bug you reported is fixed in the latest version of
zulucrypt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Format: 1.8
Date: Sun, 10 Sep 2017 23:32:46 +0000
Source: zulucrypt
Binary: zulucrypt-cli zulumount-cli zulucrypt-gui zulumount-gui zulupolkit zulusafe-cli libzulucrypt-exe1.2.0 libzulucrypt-exe-dev libzulucrypt1.2.0 libzulucrypt-dev libzulucryptpluginmanager1.0.0 libzulucryptpluginmanager-dev libzulucrypt-plugins
Architecture: source amd64
Version: 5.2.0-2
Distribution: unstable
Urgency: medium
Maintainer: Marcio de Souza Oliveira <email address hidden>
Changed-By: Marcio de Souza Oliveira <email address hidden>
Description:
 libzulucrypt-dev - development files for libzulucrypt-1.2.0
 libzulucrypt-exe-dev - development files for the libzulucrypt-exe
 libzulucrypt-exe1.2.0 - provide the main functions of zulucrypt
 libzulucrypt-plugins - collection of plugins for zulucrypt
 libzulucrypt1.2.0 - provide the functions of zulumount
 libzulucryptpluginmanager-dev - development files for libzulucryptpluginmanager
 libzulucryptpluginmanager1.0.0 - provides support for plugins
 zulucrypt-cli - tool for encrypting volumes
 zulucrypt-gui - graphical front end for zulucrypt-cli
 zulumount-cli - tool that manages encrypted volumes
 zulumount-gui - graphical front end for zulumount-cli
 zulupolkit - handler the polkit privileges
 zulusafe-cli - cli that manages encrypted volumes

Changes:
 zulucrypt (5.2.0-2) unstable; urgency=medium
 .
   * Created the files zulupolkit.install and zuluPolkit.1.
   * debian/control:
       - Bumped Standards-Version to 4.1.0.
       - Created the package zulupolkit to acomodated the new tool
         zuluPolkit.
       - Removed qtkeychain-dev from Build-Depends.
         Thanks Mhogo Mchungu (Closes: #875291).
   * debian/rules:
       - Enabled the polkit support at build time.
       - Updated file.
   * Removed the files because are unnecessary with zulupolkit:
       - The files zulu*-gui-pkexec and zulu*-gui-pkexec.1.
       - The files org.debian.pkexec.zulu*-gui.policy.
       - The files zulu*-gui.links.
   * Removed the files zulu*-gui.menu.
   * Updated the files zulu*-gui.desktop.
   * Updated the files zulu*-gui.install.

Raised https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/1724748 which I think is actually a dup of this existing bug. Here's what I'm seeing:

All (most?) gui apps fail to launch when using sudo, out-of-box, desktop 17.10 install. For example, gparted and virt-manager, which both require sudo, are not usable without a work-around.

#### Out-of-box experience
rbeisner@vistula:~⟫ sudo gedit
No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:32146): Gtk-WARNING **: cannot open display: :0

rbeisner@vistula:~⟫ xhost
access control enabled, only authorized clients can connect
SI:localuser:rbeisner

#### Work-around:

rbeisner@vistula:~⟫ xhost si:localuser:root
localuser:root being added to access control list

rbeisner@vistula:~⟫ xhost
access control enabled, only authorized clients can connect
SI:localuser:root
SI:localuser:rbeisner

rbeisner@vistula:~⟫ sudo gedit
rbeisner@vistula:~⟫ # (it launches ok)

Please do not use sudo to run gedit. Just use admin:/// URIs.

For instance, open admin:///etc/default/grub if you want to change a grub bootloader setting with gedit. You can use those admin:// URIs in most apps (it works in nautilus). The admin gvfs backend is a new feature in Ubuntu 17.04.

Right, it's just an example. Replace with `sudo virt-manager` equally.

At least `gparted` and `synaptic` do not run on default fresh clean installation of Ubuntu 17.10.

On Sat, 21 Oct 2017, Norbert wrote:
> At least `gparted` and `synaptic` do not run on default fresh clean
> installation of Ubuntu 17.10.
And as standard software installer does not:
a) pass on querries from the package install (so that jackd can be
properly installed for example)
b) does not alert the user that a package they are installing has to
remove another package the user still needs. This can leave the user with
a crippled system.

I have personally helped a number of people fix botched installs. I have
never had complaints after the user installs synaptic.

synaptic, though old and worn, is the only GUI installer that is safe to
use in my experience. It is also fast and provides package information
that allows trouble shooting package problems.

