🚀 go-pugleaf

On Sun, Jun 14, 2009 at 11:47 AM, Osamu Aoki<osamu@debian.org> wrote:
> On Sun, Jun 14, 2009 at 10:27:56AM -0400, Patrick Wiseman wrote:
>> On Sun, Jun 14, 2009 at 8:16 AM, Patrick Wiseman<pwiseman@gmail.com> wrote:
>> > On Sun, Jun 14, 2009 at 4:19 AM, Andrei Popescu<andreimpopescu@gmail.com> wrote:
>> >> On Sat,13.Jun.09, 09:32:52, Patrick Wiseman wrote:
>> >>> Running 'sudo gnome-terminal' (which is the equivalent) reports
>> >> How do you know that? I thought gksu was used for that. Try:
>> >> gksu gnome-terminal
>> > ** (gnome-terminal:14228): WARNING **: Failed to connect to the
>> > session manager: Authentication Rejected, reason : None of the
>> > authentication protocols specified are supported and host-based
>> > authentication failed
>> >
>> > Failed to contact the GConf daemon; exiting.
>> >
>> > Which, I suppose, is slightly more informative.  But the fact remains
>> > that Root Terminal in the Accessories menu is, for some reason,
>> > disabled.  (This is on a fully up-to-date, amd64, testing system.)
>>
>> Further Googling informs me that "the result [of Gconf using D-Bus] is
>> that root applications can’t use the user’s GConf settings anymore.
>> This is a design restriction in D-Bus."
>> [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390]  Well,
>> that's just stupid, especially for experienced users like myself; I
>> NEED to be able to use gnome-terminal as root.  I don't want a hackish
>> workaround, I just want it to work as it always has.  Is there ANY way
>> to make D-Bus less restrictive?
>
> Well, does this problem happens if user uses sudo mode for gksu.
>
> Application-> System Tools-> Configuration Editor:
> /apps/gksu/sudo-mode

Makes no difference; 'gksu gnome-terminal' fails without a message.

> Also question is what happens if you enter followings in terminal.
>
>  $ su -c   gnome-terminal
>  $ sudo    gnome-terminal
>  $ sudo -H gnome-terminal

All fail with "Failed to contact the GConf daemon; exiting."

Apparently, dbus will accept changes in a system-local.conf file, so
I'll see if I can figure out what I need to do in there.

Patrick

Bug reported as Bug#533089

Sadly, if your diagnosis is correct, it may not be fixable...

Oh well, I guess that's what "sudo -i" in a normal terminal is for...

Rick

On Sun, Jun 14, 2009 at 3:13 PM, Rick Thomas<rbthomas55@pobox.com> wrote:
>
> Bug reported as Bug#533089
>
> Sadly, if your diagnosis is correct, it may not be fixable...
>
> Oh well, I guess that's what "sudo -i" in a normal terminal is for...

'sudo -l' you mean?  That (or just 'su' alone) gives me root access
within a gnome-terminal, at which point I can do what I need to do.
But that also demonstrates that whatever security concerns are driving
the disabling of 'Root Terminal' from the menu are completely bogus.
And it has conveniences (not having to provide a password every time I
open a new tab, for example) which this workaround doesn't.  Oh, well,
indeed ....

Patrick

On Jun 14, 2009, at 8:24 PM, Patrick Wiseman wrote:

> On Sun, Jun 14, 2009 at 3:13 PM, Rick Thomas<rbthomas55@pobox.com>
> wrote:
>>
>> Bug reported as Bug#533089
>>
>> Sadly, if your diagnosis is correct, it may not be fixable...
>>
>> Oh well, I guess that's what "sudo -i" in a normal terminal is for...
>
> 'sudo -l' you mean?  That (or just 'su' alone) gives me root access
> within a gnome-terminal, at which point I can do what I need to do.
> But that also demonstrates that whatever security concerns are driving
> the disabling of 'Root Terminal' from the menu are completely bogus.
> And it has conveniences (not having to provide a password every time I
> open a new tab, for example) which this workaround doesn't.  Oh, well,
> indeed ....


