Author: tempforever Date: To: dng Subject: Re: [DNG] pkexec in Chimaera
Lars Noodén via Dng wrote: > On 11/8/21 05:12, tempforever wrote:
> [snip]> Lars Noodén via Dng wrote:
>>> You could consider running sudoedit instead. That will allow you to
>>> edit a file as root (or any other designated account) while still
>>> running the editor itself under the unprivileged account. One should
>>> not run graphical programs as root, if it can be avoided.
>>>
>> Thank you for the help also. sudoedit requires user "a" to be in sudo
>> group, which I'd prefer not to do. A non-gui text editor invoked with
>> su -c will work for now.
>
> Please take another look at /etc/sudoers because the system is allowed
> to have more than one group and users may be in more than one group at a
> time. Also, there can be more than one single line in /etc/sudoers or
> in any of the files beneath /etc/sudoers.d/
>
> Thus you can have a group for account "a" which allows it to run
> sudoedit but nothing else, and it doesn't even have to be a new group:
>
> %a ALL=(ALL:ALL) sudoedit
>
> See "man sudoers" for that. sudo is certanly one of the most
> misunderstood and misused utilities around, in part because of the
> tragic default settings spread by the Ubuntu distros, an affliction it
> gets from Debian's default settings.
> Thanks again for pointing me to sudoers. I was (mistakenly) under the
impression that the user had to be in the sudo group. And yes, I did
previously use mint/ubuntu. I had played around with sudoers previously
for a different system (including once when I messed it up badly, not
using visudo; had to boot from a live disk to fix it).
You say that sudoedit will run the editor itself under the unprivileged
account; however, it appears it does run as root:
tempo@dev1:~$ ps aux|grep sudoedit
root 3167 0.0 0.1 11176 5332 pts/0 S+ 13:42 0:00
sudoedit /etc/hosts
tempo 3177 0.0 0.0 6180 664 pts/1 S+ 13:42 0:00 grep
sudoedit
Le 08/11/2021 à 14:16, Didier Kryn a écrit :
> There is a hand-made replacement for pkexec and the good old gksu
> and gksudo:
>
> In your sudoers file (edited with visudo), put the following line
>
> Defaults env_keep = "XAUTHORITY DISPLAY"
>
> Note there can be other variables in the list, like EDITOR, but the
> above are the ones which will allow you to run GUIs under root priviledge.
>
> Then allow yourself to run foo with sudo (also by editing your sudoers
> file vith visudo) and then
>
> sudo foo
Nice to know this also; I can now verify that it does indeed work as you describe.