These extras may be confusing for a new computer user or someone coming
from windows, but points a and b above need to be addressed if new users
are to keep using Ubuntu longer than a quick try.

--
Len Ovens
www.ovenwerks.net

Just a heads up, you do understand that this is a feature , not a bug ?

https://bugzilla.redhat.com/show_bug.cgi?id=1274451

That bug is 2 years old and marked as "Status: CLOSED WONTFIX" both with Fedora and upstream with Wayland

See https://fedoraproject.org/wiki/How_to_debug_Wayland_problems#Graphical_applications_can.27t_be_run_as_root_from_terminal

And

https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/A6VXI4WAGSIIWGOTAVNDBVS4VFYXITHA/#2YU2RBYCXQSCGHGP772W5LRXUMTSINHA

XWayland bug report (from 2015) https://bugs.freedesktop.org/show_bug.cgi?id=91071

Bottom line: This is considered a part of wayland security and will not be resolved upstream. The upstream solution is to run graphical apps from the menu, not the command line.

Up to Ubuntu how to "resolve" this "problem" but Fedora decided 2 years ago to work on the grahpical tools.

xhost is a work around for now and will remain so as long as apps have xwayland support.

https://bugs.launchpad.net/ubuntu/+source/sirikali/+bug/1713313/comments/24

Y PPA Manager seems to be affected because of 'auth_admin' in /usr/share/polkit-1/actions/org.freedesktop.pkexec.y-ppa-manager.policy .

Excuse my language Bodhi, but bull shit. You actually can run wayland apps as root just fine. It is only X11 apps running under wayland that no longer run as root, and the reason is simply that gdm3 fails to configure Xwayland with a proper Xauthority policy, the way its man page says it should. It isn't doing what its documentation says it should, so it's a bug.

Some idiots who think they are the end all know it alls are simply seizing on the opportunity to push their agenda that GUI applications should not be run as root.

Obviously Phillip you are shooting off your foul mouth without knowing a
dammed thing you are talking about. It is obvious from your comments you
know nothing about wayland or wayland security and that you are just
spewing shit on the bug report.

Wayland , upstream, does not and will not support running graphical
applications, as root, from the terminal using sudo , period, end of story.
There are other mechanisms to grant graphical applications root access, but
again the application itself is not going to run as root.

Perhaps you should read the documentation and security discussions before
you put your foot so far into your mouth it comes out your ass and back in
again.

https://lwn.net/Articles/589147/

http://www.mupuf.org/blog/2014/02/19/wayland-compositors-why-and-how-to-handle/

https://lwn.net/Articles/517375/

And if you take your fat head out of your ass and look upstream you will
see every bug files against wayland regarding the problem of running
graphical applications with sudo has been closed as either not a bug or
wont fix.

https://bugs.freedesktop.org/show_bug.cgi?id=99371

"Wayland dont support sudo users!"

Status <https://bugs.freedesktop.org/page.cgi?id=fields.html#bug_status>:
RESOLVED
NOTOURBUG

The is not all in any way claiming you can not run graphical apps as root,
you just need to use another method.

And your comment has nothing to do with running graphical apps in X .

On Wed, Dec 6, 2017 at 7:11 AM, Phillip Susi <email address hidden> wrote:

> Excuse my language Bodhi, but bull shit. You actually can run wayland
> apps as root just fine. It is only X11 apps running under wayland that
> no longer run as root, and the reason is simply that gdm3 fails to
> configure Xwayland with a proper Xauthority policy, the way its man page
> says it should. It isn't doing what its documentation says it should,
> so it's a bug.
>
> Some idiots who think they are the end all know it alls are simply
> seizing on the opportunity to push their agenda that GUI applications
> should not be run as root.
>
>
> ** Also affects: gdm3 (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1713313
>
> Title:
> Unable to launch pkexec'ed applications on Wayland session
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/backintime/+bug/1713313/+subscriptions
>

First, let me say, I apologize for the tone of my last post.

As an explanation, I have a long history with psusi. Phillip is very intelligent and can, at times, be very helpful.

Phillip, however, also has serious issues. He is arrogant and will never admit he is wrong.

He also has his moods, I suspect he either has a personality disorder or is bipolar. When he gets in his moods he rants with blatant violations of the Ubuntu Code of Conduct. At these times he is impossible to reason with and usually escalates the situation.

How do I know you might ask ?

