I just heard that it isn't recommended to use sudo -i
on GUI programs – because it's less secure.
Is there any truth here – is there an advantage to this:
sudo -i gedit /random/file.name
over
pkexec gedit /random/file.name
I used to use gksudo, but that's been phased out, so now I use sudo -i
to prevent root owning files in my home area. But should I really be using pkexec
?
Here is a reason:
The environment that PROGRAM will run [in], will be set to a minimal known and safe environment in order to avoid injecting code through
LD_LIBRARY_PATH
or similar mechanisms. In addition thePKEXEC_UID
environment variable is set to the user id of the process invokingpkexec
.
Best Answer
I think the security concern you are referring to comes from the fact that if you use sudo, with or without the -i, you have an active permission to run sudo commands, for 5 minutes. If you were to do
sudo vim /file.txt
then leave, your computer unattended the sudo session would still be active. someone could come along and typesudo rm /file.txt
or worse.pkexec will prompt you for a password every-time, which would seem a little more secure.
I think Elementary OS is intended for schools, where the physical environment shouldn’t be considered secure. Students may well show up at your desk moments after you leave. Comparatively, in my Business office, where only 3 folks have the key, and my computer is moderately secure in the physical sense, I'm less concerned with untrusted individuals running in and using my PC unsupervised. If I run sudo command, then leave, I'm assuming no one will come in and give malicious sudo commands.
I make no claim to be a security expert, but I think that is what the elementary OS folks are thinking.