Unable to launch pkexec'ed applications on Wayland session

Bug #1713313 reported by Norbert
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Back In Time | Fix Released | High | |
Boot-Info | Fix Released | Critical | YannUbuntu |
Boot-Repair | Fix Released | Critical | YannUbuntu |
GNOME Terminal | New | Undecided | Unassigned |
HPLIP | New | Undecided | Unassigned |
LightDM GTK Greeter Settings | New | Unknown | |
OS-Uninstaller | Fix Released | Critical | YannUbuntu |
Y PPA Manager | New | Undecided | Unassigned |
apport (Ubuntu) | New | Undecided | Unassigned |
apt-offline (Ubuntu) | New | Undecided | Unassigned |
backintime (Ubuntu) | Fix Released | Undecided | Unassigned |
budgie-welcome (Ubuntu) | Invalid | Undecided | Unassigned |
caja-admin (Ubuntu) | New | Undecided | Unassigned |
cinnamon (Ubuntu) | Invalid | Undecided | Unassigned |
ettercap (Ubuntu) | Confirmed | Undecided | Unassigned |
gdebi (Ubuntu) | Confirmed | Undecided | Unassigned |
gdm3 (Ubuntu) | Won't Fix | Undecided | Unassigned |
gnunet-gtk (Ubuntu) | Confirmed | Undecided | Unassigned |
gparted (Ubuntu) | Invalid | Undecided | Unassigned |
gui-ufw (Ubuntu) | Confirmed | Undecided | Unassigned |
guidedog (Ubuntu) | New | Undecided | Unassigned |
hplip (Ubuntu) | Confirmed | Undecided | Unassigned |
italc (Ubuntu) | New | Undecided | Unassigned |
laptop-mode-tools (Ubuntu) | New | Undecided | Unassigned |
lightdm-gtk-greeter-settings (Ubuntu) | Confirmed | Undecided | Unassigned |
nautilus-admin (Ubuntu) | New | Undecided | Unassigned |
needrestart-session (Ubuntu) | Confirmed | Undecided | Unassigned |
nemo (Ubuntu) | Confirmed | Undecided | Unassigned |
policykit-1 (Ubuntu) | Invalid | Undecided | Unassigned |
scanmem (Ubuntu) | Invalid | Undecided | Unassigned |
scap-workbench (Ubuntu) | Confirmed | Undecided | Unassigned |
sirikali (Ubuntu) | Fix Released | Undecided | Unassigned |
synaptic (Ubuntu) | Confirmed | Undecided | Unassigned |
thunar (Ubuntu) | New | Undecided | Unassigned |
tuned (Ubuntu) | New | Undecided | Unassigned |
ubuntustudio-controls (Ubuntu) | Fix Released | Undecided | Len Ovens |
update-notifier (Ubuntu) | New | Undecided | Unassigned |
xdiagnose (Ubuntu) | Confirmed | Undecided | Unassigned |
xubuntu-default-settings (Ubuntu) | Invalid | Undecided | Unassigned |
zulucrypt (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

*****************************
Main upstream discussion & fixes example to deal with wayland:
https://bugzilla.gnome.org/show_bug.cgi?id=776437
*****************************

********************************************************************************************************************************************

Steps to reproduce:
1. Install Ubuntu 17.10
2. Install backintime-qt4 or gparted application from above list (the full list may be acquired from https://codesearch.debian.net/search?q=pkexec+filetype%3Adesktop+path%3A*%2Fapplications%2F*&perpkg=1&page=4 )
3a. Try to launch backintime-qt4 from shortcut "Back In Time (root)" (located in /usr/share/applications/backintime-qt4-root.desktop, it uses pkexec
($ cat /usr/share/applications/backintime-qt4-root.desktop | grep Exec
Exec=pkexec backintime-qt4)
3b. Try to launch Gparted from shortcut "GParted" (located in /usr/share/applications/gparted.desktop, it uses gparted-pkexec)
4a.1. Back In Time does not start from GUI.
4a.2. Back In Time shows error message in console:
4b. gparted-pkexec does not start, reports error
$ gparted-pkexec
Created symlink /run/systemd/system/-.mount → /dev/null.
Created symlink /run/systemd/system/run-user-1000.mount → /dev/null.
Created symlink /run/systemd/system/run-user-121.mount → /dev/null.
Created symlink /run/systemd/system/tmp.mount → /dev/null.
No protocol specified

(gpartedbin:12831): Gtk-WARNING **: cannot open display: :0
Removed /run/systemd/system/-.mount.
Removed /run/systemd/system/run-user-1000.mount.
Removed /run/systemd/system/run-user-121.mount.
Removed /run/systemd/system/tmp.mount.

$ pkexec backintime-qt4

Back In Time
Version: 1.1.12

Back In Time comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions; type `backintime --license' for details.

No protocol specified
app.py: cannot connect to X server :0

Expected results:
* backintime-qt4 may be run as root

Actual results:
* unable to run backintime-qt4 as root

Workaround:
* setting "xhost +si:localuser:root" helps.

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: backintime-qt4 1.1.12-2
ProcVersionSignature: Ubuntu 4.12.0-11.12-generic 4.12.5
Uname: Linux 4.12.0-11-generic i686
ApportVersion: 2.20.6-0ubuntu7
Architecture: i386
CurrentDesktop: GNOME
Date: Sun Aug 27 14:23:14 2017
InstallationDate: Installed on 2017-08-26 (0 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha i386 (20170826)
PackageArchitecture: all
SourcePackage: backintime
UpgradeStatus: No upgrade log present (probably fresh install)

Norbert (nrbrtx) wrote :
Norbert (nrbrtx)
summary: - Unable to launch backintime-qt4 as root on Wayland session
+ Unable to launch backintime and gparted as root on Wayland session
description: updated
dino99 (9d9) wrote : Re: Unable to launch backintime and gparted as root on Wayland session

This is a well-known Wayland limitation.
The workaround (till the pkexec -> policykit transition is made) is to use the xhost script.
Gparted already has an opened bug: https://bugs.launchpad.net/ubuntu/+source/gparted/+bug/1652282
and policykit has to be used, but is not directly concerned as a bug.

Changed in gparted (Ubuntu):
status: New → Invalid
Changed in policykit-1 (Ubuntu):
status: New → Invalid
Norbert (nrbrtx)
summary: - Unable to launch backintime and gparted as root on Wayland session
+ Unable to launch pkexec application on Wayland session
description: updated
Norbert (nrbrtx)
summary: - Unable to launch pkexec application on Wayland session
+ Unable to launch pkexec'ed applications on Wayland session
description: updated
Norbert (nrbrtx) wrote :

@dino99
for me it seems that this

cat <<EOF | sudo tee /etc/xdg/autostart/xhost.desktop
[Desktop Entry]
Name=xhost
Comment=Fix graphical root applications
Exec="xhost +si:localuser:root"
Terminal=false
Type=Application
EOF

should be added to the default installation.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in backintime (Ubuntu):
status: New → Confirmed
Changed in hplip (Ubuntu):
status: New → Confirmed
Changed in lightdm-gtk-greeter-settings (Ubuntu):
status: New → Confirmed
Changed in nemo (Ubuntu):
status: New → Confirmed
Changed in scap-workbench (Ubuntu):
status: New → Confirmed
dino99 (9d9)
description: updated
description: updated
description: updated
dino99 (9d9)
description: updated
Norbert (nrbrtx) wrote :

What is interesting: `gnome-system-log` depends on `policykit-1`, it has `gnome-system-log-pkexec`, but it works without the xhost command!

Norbert (nrbrtx) wrote :

For those who are interested, I post my simple script for grepping su-to-root|gksu|pkexec inside application.desktop files in packages here - https://bugs.launchpad.net/ubuntu/+source/gadmin-samba/+bug/1713311/comments/13 .

Norbert (nrbrtx) wrote :

Gdebi is affected too. Unable to install package with it:

$ gdebi-gtk ~/Downloads/systemd-ui_3-4_i386.deb
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused
Segmentation fault

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ettercap (Ubuntu):
status: New → Confirmed
Changed in gdebi (Ubuntu):
status: New → Confirmed
Changed in gnunet-gtk (Ubuntu):
status: New → Confirmed
Changed in needrestart-session (Ubuntu):
status: New → Confirmed
Changed in synaptic (Ubuntu):
status: New → Confirmed
Changed in xdiagnose (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx) wrote :

Many other packages are affected via /usr/share/polkit-1/actions/*.policy files with these xml-rules:

      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

Norbert (nrbrtx) wrote :

And finally with `apt-file search pkexec | grep "pkexec$"`

Jeremy Bícha (jbicha)
tags: added: wayland
Norbert (nrbrtx) wrote :

Here is my simple script for grepping "<allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>" inside /usr/share/polkit-1/actions/*.policy files in packages.

How to use:
1. apt-file search /usr/share/polkit-1/actions/ | grep "\.policy$" | awk '{print $1;}' | sed 's/[:]/ /g' | sort | uniq > polkit.txt
2. execute my script with ./do-pk.sh polkit.txt
4. it will do apt-get download, dpkg-deb -R, grep 'allow_.*auth_admin'&&'allow_gui.*true' and print some info:

...
aptdaemon is not affected by polkit
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
apt-offline-gui is affected by polkit
...

Hope it helps.

Gianfranco Costamagna (costamagnagianfranco) wrote :

I don't get where is the problem, wayland or all the applications using policykit?

dino99 (9d9) wrote :

@LOB

as #2 explains, many GUI apps fail to open under Wayland (this is expected by Wayland design, not working with pkexec).
So the transition to polkit is needed for these apps.

Gianfranco Costamagna (costamagnagianfranco) wrote :

the question is more tricky

ettercap has the pkexec file
#!/bin/sh
pkexec --disable-internal-agent "ettercap" "$@"

but it is using a polkit file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="@PKEXEC_INSTALL_WRAPPER@">
    <message>Authentication is required to run Ettercap</message>
    <icon_name>ettercap</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">@INSTALL_BINDIR@/ettercap</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

so, as upstream, I don't know what to do :(
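
Added example, not part of the thread or of any project named in it: a Python version of the check Norbert describes above (auth_admin defaults plus the allow_gui annotation), run on the ettercap policy quoted in this comment. pkexec(1) documents that a nonempty allow_gui value makes pkexec retain $DISPLAY and $XAUTHORITY for the root process; the second policy and its org.example.helper.run id are constructed.

```python
import glob
import xml.etree.ElementTree as ET

ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"
EXEC_PATH = "org.freedesktop.policykit.exec.path"
DEFAULT_TAGS = ("allow_any", "allow_inactive", "allow_active")

# The ettercap policy quoted in this thread, build-time @...@ placeholders kept.
ETTERCAP_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="@PKEXEC_INSTALL_WRAPPER@">
    <message>Authentication is required to run Ettercap</message>
    <icon_name>ettercap</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">@INSTALL_BINDIR@/ettercap</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
"""

# Constructed sample: a root helper that is elevated without allow_gui.
HELPER_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.helper.run">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/example/helper</annotate>
  </action>
</policyconfig>
"""


def gui_root_actions(policy_xml):
    """Return the actions that ask for admin auth and keep the X11 display."""
    root = ET.fromstring(policy_xml)
    hits = []
    for action in root.iter("action"):
        notes = {n.get("key"): (n.text or "").strip()
                 for n in action.findall("annotate")}
        # Any nonempty value enables GUI pass-through, not only "true".
        if not notes.get(ALLOW_GUI):
            continue
        defaults = {tag: (action.findtext("defaults/" + tag) or "").strip()
                    for tag in DEFAULT_TAGS}
        # Same match as the grep in the thread: auth_admin or auth_admin_keep.
        if any(v.startswith("auth_admin") for v in defaults.values()):
            hits.append({"id": action.get("id"),
                         "exec_path": notes.get(EXEC_PATH),
                         "defaults": defaults})
    return hits


def scan_policy_dir(directory="/usr/share/polkit-1/actions"):
    """Map each .policy file in `directory` to its GUI-as-root actions."""
    report = {}
    for path in sorted(glob.glob(directory + "/*.policy")):
        try:
            with open(path, "rb") as fh:
                hits = gui_root_actions(fh.read())
        except (OSError, ET.ParseError) as exc:
            report[path] = "unreadable: %s" % exc
            continue
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_policy_dir().items():
        print(path, hits)
```
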

mhogo mchungu (mhogomchungu) wrote :

Greetings,
two of my projects are on the list (SiriKali and zuluCrypt) and the latest versions of these projects are not affected by the problem.

The latest version of SiriKali is 1.3.0 but the problem was solved in version 1.2.9. The latest version of zuluCrypt is 5.2.0 and it also does not have the problem.

SiriKali uses pkexec not to root elevate its GUI component but to elevate a CLI background service called "siripolkit".

zuluCrypt uses pkexec not to root elevate its GUI components but to elevate a CLI background service called "zulupolkit".

zuluCrypt 5.2.0-1 in Debian/Ubuntu is affected by the problem and the problem is due to Debian/Ubuntu packaging and I already informed the maintainer about it; the old way of raising GUI components in zuluCrypt is no longer supported since version 5.2.0.

Sebastian Parschauer (s-parschauer) wrote :

The Python/GTK3 GUI GameConqueror uses libscanmem for memory scanning with /proc/$pid/mem or ptrace(). Root privileges are required because of the Yama security module and its ptrace_scope set to 1.

To bypass that, scanmem/GC would have to run the target application. That architecture change cannot be done as the usage would be too complex.

We cannot go back to parsing scanmem output due to performance reasons. The hot scanning path is called several million times. The results list is autoupdated and the hex memory editor receives a bigger amount of data from libscanmem. Running a memory scanning daemon is a security risk as any program might access it.

We expect that this is fixed in Wayland.

Norbert (nrbrtx) wrote :

Ubuntu 17.10 with all updates, Synaptic still does not start from Wayland.

dino99 (9d9) wrote :

Looks like all the required work will wait for 18.04, both Debian & Ubuntu have not started working around the pkexec problem not working with wayland.

https://www.neowin.net/news/debian-10-development-builds-switch-to-wayland

Norbert (nrbrtx) wrote :

@dino99
I understand that we talk about security here.

But users may want to use for example Synaptic on default Wayland installation. What should they do?

You already have "xhost +si:localuser:`id -un`"
in
/etc/X11/Xsession.d/35x11-common_xhost-local , /etc/X11/Xsession.d/60x11-common_localhost
and
/etc/gdm3/Xsession

Is it possible to add new file with "xhost +si:localuser:root" here? Or .desktop file (see comment #3 here). It will fix many user problems.

dino99 (9d9) wrote :

@Norbert

the full solution is not so easy; so be patient.
Several things can be done:
- run xhost script into a terminal each time a session is opened
- insert the xhost script into .bashrc file
- and/or test some more propositions:
   * https://unix.stackexchange.com/questions/317282/set-environment-variables-for-gnome-on-wayland-and-bash-on-virtual-terminals-or#326161
   * https://ask.fedoraproject.org/en/question/108631/running-command-after-gnome-login/
   * https://unix.stackexchange.com/questions/118811/why-cant-i-run-gui-apps-from-root-no-protocol-specified

And for non techy people or those still satisfied with X, then choose X at login time (still prefer lightdm myself for the moment)

Jeremy Bícha (jbicha)
no longer affects: gufw (Ubuntu)
fossfreedom (fossfreedom) wrote :

Budgie welcome in its current form will never be run on a Wayland session. Marked as invalid

Changed in budgie-welcome (Ubuntu):
status: New → Invalid
Norbert (nrbrtx) wrote :

Gufw is really affected.
See below:

$ apt-cache policy gufw
gufw:
  Installed: 17.10.0-0ubuntu1
  Candidate: 17.10.0-0ubuntu1
  Version table:
 *** 17.10.0-0ubuntu1 500
        500 http://ru.archive.ubuntu.com/ubuntu artful/universe i386 Packages
        100 /var/lib/dpkg/status

artful@artful:~$ dpkg -L gufw | grep desktop
/etc/gufw/app_profiles/remote-desktop-protocol.jhansonxi
/usr/share/applications/gufw.desktop
artful@artful:~$ cat /usr/share/applications/gufw.desktop | grep Exec
Exec=gufw
artful@artful:~$ gufw
# !!! # enter password here # !!! #
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_modifier_mask: assertion 'GDK_IS_KEYMAP (keymap)' failed

(gufw.py:3873): Gdk-CRITICAL **: gdk_keymap_get_for_display: assertion 'GDK_IS_DISPLAY (display)' failed

(gufw.py:3873): Gtk-CRITICAL **: _gtk_replace_virtual_modifiers: assertion 'GDK_IS_KEYMAP (keymap)' failed


Jeremy Bícha (jbicha) wrote :

Norbert, yes but the package name was wrong. There already is LP: #1713238

It's difficult to manage a single bug affecting large number of packages like this in Launchpad in my opinion.

Norbert (nrbrtx) wrote :

@Jeremy Bicha (jbicha)
As you may know I created a script for automation (see my comment #20 https://bugs.launchpad.net/ubuntu/+source/gui-ufw/+bug/1713313/comments/20 ). And I collected all found problems here.

I added more affected packages here:
* `apport` because of /usr/share/apport/root_info_wrapper and /usr/share/apport/apport-gtk .
* `cinnamon` and `cinnamon-common` because of /usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py .
* `caja-admin` because of /usr/bin/caja as root.
* `guidedog` because of "Authentication is required to run Guidedog script" /bin/sh.
* `update-notifier-common` because of /usr/lib/update-notifier/cddistupgrader and /usr/lib/update-notifier/package-system-locked .

It was too difficult for me to create separate bug reports for each application. I hope that the community may help here. I hope that we all make Ubuntu better.

Jeremy Bícha (jbicha) wrote :

It doesn't make sense to run cinnamon inside GNOME on Wayland.

Changed in cinnamon (Ubuntu):
status: New → Invalid
Norbert (nrbrtx) wrote :

@Jeremy Bicha (jbicha)
FYI on other similar bug report dino99 was pleasant about one big bug report (see his comment - https://bugs.launchpad.net/ubuntu/+source/nmap/+bug/1713311/comments/4 ). So we can choose this bug-report style here too.

Jeremy Bícha (jbicha) wrote :

This appears to be a false positive.

Changed in ubuntustudio-default-settings (Ubuntu):
status: New → Invalid
Changed in xubuntu-default-settings (Ubuntu):
status: New → Invalid
Phillip Susi (psusi) wrote :

The wayland package just needs to change its absurd default security policy back to the one that X has used.

Jeremy Bícha (jbicha)
no longer affects: wayland (Ubuntu)
tags: added: rls-aa-incoming
costales (costales)
Changed in gui-ufw (Ubuntu):
status: New → Confirmed
m.desouza20 (m-desouza20) wrote :

Source: zulucrypt
Source-Version: 5.2.0-2

We believe that the bug you reported is fixed in the latest version of
zulucrypt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Format: 1.8
Date: Sun, 10 Sep 2017 23:32:46 +0000
Source: zulucrypt
Binary: zulucrypt-cli zulumount-cli zulucrypt-gui zulumount-gui zulupolkit zulusafe-cli libzulucrypt-exe1.2.0 libzulucrypt-exe-dev libzulucrypt1.2.0 libzulucrypt-dev libzulucryptpluginmanager1.0.0 libzulucryptpluginmanager-dev libzulucrypt-plugins
Architecture: source amd64
Version: 5.2.0-2
Distribution: unstable
Urgency: medium
Maintainer: Marcio de Souza Oliveira <email address hidden>
Changed-By: Marcio de Souza Oliveira <email address hidden>
Description:
 libzulucrypt-dev - development files for libzulucrypt-1.2.0
 libzulucrypt-exe-dev - development files for the libzulucrypt-exe
 libzulucrypt-exe1.2.0 - provide the main functions of zulucrypt
 libzulucrypt-plugins - collection of plugins for zulucrypt
 libzulucrypt1.2.0 - provide the functions of zulumount
 libzulucryptpluginmanager-dev - development files for libzulucryptpluginmanager
 libzulucryptpluginmanager1.0.0 - provides support for plugins
 zulucrypt-cli - tool for encrypting volumes
 zulucrypt-gui - graphical front end for zulucrypt-cli
 zulumount-cli - tool that manages encrypted volumes
 zulumount-gui - graphical front end for zulumount-cli
 zulupolkit - handler the polkit privileges
 zulusafe-cli - cli that manages encrypted volumes

Changes:
 zulucrypt (5.2.0-2) unstable; urgency=medium
 .
   * Created the files zulupolkit.install and zuluPolkit.1.
   * debian/control:
       - Bumped Standards-Version to 4.1.0.
       - Created the package zulupolkit to acomodated the new tool
         zuluPolkit.
       - Removed qtkeychain-dev from Build-Depends.
         Thanks Mhogo Mchungu (Closes: #875291).
   * debian/rules:
       - Enabled the polkit support at build time.
       - Updated file.
   * Removed the files because are unnecessary with zulupolkit:
       - The files zulu*-gui-pkexec and zulu*-gui-pkexec.1.
       - The files org.debian.pkexec.zulu*-gui.policy.
       - The files zulu*-gui.links.
   * Removed the files zulu*-gui.menu.
   * Updated the files zulu*-gui.desktop.
   * Updated the files zulu*-gui.install.

Changed in zulucrypt (Ubuntu):
status: New → Fix Released
Will Cooke (willcooke)
tags: added: rls-aa-notfixing
removed: rls-aa-incoming
Ryan Beisner (1chb1n) wrote :

Raised https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/1724748 which I think is actually a dup of this existing bug. Here's what I'm seeing:

All (most?) gui apps fail to launch when using sudo, out-of-box, desktop 17.10 install. For example, gparted and virt-manager, which both require sudo, are not usable without a work-around.

#### Out-of-box experience
rbeisner@vistula:~⟫ sudo gedit
No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:32146): Gtk-WARNING **: cannot open display: :0

rbeisner@vistula:~⟫ xhost
access control enabled, only authorized clients can connect
SI:localuser:rbeisner

#### Work-around:

rbeisner@vistula:~⟫ xhost si:localuser:root
localuser:root being added to access control list

rbeisner@vistula:~⟫ xhost
access control enabled, only authorized clients can connect
SI:localuser:root
SI:localuser:rbeisner

rbeisner@vistula:~⟫ sudo gedit
rbeisner@vistula:~⟫ # (it launches ok)
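
Added example, not part of the thread: a Python check of what the X access list grants, run on the two `xhost` listings quoted in the comment above. It separates the narrow `si:localuser` entries used by the workaround from a blanket `xhost +`; the third listing is constructed, and the function name and result keys are this example's own.

```python
# Listings quoted in the comment above, before and after the workaround.
XHOST_BEFORE = """access control enabled, only authorized clients can connect
SI:localuser:rbeisner
"""
XHOST_AFTER = """access control enabled, only authorized clients can connect
SI:localuser:root
SI:localuser:rbeisner
"""
# Constructed sample: the state a blanket "xhost +" leaves behind.
XHOST_OPEN = """access control disabled, clients can connect from any host
SI:localuser:rbeisner
"""


def audit_xhost(output):
    """Summarise an `xhost` listing and flag grants wider than local users."""
    enforced = None
    local_users, other_entries = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("access control"):
            enforced = line.startswith("access control enabled")
            continue
        # Server-interpreted entries look like SI:<type>:<value>.
        family, _, rest = line.partition(":")
        kind, _, name = rest.partition(":")
        if family.upper() == "SI" and kind == "localuser" and name:
            local_users.append(name)
        else:
            other_entries.append(line)
    if enforced is None:
        raise ValueError("no access control status line in xhost output")

    findings = []
    if not enforced:
        findings.append("access control disabled: any client can connect")
    if other_entries:
        findings.append("entries other than si:localuser: "
                        + ", ".join(other_entries))
    return {
        "enforced": enforced,
        "local_users": local_users,
        "other_entries": other_entries,
        # True when the list alone lets a root-owned X11 client connect.
        "root_listed": (not enforced) or "root" in local_users,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("before", XHOST_BEFORE), ("after", XHOST_AFTER),
                        ("open", XHOST_OPEN)):
        print(label, audit_xhost(text))
```
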

Jeremy Bícha (jbicha) wrote :

Please do not use sudo to run gedit. Just use admin:/// URIs.

For instance, open admin:///etc/default/grub if you want to change a grub bootloader setting with gedit. You can use those admin:// URIs in most apps (it works in nautilus). The admin gvfs backend is a new feature in Ubuntu 17.04.

Ryan Beisner (1chb1n) wrote :

Right, it's just an example. Replace with `sudo virt-manager` equally.

Norbert (nrbrtx) wrote :

At least `gparted` and `synaptic` do not run on default fresh clean installation of Ubuntu 17.10.

Len Ovens (len-ovenwerks) wrote : Re: [Bug 1713313] Re: Unable to launch pkexec'ed applications on Wayland session

On Sat, 21 Oct 2017, Norbert wrote:
> At least `gparted` and `synaptic` do not run on default fresh clean
> installation of Ubuntu 17.10.
And as standard software installer does not:
a) pass on queries from the package install (so that jackd can be
properly installed for example)
b) does not alert the user that a package they are installing has to
remove another package the user still needs. This can leave the user with
a crippled system.

I have personally helped a number of people fix botched installs. I have
never had complaints after the user installs synaptic.

synaptic, though old and worn, is the only GUI installer that is safe to
use in my experience. It is also fast and provides package information
that allows trouble shooting package problems.

These extras may be confusing for a new computer user or someone coming
from windows, but points a and b above need to be addressed if new users
are to keep using Ubuntu longer than a quick try.

--
Len Ovens
www.ovenwerks.net

bodhi.zazen (bodhi.zazen) wrote :

Just a heads up, you do understand that this is a feature, not a bug?

https://bugzilla.redhat.com/show_bug.cgi?id=1274451

That bug is 2 years old and marked as "Status: CLOSED WONTFIX" both with Fedora and upstream with Wayland

See https://fedoraproject.org/wiki/How_to_debug_Wayland_problems#Graphical_applications_can.27t_be_run_as_root_from_terminal

And

https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/A6VXI4WAGSIIWGOTAVNDBVS4VFYXITHA/#2YU2RBYCXQSCGHGP772W5LRXUMTSINHA

XWayland bug report (from 2015) https://bugs.freedesktop.org/show_bug.cgi?id=91071

Bottom line: This is considered a part of wayland security and will not be resolved upstream. The upstream solution is to run graphical apps from the menu, not the command line.

Up to Ubuntu how to "resolve" this "problem" but Fedora decided 2 years ago to work on the graphical tools.

xhost is a work around for now and will remain so as long as apps have xwayland support.

Changed in backintime:
importance: Unknown → High
status: Unknown → Fix Released
dino99 (9d9)
description: updated
YannUbuntu (yannubuntu)
Changed in boot-repair:
assignee: nobody → YannUbuntu (yannubuntu)
importance: Undecided → Critical
status: New → In Progress
Changed in boot-info:
assignee: nobody → YannUbuntu (yannubuntu)
importance: Undecided → Critical
status: New → In Progress
Changed in os-uninstaller:
assignee: nobody → YannUbuntu (yannubuntu)
importance: Undecided → Critical
status: New → In Progress
YannUbuntu (yannubuntu)
Changed in boot-info:
status: In Progress → Fix Committed
Changed in boot-repair:
status: In Progress → Fix Committed
Changed in os-uninstaller:
status: In Progress → Fix Committed
Dave Steele (dsteele-gmail) wrote :
Changed in sirikali (Ubuntu):
status: New → Fix Released
Norbert (nrbrtx) wrote :

Y PPA Manager seems to be affected because of 'auth_admin' in /usr/share/polkit-1/actions/org.freedesktop.pkexec.y-ppa-manager.policy .

Phillip Susi (psusi) wrote :

Excuse my language Bodhi, but bull shit. You actually can run wayland apps as root just fine. It is only X11 apps running under wayland that no longer run as root, and the reason is simply that gdm3 fails to configure Xwayland with a proper Xauthority policy, the way its man page says it should. It isn't doing what its documentation says it should, so it's a bug.

Some idiots who think they are the end all know it alls are simply seizing on the opportunity to push their agenda that GUI applications should not be run as root.

bodhi.zazen (bodhi.zazen) wrote :

Obviously Phillip you are shooting off your foul mouth without knowing a
dammed thing you are talking about. It is obvious from your comments you
know nothing about wayland or wayland security and that you are just
spewing shit on the bug report.

Wayland , upstream, does not and will not support running graphical
applications, as root, from the terminal using sudo , period, end of story.
There are other mechanisms to grant graphical applications root access, but
again the application itself is not going to run as root.

Perhaps you should read the documentation and security discussions before
you put your foot so far into your mouth it comes out your ass and back in
again.

https://lwn.net/Articles/589147/

http://www.mupuf.org/blog/2014/02/19/wayland-compositors-why-and-how-to-handle/

https://lwn.net/Articles/517375/

And if you take your fat head out of your ass and look upstream you will
see every bug filed against wayland regarding the problem of running
graphical applications with sudo has been closed as either not a bug or
won't fix.

https://bugs.freedesktop.org/show_bug.cgi?id=99371

"Wayland dont support sudo users!"

Status <https://bugs.freedesktop.org/page.cgi?id=fields.html#bug_status>:
RESOLVED
NOTOURBUG

The is not all in any way claiming you can not run graphical apps as root,
you just need to use another method.

And your comment has nothing to do with running graphical apps in X .

On Wed, Dec 6, 2017 at 7:11 AM, Phillip Susi <email address hidden> wrote:

> Excuse my language Bodhi, but bull shit. You actually can run wayland
> apps as root just fine. It is only X11 apps running under wayland that
> no longer run as root, and the reason is simply that gdm3 fails to
> configure Xwayland with a proper Xauthority policy, the way its man page
> says it should. It isn't doing what its documentation says it should,
> so it's a bug.
>
> Some idiots who think they are the end all know it alls are simply
> seizing on the opportunity to push their agenda that GUI applications
> should not be run as root.
>
>
> ** Also affects: gdm3 (Ubuntu)
> Importance: Undecided
> Status: New

bodhi.zazen (bodhi.zazen) wrote :

First, let me say, I apologize for the tone of my last post.

As an explanation, I have a long history with psusi. Phillip is very intelligent and can, at times, be very helpful.

Phillip, however, also has serious issues. He is arrogant and will never admit he is wrong.

He also has his moods, I suspect he either has a personality disorder or is bipolar. When he gets in his moods he rants with blatant violations of the Ubuntu Code of Conduct. At these times he is impossible to reason with and usually escalates the situation.

How do I know you might ask ?

Because I served for some time as an Administrator on the Ubuntu Forums. Phillip was banned more than once for violations of the Ubuntu code of Conduct. I strongly suspect he has been banned for similar violations from other ubuntu sites / IRC as well.

https://www.ubuntu.com/about/about-ubuntu/conduct

On the forums, we would ban him for a period of time, 1-3 months depending on his behavior. Often we would start with a week or a month, but on his return he would start right back up with his violations, and we would extend the ban. Eventually he would cool down and we would restore his privileges.

He would behave himself for a few weeks or months and then start to slip. We, the Ubuntu Forums Admins, would send a few PM to him, but his behavior would again escalate and he would again be banned.

Frankly, I was shocked his post was not moderated, and after 24 hours I overreacted. My overreaction is partially because of my history with Phillip; I endured endless personal insults and foul language from him during my time as an administrator on the Ubuntu Forums.

My reaction is also because of the fact that I am no longer an Administrator on the Ubuntu Forums and, so I thought, if Launchpad is not going to enforce the Ubuntu Code of Conduct and regulate Phillip Susi (psusi) and his violations, I am not going to allow him to bully me.

Last, I would also like to point out, I know a fair amount about Wayland. I have been using wayland for a few years now and was testing it in Fedora before it became default. I am very familiar with Wayland Security Development and having Phillip Susi (psusi) make a wild claim "Excuse my language Bodhi, but bull shit. You actually can run wayland apps as root just fine." shows his ignorance on wayland as well as a clear violation of the Code of conduct. This is an example of the behavior I have seen from Phillip in the past. He thinks he knows something, and rather than taking the time to explain his position, he resorts to personal insults and intimidation. When he acts this way he is 9 times out of 10 wrong, as he is in this case.

Again, although Phillip has much to contribute, he has major personality flaws and violates the Ubuntu Code of Conduct, and I ask you to monitor his behavior very closely.

@psusi - Perhaps you can also add a few launchpad bug reports to your reading list:

https://bugs.launchpad.net/debian/+source/synaptic/+bug/1551951

PeterPall (peterpall) wrote on 2017-02-28: #3
According to https://bugzilla.redhat.com/show_bug.cgi?id=1274451 not allowing graphical user interfaces to run as root is a design decision of wayland. The way to go fo...

bodhi.zazen (bodhi.zazen) wrote :

Because Launchpad clips comments, I am re-posting so it does not so easily get lost.

@psusi - Perhaps you can also add a few launchpad bug reports to your reading list:

https://bugs.launchpad.net/debian/+source/synaptic/+bug/1551951

PeterPall (peterpall) wrote on 2017-02-28: #3
According to https://bugzilla.redhat.com/show_bug.cgi?id=1274451 not allowing graphical user interfaces to run as root is a design decision of wayland. The way to go for synaptic would be to run the graphical user interface as the unprivileged user who has called the program and then to use polkit in order to gain root rights for the portion of the program that does the actual installation and uninstallation of packages.

Mark (1aunchpad-nct) wrote on 2017-10-30: #7
I have removed the duplicate marking on this bug. The bug this was marked as a duplicate of, bug #1712089, is a general report about the inability to run graphical applications as root under Wayland. As noted in comment #3, this is a Wayland design decision and Synaptic needs to be changed.

I am concerned that if this bug remains as a duplicate it will be invisible to the Synaptic maintainers, delaying a fix.

Absent objections to this change, I will change the duplicate settings on the other Synaptic related bugs currently dup'ed to bug #1712089 to be dup's of this.

Importance needs to be set to High but I don't have permission to do that.

And if we follow the bug reports

https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/1712089

List of pkexec'ed applications is located in bug 1713313.
List of packages which use su-to-root and gksu/gksudo is located in bug 1713311

NOTE: THIS IS BUG 1713311

Also in bug 171089

Jean-Baptiste Lallement (jibel) wrote on 2017-08-21: #3
Thanks for your report.

This is a known issue with wayland and documented on https://fedoraproject.org/wiki/How_to_debug_Wayland_problems#Graphical_applications_can.27t_be_run_as_root_from_terminal

And from that Fedora link

Graphical applications can't be run as root from terminal

It is not possible to start graphical apps under the root account from terminal when using su or sudo. Apps which use polkit to request administrator permissions for just certain operations and only when needed are not affected (they are not started as root right away). The discussion is ongoing about the best approach to take, see bug 1274451 and "On running gui applications as root" thread in fedora-devel mailing list.

Which links once again as a "Won't fix" bug report

https://bugzilla.redhat.com/show_bug.cgi?id=1274451

There is a lot of information on that bug report as well, including links to the upstream source code.

Olivier Fourdan 2015-10-30 05:43:14 EDT
And this is on purpose obviously, I should have mentioned:

http://cgit.freedesktop.org/xorg/xserver/commit/?id=c4534a3
http://cgit.freedesktop.org/xorg/xserver/commit/?id=4b4b908
http://cgit.freedesktop.org/xorg/xserver/commit/?id=76636ac

Michael Catanzaro 2016-11-28 15:58:23 EST
OK, to avoid the potential for misunderstood expectations: there are currently no plans to support running graphical apps with sudo under Wayland, and it seems quite unlikely that this will change anytime soon, s...

Jeremy Bícha (jbicha) wrote :

Please could both of you take a deep breath and stop the personal attacks and aggressive language?

ԜаӀtеr Ⅼарсһуnѕkі (wxl) wrote :

Speaking as a member of the Ubuntu Community Council, I'm going to have to ask that we dial down the tone here. As you know, the Code of Conduct (https://www.ubuntu.com/about/about-ubuntu/conduct) means that we should act with respect and consideration, act collaboratively and work towards consensus and clarity. That's sadly not what I'm seeing in this discussion and we need to put an end to it.

I will also comment that if anyone sees a violation of this, the appropriate action is not to escalate the language, but to take it down a notch. If you don't feel like you can do that, that's what the Community Council is for. Discussing someone's personal history publicly not to mention speculating about someone's medical conditions, however appropriate it is in regards to a violation of the CoC, is not in any way respectful or considerate.

That said, let's keep any further discussion about people directed towards <email address hidden> and let's keep the bug report for talking about the actual software.

Speaking of the bug, some things to point out:

 1. I note that this is a known issue in the 17.10 release (https://wiki.ubuntu.com/ArtfulAardvark/ReleaseNotes#Desktop) with a note suggesting that Fedora is the upstream. That said, if the problem is an issue of upstream Wayland security policy, then, this is a bug report that should be filed upstream. In other words, it is not an Ubuntu problem.
 2. If the issue is how Ubuntu deals with this, there are currently several documented workarounds to fix the problem as above, and it's clear that other work is being done (PolicyKit, admin URIs, etc.) to try to solve this problem once and for all.

Thank you all.

bodhi.zazen (bodhi.zazen) wrote :

I did not start the personal attacks, I did not reply until you all allowed
his comment to stand for a full 24 hours, and I already apologized for my
posts. However, I will not allow psusi to bully me on launchpad either. If
he posts personal attacks here I will defend myself.

On Fri, Dec 8, 2017 at 8:33 AM, Jeremy Bicha <email address hidden> wrote:

> Please could both of you take a deep breath and stop the personal
> attacks and aggressive language?

bodhi.zazen (bodhi.zazen) wrote :

Frankly, his first post is not only wrong regarding wayland, but it is also
a clear violation of the Ubuntu code of conduct.

https://www.ubuntu.com/about/about-ubuntu/conduct

I am surprised you let his comment stand and I am shocked you allow such
behavior from one of your developers. I have seen people reprimanded and
banned for such behavior, yet you do nothing.

As long as you tolerate his behavior you by default have to also tolerate
the response he evokes, you can not have it both ways.

Having a developer behave this way undercuts all of Ubuntu.

On Fri, Dec 8, 2017 at 8:33 AM, Jeremy Bicha <email address hidden> wrote:

> Please could both of you take a deep breath and stop the personal
> attacks and aggressive language?

ԜаӀtеr Ⅼарсһуnѕkі (wxl) wrote :

Again: let's keep any further discussion about people directed towards <email address hidden> and let's keep the bug report for talking about the actual software. In other words, no more comments about the CoC violations in this bug report. Let's get back to talking about the software.

Jeremy Bícha (jbicha) wrote :

I'm wontfixing the gdm3 component. See LP: #1652282

Changed in gdm3 (Ubuntu):
status: New → Won't Fix
Jan Claeys (janc) wrote :

Folks, let's all calm down a bit and try to cooperate...

One of the problems here is that several very useful GUI applications which have always run as root don't have alternatives to replace them, but also they don't have the developers available to convert to a non-root frontend + root backend architecture (this is far from a trivial change to an application!).

Is there any way we can solve this issue *together*, somehow solving the potential security issues of running a GUI application as root, as well as preserving the functionality these applications provide for our users?

Where/how can we find people experienced & willing to do these changes?

Is there any funding available for such conversions?

Instead of blaming each other, please let's work together on a solution...

Phillip Susi (psusi) wrote :

On 12/7/2017 8:15 PM, bodhi.zazen wrote:
> Wayland , upstream, does not and will not support running graphical
> applications, as root, from the terminal using sudo , period, end of story.
> There are other mechanisms to grant graphical applications root access, but
> again the application itself is not going to run as root.

Yes, it does, as you can easily test by su-ing to root and running gedit.

> And if you take your fat head out of your ass and look upstream you will
> see every bug filed against wayland regarding the problem of running
> graphical applications with sudo has been closed as either not a bug or
> wont fix.

https://bugs.freedesktop.org/show_bug.cgi?id=91071 is not.

Neither is https://bugzilla.gnome.org/show_bug.cgi?id=789867

And there it is noted that wayland does not explicitly allow or deny
root applications.

> On the forums, we would ban him for a period of time, 1-3 months
> depending on his behavior. Often we would start with a week or a month,
> but on his return he would start right back up with his violations, and
> we would extend the ban. Eventually he would cool down and we would
> restore his privileges.

Well now you're just lying. You banned me permanently one time because
I dared to point out that you incorrectly closed another user's thread
for breaking the rules when he did no such thing.

> reference 32 is here https://lwn.net/Articles/517375/

This talks about weston not having to be run as root; not disallowing
client applications running as root.

> The blog is here http://mupuf.org/blog/2014/02/19/wayland-compositors-
> why-and-how-to-handle/

This talks about having weston be able to isolate different clients from
interfering with one another. Nowhere does it talk about refusing
clients with uid=0.

> Please could both of you take a deep breath and stop the personal
> attacks and aggressive language?

I haven't made any personal attacks. What I have done is point out that
this misconception that disallowing root applications is not true; that
gdm fails to perform its job as described by its man page. This
therefore is, ipso facto, a bug, whether or not you agree with the
terrible user facing consequences it has.

ԜаӀtеr Ⅼарсһуnѕkі (wxl) wrote :

We need to talk about software here, not personal issues. You both are going to stop attacking each other, defending yourself against each other, and talk about software. If you cannot talk about the software without getting these other issues intermingled here, do not comment at all.

Since you seem to be concerned about the user experience, please recognize the user experience for all the people looking at this bug report. Be nice.

bodhi.zazen (bodhi.zazen) wrote :

Phillip:

You were banned from the Ubuntu Forums not by me personally, but rather by the Forums Council after repeated violations of the CoC and difficult interactions with the Forums Staff including both moderators and Forums Council Members.

You appealed your ban to the Community Council, and your ban was upheld.

This is not the appropriate place to protest your ban. I am no longer an active staff member; please contact the current Forums Council if you wish to discuss any potential future use of the Forums.

https://wiki.ubuntu.com/ForumCouncil

As far as the technical discussion I am afraid we will have to agree to disagree.

I can not always follow what you are saying, but I have the impression, perhaps falsely, you do not understand or that you intermingle issues of Wayland, X (XWayland, Xhost), and Weston, those are fairly diverse features / functions.

At any rate, I also think you do not understand that Wayland is in rapid development and not all the mechanisms of security have been agreed on upstream or resolved.

I believe Upstream has made their security intentions very clear in their mailing list and security blog, which I have provided for your consideration.

The fedora experience makes this very clear in their bug reports as well. The Fedora project has raised most if not all of your issues, and as they are a bit further ahead, the Fedora Bug Reports are referenced here.

This thread makes it clear that Ubuntu is working not on revamping wayland security, but by rewriting applications and the way they obtain elevated privileges.

I also see your bugs getting closed as "wont fix" here on Ubuntu.

My best suggestion would be that you engage into a technical discussion with your LP mentor, the community council, perhaps Norbert, or one of the Gnome Developers whom you respect rather than continue a discussion with myself, here, on this bug report.

I suggest you conduct such a technical discussion outside this bug report, perhaps on the gnome or wayland mailing list or IRC or whatever channel you feel benefits you most. I have given you the Wayland mailing list and links to security discussions and can send them again if you would like.

I believe this bug report is not the best place to obtain the clarification and answers to your questions and I have in good faith provided you and others what I would hope would be helpful information and sources of further information.

bodhi@daemon:~$sudo gedit
No protocol specified
Unable to init server: Could not connect: Connection refused

(gedit:7374): Gtk-WARNING **: cannot open display: :0
bodhi@daemon:~$sudo su -

root@daemon:~#gedit
Unable to init server: Could not connect: Connection refused

(gedit:7346): Gtk-WARNING **: cannot open display:

I believe once Upstream (Wayland) feels the wayland code has matured their long term intentions will be to drop XWayland and support for circumventing wayland security via the mechanisms you currently use / exploit such as Xhost , su - , etc.

I believe Xwayland and Xhost are intended to give downstream projects such as Fedora and Ubuntu time to transition from X to Wayland and time for Wayland to mature. Obviously this is a large project, bo...

Norbert (nrbrtx) wrote :

Problem with `nemo` "Open as Root" is confirmed on 18.04.

tags: added: bionic
Norbert (nrbrtx) wrote :

synaptic confirmed on 18.04.

Len Ovens (len-ovenwerks) wrote :

Gui no longer run su

Changed in ubuntustudio-controls (Ubuntu):
assignee: nobody → Len Ovens (len-ovenwerks)
status: New → Fix Released
PeterPall (peterpall) wrote :

This isn't a bug but a major feature of wayland: If you have root rights you no longer get access to the graphical user interface, which makes it harder for a gui application to spy on another application's keyboard input. The drawback of this is that every application that needs root rights for its work has to be re-written to have 2 parts:

 - the actual gui application and
 - a small helper that gets root access using pkgkit

The second advantage of this security measure is that the whole application, which might suffer from security flaws, no longer has root access, but only the part that really needs root rights.

tl;dr: The fact that gui applications no longer run when given root rights won't change. It is the applications that have to adapt.
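
The two-part layout described in this comment, as an added sketch that is not code from any of the affected packages: an unprivileged frontend builds a `pkexec` command line, and a small root helper re-validates the request before running `ufw`. The helper path, the `ufw` location and the action names are assumptions chosen for illustration.

```python
"""Frontend/helper split: the GUI stays unprivileged; only a small,
argument-checking helper runs as root through pkexec.
HELPER_PATH, UFW and the action names are assumptions for illustration."""
import os
import re
import subprocess
import sys

HELPER_PATH = "/usr/libexec/example-fw-helper"  # hypothetical install path
UFW = "/usr/sbin/ufw"                           # assumed location of ufw


class RequestError(ValueError):
    """Raised when a request is outside the helper's closed command set."""


def _port(value):
    # fullmatch, not match: "80\n" or "80;x" must not pass as a port number
    return re.fullmatch(r"[1-9][0-9]{0,4}", value) is not None and int(value) <= 65535


# action name -> (fixed ufw arguments, validators for caller-supplied values)
ACTIONS = {
    "status": (["status"], []),
    "allow-port": (["allow"], [_port]),
    "deny-port": (["deny"], [_port]),
}


def parse_request(argv):
    """Validate helper arguments; return (action, values) or raise RequestError."""
    if not argv or argv[0] not in ACTIONS:
        raise RequestError("unknown or missing action")
    action, values = argv[0], list(argv[1:])
    validators = ACTIONS[action][1]
    if len(values) != len(validators):
        raise RequestError(f"{action}: expected {len(validators)} argument(s)")
    for value, check in zip(values, validators):
        if not check(value):
            raise RequestError(f"{action}: bad argument {value!r}")
    return action, values


def is_acceptable(argv):
    """Frontend-side pre-check, e.g. to enable or disable an Apply button."""
    try:
        parse_request(argv)
    except RequestError:
        return False
    return True


def build_pkexec_command(action, *values):
    """GUI side: an argv list for pkexec, never a shell string."""
    parse_request([action, *values])
    return ["pkexec", HELPER_PATH, action, *values]


def backend_command(action, values):
    """Helper side: map a validated request onto the one program it may run."""
    return [UFW, *ACTIONS[action][0], *values]


def caller_uid(environ):
    """pkexec exports the invoking user's id as PKEXEC_UID; None if absent."""
    raw = environ.get("PKEXEC_UID", "")
    return int(raw) if re.fullmatch(r"[0-9]+", raw) else None


def helper_main(argv, environ=os.environ):
    """Entry point of the root helper. It never opens a display connection."""
    try:
        action, values = parse_request(argv)  # re-validate: the GUI is untrusted
    except RequestError as exc:
        print(f"rejected: {exc}", file=sys.stderr)
        return 2
    print(f"uid {caller_uid(environ)} requested {action} {values}", file=sys.stderr)
    return subprocess.run(backend_command(action, values), check=False).returncode


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # invoked as the installed helper
        sys.exit(helper_main(sys.argv[1:]))
    print(build_pkexec_command("allow-port", "8080"))  # constructed demo request
    print(backend_command(*parse_request(["deny-port", "22"])))
```

Only `helper_main` ever runs with root rights, and it needs neither `DISPLAY` nor `WAYLAND_DISPLAY`, so the display server's access policy never applies to it.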

Franck (alci) wrote :

Are there any plans to move forward and try to coordinate application rewrites/adaptation?
I'm not in love with wayland, but isolating graphical applications from each other seems a legitimate concern (see https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html for example).

Now that Ubuntu has given up on Wayland by default, I'm afraid there is now less incentive for transitioning to the security model wayland wants to impose. So what? Should we use firewalld instead of ufw?

Oliver Grawert (ogra) wrote :

> Now that Ubuntu has given up on Wayland by default

Ubuntu has not given up on Wayland by default but delayed it by one more LTS (particularly because of bugs like this one).

Wayland by default is still the plan for the next LTS (and the interim releases between 18.04 and 20.04). The incentive for transitioning the apps has not dropped but it was clear that it could not be finished by 18.04.

A. Denton (aquina) wrote :

Franck, I liked your post, because I think you addressed a serious issue. As Joanna R. (Invisible Things Lab) pointed out repeatedly, X is not secure by design.

However, I don't understand your question whether one should use firewalld instead of ufw? Isn't that an entirely different matter?

Sebastian Parschauer (s-parschauer) wrote :

At scanmem/GameConqueror we handle this like GParted. Setting this to invalid as no other security model fits our need. Btw.: OpenSUSE Leap 15 managed to provide Wayland with proper pkexec permissions so that GameConqueror runs unchanged on Wayland.

Changed in scanmem (Ubuntu):
status: New → Invalid
Franck (alci) wrote :

@aquina I was just pointing to ufw vs firewalld as it is the app (gufw) that drove me here. I also wanted to point out that by adopting Gnome / Systemd / Wayland / ... Ubuntu is now dependent and has to keep up with the new upstream, which tends to be RedHat / Fedora.

Phillip Susi (psusi) wrote :

On 8/6/2018 12:57 PM, PeterPall wrote:
> This isn't a bug but a major feature of wayland: If you have root rights
> you no more get access to the graphical user interface which makes it
> harder for a gui application to spy on another application's keyboard
> input. The drawback of this is that every application that needs root
> rights for its work has to be re-written to have 2 parts:

No Peter, this is incorrect. Wayland is just fine with programs running
as root. The bug is in gdm3 which is supposed to generate an Xorg
configuration that sets up XAUTHORITY. Instead when it configures the
Xwayland X11 compatibility server, it configures it to check UID instead
of using XAUTHORITY. The result is that X11 apps running as root fail
to work, but native Wayland/GTK3 applications run as root work just fine.

bodhi.zazen (bodhi.zazen) wrote :

Phillip: I don't know why they even allow you to speak on this thread. Please stop spreading misinformation.

Your gdm3 / XAUTHORITY "bug" has been closed as obsolete, it does not work the way you envision.

https://bugzilla.gnome.org/show_bug.cgi?id=789867

Yes, it was migrated, but there is no acknowledgement in the new location that your gdm3 / XAUTHORITY "bug" is going to get addressed in the new location and, as with your other "bugs", will be closed.

The other "bug" you claimed earlier was closed as "not a bug"

https://bugs.freedesktop.org/show_bug.cgi?id=91071

Your continued comments on the subject are misleading at best.

Phillip Susi (psusi) wrote :

On 8/15/2018 11:46 AM, bodhi.zazen wrote:
> Phillip: I don't know why they even allow you to speak on this thread.
> Please stop spreading misinformation.

Go stand in front of a mirror. That is the person spreading misinformation.

> Your gdm3 / XAUTHORITY "bug" has been closed as obsolete, it does not
> work the way you envision.
>
> https://bugzilla.gnome.org/show_bug.cgi?id=789867

No, it hasn't... it has been migrated to the new bug tracker.

> Yes it was migrated, but there is no acknowledgement in the new location
> that your gdm3 / XAUTHORITY "bug" is going to get addressed in the new
> location and, as with your other "bugs", will be closed.
>
> The other "bug" you claimed earlier was closed as "not a bug"
>
> https://bugs.freedesktop.org/show_bug.cgi?id=91071

That isn't mine, and it was closed because it was filed against
Xwayland, which is not where the bug is. Xwayland is doing what it was
told to do by gdm3.

ԜаӀtеr Ⅼарсһуnѕkі (wxl) wrote :

Phillip and bodhi, I know this is something we have discussed before, but I'm going to say it again and hopefully for the last time: please keep your comments civil. You can disagree with each other all you want, but do it respectfully, please. If you see yourself using the word "you" (or if it's implied) in a comment, that's a sign you're probably doing something wrong.

bodhi.zazen (bodhi.zazen) wrote :

@Walter Lapchynski (wxl) please have the technical board review the bullshit Phillip Susi (psusi) posts here and then ask him to stop. Until then, leave me alone and do not include me in your moderation.

ԜаӀtеr Ⅼарсһуnѕkі (wxl) wrote :

bodhi, having the Technical Board review Phillip's posts might be completely reasonable so as to finally end this conversation once and for all. That has no bearing on the moderation, though.

The entire Ubuntu Community is bound by the terms of the Code of Conduct, which, in short, means being nice to one another, regardless of our points of view. So, I'm sorry, you don't just get to treat people however you want just because you disagree with them. There is no moderation as it concerns your attempts to correct a confusing technical situation. Where the moderation exists is where it no longer remains technical and especially where it becomes a personal attack.

costales (costales) wrote :

Hi,

Would this hack fix the issue? (Add/Remove xhost +si:localuser:root to the launcher)
I don't know if this could mean something dangerous in Wayland.

https://bazaar.launchpad.net/~costales/gui-ufw/wayland/revision/19

Thanks in advance.

Phillip Susi (psusi) wrote :

costales writes:

> Would this hack fix the issue? (Add/Remove xhost +si:localuser:root to the launcher)
> I don't know if this could mean something dangerous in Wayland.

I'm not sure if it will fix things run as root via pkexec but it will if
you manually run gui programs as root. There's no risk involved since
root can already do anything anyhow, including debug the X server and
force it to let them connect.
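
A launcher wrapper for the add/remove approach asked about above, as an added example (not the code in the linked gui-ufw revision): it adds the `xhost` grant only if it is missing and removes it again even when the program fails to start. `FakeX` is constructed scaffolding that stands in for `subprocess.run`, so the logic can be checked without an X server; the program name `example-gui` is a placeholder.

```python
"""Grant root access to the X server only while the privileged program runs."""
import subprocess
from types import SimpleNamespace

GRANT = "si:localuser:root"


def parse_xhost(output):
    """Return (access_control_enabled, entries) from the text `xhost` prints."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    enabled = bool(lines) and lines[0].lower().startswith("access control enabled")
    return enabled, {line.lower() for line in lines[1:]}


def root_is_granted(output):
    """True if root may already connect according to an `xhost` listing."""
    enabled, entries = parse_xhost(output)
    # With access control disabled, every client may connect, root included.
    return (not enabled) or GRANT in entries


def run_with_root_grant(command, run=subprocess.run):
    """Run `command`, adding the grant first and removing it afterwards.

    A grant that existed before the launcher started is left untouched, and
    the removal happens even if the command fails or raises.
    """
    listing = run(["xhost"], capture_output=True, text=True, check=True).stdout
    added = not root_is_granted(listing)
    if added:
        run(["xhost", "+" + GRANT], capture_output=True, text=True, check=True)
    try:
        return run(command, check=False).returncode
    finally:
        if added:
            run(["xhost", "-" + GRANT], capture_output=True, text=True, check=True)


class FakeX:
    """Constructed stand-in for subprocess.run that emulates the xhost list."""

    def __init__(self, entries=(), fail=False):
        self.entries, self.fail, self.calls = set(entries), fail, []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        if argv == ["xhost"]:
            text = "access control enabled, only authorized clients can connect\n"
            text += "".join(f"{entry}\n" for entry in sorted(self.entries))
            return SimpleNamespace(stdout=text, returncode=0)
        if argv[0] == "xhost":
            entry = "SI:" + argv[1][4:]   # "+si:localuser:root" -> "SI:localuser:root"
            if argv[1][0] == "+":
                self.entries.add(entry)
            else:
                self.entries.discard(entry)
            return SimpleNamespace(stdout="", returncode=0)
        if self.fail:
            raise OSError("constructed launch failure")
        return SimpleNamespace(stdout="", returncode=0)


if __name__ == "__main__":
    fake = FakeX()
    run_with_root_grant(["pkexec", "example-gui"], run=fake)
    print(fake.calls, fake.entries)
```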

YannUbuntu (yannubuntu)
Changed in boot-repair:
status: Fix Committed → Fix Released
YannUbuntu (yannubuntu)
Changed in os-uninstaller:
status: Fix Committed → Fix Released
Changed in boot-info:
status: Fix Committed → Fix Released
Sean Davis (bluesabre)
no longer affects: lightdm-gtk-greeter-settings
no longer affects: ubuntustudio-default-settings (Ubuntu)
Changed in lightdm-gtk-greeter-settings:
status: Unknown → New
Norbert (nrbrtx)
tags: removed: artful
buhtz (buhtz) wrote :

I'm really new to the "bug"(?) and a bit overwhelmed about all the information here. The last post is over one year ago but the ticket is still open.

Can someone please give a summary about the current state of the problem and maybe a workaround?

I'm not sure but it seems to me that this really fresh upstream ticket (reported by me as one of the upstream maintainers) for "backintime" is related to it.
https://github.com/bit-team/backintime/issues/1348
Can you confirm that this upstream ticket is related to the launchpad ticket here?

buhtz (buhtz) wrote :

Please re-open and report back if you can reproduce the problem with the latest upstream(!) version of Back In Time.

Be aware that the latest version (1.3.3-4) in Ubuntu is outdated.

Changed in backintime (Ubuntu):
status: Confirmed → Fix Released