Because I served for some time as an Administrator on the Ubuntu Forums. Phillip was banned more than once for violations of the Ubuntu code of Conduct. I strongly suspect he has been banned for similar violations from other ubuntu sites / IRC as well.

https://www.ubuntu.com/about/about-ubuntu/conduct

On the forums, we would ban him for a period of time, 1-3 months depending on his behavior. Often we would start with a week or a month, but on his return he would start right back up with his violations, and we would extend the ban. Eventually he would cool down and we would restore his privileges.

He would behave himself for a few weeks or months and then start to slip. We, the Ubuntu Forums Admins, would send a few PM to him, but his behavior would again escalate and he would again be banned.

Frankly, I was shocked his post was not moderated and after 24 hours I over reacted. My over reaction is partially because of my history with Phillip, I endured endless personal insults and foul language from him during my time as an administrator on the Ubuntu Forms.

My reaction is also because of the fact that I am no longer an Administrator on the Ubuntu Forums and, so I thought, if Launchpad is not going to enforce the Ubuntu Code of Conduct and regulate Phillip Susi (psusi) and his violations, I am not going to allow him to bully me.

Last, I would also like to point out, I know a fair amount about Wayland. I have been using wayland for a few years now and was testing it in Fedora before it became default. I am very familiar with Wayland Security Development and having Phillip Susi (psusi) make a wild claim "Excuse my language Bodhi, but bull shit. You actually can run wayland apps as root just fine." shows his ignorance on wayland as well as a clear violation of the Code of conduct. This is an example of the behavior I have seen from Phillip in the past. He thinks he knows something, and rather than taking the time to explain his position, he resorts to personal insults and intimidation. When he acts this way he is 9 times out of 10 wrong, as he is in this case.

Again, although Phillip has much to contribute he has major personality flaws and violates the Ubuntu Code of Conduct and I ask you to monitor his behavior very close.

@psusi - Perhaps you can also add a few launchpad bug reports to your reading list:

https://bugs.launchpad.net/debian/+source/synaptic/+bug/1551951

PeterPall (peterpall) wrote on 2017-02-28: #3
According to https://bugzilla.redhat.com/show_bug.cgi?id=1274451 not allowing graphical user interfaces to run as root is a design decision of wayland. The way to go fo...

Because lanuchpad clips comments I am re-posting so it does not so easily get lost

@psusi - Perhaps you can also add a few launchpad bug reports to your reading list:

https://bugs.launchpad.net/debian/+source/synaptic/+bug/1551951

PeterPall (peterpall) wrote on 2017-02-28: #3
According to https://bugzilla.redhat.com/show_bug.cgi?id=1274451 not allowing graphical user interfaces to run as root is a design decision of wayland. The way to go for synaptic would be to run the graphical user interface as the unprivileged user who has called the program and then to use polkit in order to gain root rights for the portion of the program that does the actual installation and uninstallation of packages.

Mark (1aunchpad-nct) wrote on 2017-10-30: #7
I have removed the duplicate marking on this bug. The bug this was marked as a duplicate of, bug #1712089, is a general report about the inability to run graphical applications as root under Wayland. As noted in comment #3, this is a Wayland design decision and Synaptic needs to be changed.

I am concerned that if this bug remains as a duplicate it will be invisible to the Synaptic maintainers, delaying a fix.

Absent objections to this change, I will change the duplicate settings on the other Synaptic related bugs currently dup'ed to bug #1712089 to be dup's of this.

Importance needs to be set to High but I don't have permission to do that.

And if we follow the bug reports

https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/1712089

List of pkexec'ed applications is located in bug 1713313.
List of packages which use su-to-root and gksu/gksudo is located in bug 1713311

NOTE: THIS IS BUG 1713311

Also in but 171089

Jean-Baptiste Lallement (jibel) wrote on 2017-08-21: #3
Thanks for your report.

This is a known issue with wayland and documented on https://fedoraproject.org/wiki/How_to_debug_Wayland_problems#Graphical_applications_can.27t_be_run_as_root_from_terminal

And from that Fedora link

Graphical applications can't be run as root from terminal

It is not possible to start graphical apps under the root account from terminal when using su or sudo. Apps which use polkit to request administrator permissions for just certain operations and only when needed are not affected (they are not started as root right away). The discussion is ongoing about the best approach to take, see bug 1274451 and "On running gui applications as root" thread in fedora-devel mailing list.

Which links once again as a "Wont fix" bug report

https://bugzilla.redhat.com/show_bug.cgi?id=1274451

There is a lot if information on that bug report as well, including links to the upstream source code.

