Ubuntu – Is sudo -i less secure than pkexec

pkexecsudo

I just heard that it isn't recommended to use sudo -i on GUI programs – because it's less secure.

Is there any truth here – is there an advantage to this:

sudo -i gedit /random/file.name

over

pkexec gedit /random/file.name

I used to use gksudo, but that's been phased out, so now I use sudo -i to prevent root owning files in my home area. But should I really be using pkexec?

Here is a reason:

The environment that PROGRAM will run [in], will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.

Best Answer

I think the security concern you are referring to comes from the fact that if you use sudo, with or without the -i, you have an active permission to run sudo commands, for 5 minutes. If you were to do sudo vim /file.txt then leave, your computer unattended the sudo session would still be active. someone could come along and type sudo rm /file.txt or worse.

pkexec will prompt you for a password every-time, which would seem a little more secure.

I think Elementary OS is intended for schools, where the physical environment shouldn’t be considered secure. Students may well show up at your desk moments after you leave. Comparatively, in my Business office, where only 3 folks have the key, and my computer is moderately secure in the physical sense, I'm less concerned with untrusted individuals running in and using my PC unsupervised. If I run sudo command, then leave, I'm assuming no one will come in and give malicious sudo commands.

I make no claim to be a security expert, but I think that is what the elementary OS folks are thinking.

How to configure `pkexec` to avoid getting errors when run GUI applications?

I found two possible ways:

As you can see, using the following:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit

will not get you any error. And this is normal because man pkexec is very clear in this matter:

       [...] pkexec will not allow you to run X11 applications
       as another user since the $DISPLAY and $XAUTHORITY environment
       variables are not set.[...]

As result you can create an (permanent) alias (this is the simpliest way):

alias pkexec='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY'

Or, (again) as man pkexec says:

       [...] These two variables will be retained if the
       org.freedesktop.policykit.exec.allow_gui annotation on an action is set
       to a nonempty value; this is discouraged, though, and should only be
       used for legacy programs.[...]

you can create a new policy file in /usr/share/polkit-1/actions named com.ubuntu.pkexec.gedit.policy with the following xml code inside where the most important thing is to set org.freedesktop.policykit.exec.allow_gui to a nonempty value:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.gedit">
    <message gettext-domain="gparted">Authentication is required to run gedit</message>
    <icon_name>gedit</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

How to tell it to not ask for a password after the first time applying it to a command?

For these three setting tags: allow_any, allow_inactive and allow_active from the policy file, the following options are available:

no: The user is not authorized to carry out the action. There is therefore no need for authentication.
yes: The user is authorized to carry out the action without any authentication.
auth_self: Authentication is required but the user need not be an administrative user.
auth_admin: Authentication as an administrative user is require.
auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

^{Source: Polkit - Structure - Actions}

So, if you use auth_admin_keep option (or, as applicable, auth_self_keep), pkexec will not ask for a password again for some time (by default this time is set to 5 minutes as I checked). The disadvantage here is that this thing is applicable only for one - the same - command / application and valid for all users (unless if it is overruled in later configuration).

Where to save the configuration file if not yet existing?

Configuration files or polkit definitions can be divided into two kinds:

Actions are defined in XML .policy files located in /usr/share/polkit-1/actions. Each action has a set of default permissions attached to it (e.g. you need to identify as an administrator to use the GParted action). The defaults can be overruled but editing the actions files is NOT the correct way. The name of this policy file should have this format:
```
com.ubuntu.pkexec.app_name.policy
```
Authorization rules are defined in JavaScript .rules files. They are found in two places: 3rd party packages can use /usr/share/polkit-1/rules.d (though few if any do) and /etc/polkit-1/rules.d is for local configuration. The .rules files designate a subset of users, refer to one (or more) of the actions specified in the actions files and determine with what restrictions these actions can be taken by that/those user(s). As an example, a rules file could overrule the default requirement for all users to authenticate as an admin when using GParted, determining that some specific user doesn't need to. Or isn't allowed to use GParted at all.

^{Source: Polkit - Structure}

Is there a GUI application to configure `pkexec` usage?

From what I know, until now (18.01.2014) doesn't exist something like this. If in the future I will find something, I will not forget to update this answer too.

Ubuntu – How to configure pkexec to not ask for password

It's improper to say that: "It seems that on Ubuntu, calls to sudo from the GUI are somehow being intercepted by pkexec". pkexec doesn't have much in common with sudo. In contrast with sudo, pkexec does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.

Now, if you want to run a GUI application without being asked by a password by pkexec, this is not difficult to be done. Let's take for example GParted. When you open it, you will see the following dialog window asking you by a password:

gparted authenticate

Click Details and the dialog window will look now like:

gparted authenticate - details

From here all you have to do is to open /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy file using for example the following command:

gksu gedit /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy

and change the following lines:

      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>

with the followings:

      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>

Save the file and close it. Next, when you will open GParted you will not be asked for a password anymore.

Best Answer

Related Solutions

Ubuntu – How to configure pkexec

How to configure pkexec to avoid getting errors when run GUI applications?

How to tell it to not ask for a password after the first time applying it to a command?

Where to save the configuration file if not yet existing?

Is there a GUI application to configure pkexec usage?

Ubuntu – How to configure pkexec to not ask for password

Related Question

How to configure `pkexec` to avoid getting errors when run GUI applications?

Is there a GUI application to configure `pkexec` usage?