Olivier Fourdan 2015-10-30 05:43:14 EDT
And this is on purpose obviously, I should have mentioned:

http://cgit.freedesktop.org/xorg/xserver/commit/?id=c4534a3
http://cgit.freedesktop.org/xorg/xserver/commit/?id=4b4b908
http://cgit.freedesktop.org/xorg/xserver/commit/?id=76636ac

Michael Catanzaro 2016-11-28 15:58:23 EST
OK, to avoid the potential for misunderstood expectations: there are currently no plans to support running graphical apps with sudo under Wayland, and it seems quite unlikely that this will change anytime soon, s...

Please could both of you take a deep breath and stop the personal attacks and aggressive language?

Speaking as a member of the Ubuntu Community Council, I'm going to have to ask that we dial down the tone here. As you know, the Code of Conduct (https://www.ubuntu.com/about/about-ubuntu/conduct) means that we should act with respect and consideration, act collaboratively and work towards consensus and clarity. That's sadly not what I'm seeing in this discussion and we need to put an end to it.

I will also comment that if anyone sees a violation of this, the appropriate action is not to escalate the language, but to take it down a notch. If you don't feel like you can do that, that's what the Community Council is for. Discussing someone's personal history publicly not to mention speculating about someone's medical conditions, however appropriate it is in regards to a violation of the CoC, is not in any way respectful or considerate.

That said, let's keep any further discussion about people directed towards <email address hidden> and let's keep the bug report for talking about the actual software.

Speaking of the bug, some things to point out:

 1. I note that this is a known issue in the 17.10 release (https://wiki.ubuntu.com/ArtfulAardvark/ReleaseNotes#Desktop) with a note suggesting that Fedora is the upstream. That said, if the problem is an issue of upstream Wayland security policy, then, this is a bug report that should be filed upstream. In other words, it is not an Ubuntu problem.
 2. If the issue is how Ubuntu deals with this, there are currently several documented workaround to fixing the problem as above, and it's clear that other work is being done (PolicyKit, admin URIs, etc.) to try to solve this problem once and for all.

Thank you all.

I did not start the personal attacks, I did not reply until you all allowed
his comment to stand for a full 24 hours, and I already apologized for my
posts. However, I will not allow psusi to bully me on launchpad either. If
he posts personal attacks here I will defend myself.

On Fri, Dec 8, 2017 at 8:33 AM, Jeremy Bicha <email address hidden> wrote:

> Please could both of you take a deep breath and stop the personal
> attacks and aggressive language?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1713313
>
> Title:
> Unable to launch pkexec'ed applications on Wayland session
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/backintime/+bug/1713313/+subscriptions
>

Frankly, his first post is not only wrong regarding wayland, but it is also
a clear violation of the Ubuntu code of conduct.

https://www.ubuntu.com/about/about-ubuntu/conduct

I am surprised you let his comment stand and I am shocked you allow such
behavior from one of your developers. I have seen people reprimanded and
banned for such behavior, yet you do nothing.

As long as you tolerate his behavior you by default have to also tolerate
the response he evokes, you can not have it both ways.

Having a developer behave this way undercuts all of Ubuntu.

On Fri, Dec 8, 2017 at 8:33 AM, Jeremy Bicha <email address hidden> wrote:

> Please could both of you take a deep breath and stop the personal
> attacks and aggressive language?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1713313
>
> Title:
> Unable to launch pkexec'ed applications on Wayland session
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/backintime/+bug/1713313/+subscriptions
>

Again: let's keep any further discussion about people directed towards <email address hidden> and let's keep the bug report for talking about the actual software. In other words, no more comments about the CoC violations in this bug report. Let's get back to talking about the software.

I'm wontfixing the gdm3 component. See LP: #1652282

Folks, let's all calm down a bit and try to cooperate...

One of the problems here is that several very useful GUI applications which have always run as root don't have alternatives to replace them, but also they don't have the developers available to convert to a non-root frontend + root backend architecture (this is far from a trivial change to a application!).

Is there any way we can solve this issue *together*, somehow solving the potential security issues of running a GUI application as root, as well as preserving the functionality these applications provide for our users?

Where/how can we find people experienced & willing to do these changes?

Is there any funding available for such conversions?

Instead of blaming each other, please let's work together on a solution...

On 12/7/2017 8:15 PM, bodhi.zazen wrote:
> Wayland , upstream, does not and will not support running graphical
> applications, as root, from the terminal using sudo , period, end of story.
> There are other mechanisms to grant graphical applications root access, but
> again the application itself is not going to run as root.

Yes, it does, as you can easily test by suing to root and running gedit.

> And if you take your fat head out of your ass and look upstream you will
> see every bug files against wayland regarding the problem of running
> graphical applications with sudo has been closed as either not a bug or
> wont fix.

https://bugs.freedesktop.org/show_bug.cgi?id=91071 is not.

Neither is https://bugzilla.gnome.org/show_bug.cgi?id=789867

And there it is noted that wayland does not explicitly allow or deny
root applications.

> On the forums, we would ban him for a period of time, 1-3 months
> depending on his behavior. Often we would start with a week or a month,
> but on his return he would start right back up with his violations, and
> we would extend the ban. Eventually he would cool down and we would
> restore his privileges.

Well now you're just lieing. You banned me permanently one time because
I dared to point out that you incorrectly closed another user's thread
for breaking the rules when he did no such thing.

> reference 32 is here https://lwn.net/Articles/517375/

This talks about weston not having to be run as root; not disallowing
client applications running as root.

> The blog is here http://mupuf.org/blog/2014/02/19/wayland-compositors-
> why-and-how-to-handle/

This talks about having weston be able to isolate different clients from
interfering with one another. Nowhere does it talk about refusing
clients with uid=0.

> Please could both of you take a deep breath and stop the personal
> attacks and aggressive language?

I haven't made any personal attacks. What I have done is point out that
this misconception that disallowing root applications is not true; that
gdm fails to perform its job as described by its man page. This
therefore is, ipso facto, a bug, whether or not you agree with the
terrible user facing consequences it has.

We need to talk about software here, not personal issues. You both are going to stop attacking each other, defending yourself against each other, and talk about software. If you cannot talk about the software without getting these other issues intermingled here, do not comment at all.

Since you seem to be concerned about the user experience, please recognize the user experience for all the people looking at this bug reports. Be nice.

Phillip:

You were banned from the Ubuntu Forms not by me personally, but rather by the Forums Council after repeated violations of the CoC and difficult interactions with the Forums Staff including both moderators and Forums Council Members.

You appealed your ban to the Community Council, and your ban was upheld.

This is not the appropriate place to protest you ban. I am no longer an active staff member, please contact the current Forums Council if you wish to discuss any potential future use of the Forums

https://wiki.ubuntu.com/ForumCouncil

As far as the technical discussion I am afraid we will have to agree to disagree.

I can not always follow what you are saying, but I have the impression, perhaps falsely, you do not understand or that you intermingle issues of Wayland, X (XWayland, Xhost), and Weston, those are fairly diverse features / functions.

At any rate, I also think you do not understand that Wayland is in rapid development and not all the mechanisms of security have been agreed on up stream or resolved.

I believe Upstream has made their security intentions very clear in their mailing list and security blog, which I have provided for your consideration.

The fedora experience makes this very clear in their bug reports as well. The Fedora project has raised most if not all of your issues, and as they are a bit further ahead, the Fedora Bug Reports are referenced here.

This thread makes it clear that Ubuntu is working not on revamping wayland security, but by rewriting applications and the way they obtain elevated privileges.

I also see your bugs getting closed as "wont fix" here on Ubuntu.

My best suggestion would be that you engage into a technical discussion with your LP mentor, the community council, perhaps Norbert, or one of the Gnome Developers whom you respect rather than continue a discussion with myself, here, on this bug report.

I suggest you conduct such a technical discussion outside this bug report, perhaps on the gnome or wayland mailing list or IRC or whatever channel you feel benefits you most. I have given you the Wayland mailing list and links to security discussions and can send them again if you would like.

I believe this bug report is not the best place to obtain the clarification and answers to your questions and I have in good faith provided you and others what I would hope would be helpful information and sources of further information.

bodhi@daemon:~$sudo gedit
No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:7374): Gtk-WARNING **: cannot open display: :0
bodhi@daemon:~$sudo su -

root@daemon:~#gedit
Unable to init server: Could not connect: Connection refused

(gedit:7346): Gtk-WARNING **: cannot open display:

I believe once Upstream (Wayland) feels the wayland code has matured their long term intentions will be to drop XWayland and support for circumventing wayland security via the mechanisms you currently use / exploit such as Xhost , su - , etc.

I believe Xwayland and Xhost are intended to give downstream projects such a Fedora and Ubuntu time to transition from X to Wayland and time for Wayland to mature. Obviously this is a large project, bo...

Problem with `nemo` "Open as Root" is confirmed on 18.04.

synaptic confirmed on 18.04.