I meant "-i" -- from the man page for sudo(8)

>  -i  The -i (simulate initial login) option runs the shell specified
> in
>      the passwd(5) entry of the user that the command is being run as.
>      The command name argument given to the shell begins with a `-' to
>      tell the shell to run as a login shell.  sudo attempts to
> change to
>      that user's home directory before running the shell.  It also
> ini-
>      tializes the environment, leaving TERM unchanged, setting HOME,
>      SHELL, USER, LOGNAME, and PATH, and unsetting all other
> environment
>      variables.  Note that because the shell to use is determined
> before
>      the sudoers file is parsed, a runas_default setting in sudoers
> will
>      specify the user to run the shell as but will not affect which
>      shell is actually run.

And you can configure /etc/sudoers so that you never have to provide
a password.  Read the sudoers(5) man page.

I'm not clear on whether the security concerns driving this issue extend
to sub-processes running as root, or just those started as root.
I'll leave that explanation to those with a better understanding of the
issue.

Rick

On Sun, Jun 14, 2009 at 10:27:56AM -0400, Patrick Wiseman wrote:
> On Sun, Jun 14, 2009 at 8:16 AM, Patrick Wiseman<pwiseman@gmail.com> wrote:
> > On Sun, Jun 14, 2009 at 4:19 AM, Andrei Popescu<andreimpopescu@gmail.com> wrote:
> >> On Sat,13.Jun.09, 09:32:52, Patrick Wiseman wrote:
> >>> Running 'sudo gnome-terminal' (which is the equivalent) reports
> >> How do you know that? I thought gksu was used for that. Try:
> >> gksu gnome-terminal
> > ** (gnome-terminal:14228): WARNING **: Failed to connect to the
> > session manager: Authentication Rejected, reason : None of the
> > authentication protocols specified are supported and host-based
> > authentication failed
> >
> > Failed to contact the GConf daemon; exiting.
> >
> > Which, I suppose, is slightly more informative.  But the fact remains
> > that Root Terminal in the Accessories menu is, for some reason,
> > disabled.  (This is on a fully up-to-date, amd64, testing system.)
> 
> Further Googling informs me that "the result [of Gconf using D-Bus] is
> that root applications can’t use the user’s GConf settings anymore.
> This is a design restriction in D-Bus."
> [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390]  Well,
> that's just stupid, especially for experienced users like myself; I
> NEED to be able to use gnome-terminal as root.  I don't want a hackish
> workaround, I just want it to work as it always has.  Is there ANY way
> to make D-Bus less restrictive?

Well, does this problem happens if user uses sudo mode for gksu.

Application-> System Tools-> Configuration Editor:
/apps/gksu/sudo-mode

Also question is what happens if you enter followings in terminal.

 $ su -c   gnome-terminal
 $ sudo    gnome-terminal
 $ sudo -H gnome-terminal

(I think we do not need gconf settings for root.  If one of above works,
gnome just need to change default mode for gksu.)

Osamu

On Mon, Jun 15, 2009 at 8:19 AM, Osamu Aoki<osamu@debian.org> wrote:
> On Sun, Jun 14, 2009 at 11:59:56AM -0400, Patrick Wiseman wrote:
> ...
>> >> This is a design restriction in D-Bus."
>> >> [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390]  Well,
>> >> that's just stupid, especially for experienced users like myself; I
>> >> NEED to be able to use gnome-terminal as root.  I don't want a hackish
>> >> workaround, I just want it to work as it always has.  Is there ANY way
>> >> to make D-Bus less restrictive?
>> >
>> > Well, does this problem happens if user uses sudo mode for gksu.
>> >
>> > Application-> System Tools-> Configuration Editor:
>> > /apps/gksu/sudo-mode
>>
>> Makes no difference; 'gksu gnome-terminal' fails without a message.
>>
>> > Also question is what happens if you enter followings in terminal.
>> >
>> >  $ su -c   gnome-terminal
>> >  $ sudo    gnome-terminal
>> >  $ sudo -H gnome-terminal
>
> Hmmm ... so this
>
>> All fail with "Failed to contact the GConf daemon; exiting."
>
> are coming not from gksu but from gnome-terminal.
>
> How about
>
>   $ su -c   xterm

That gives me this warning:

Warning: Tried to connect to session manager, Authentication Rejected,
reason : None of the authentication protocols specified are supported
and host-based authentication failed

but the xterm opens anyway.

>   $ sudo    xterm

Opens the root xterm without warning.

>   $ sudo -H xterm

Likewise.

> If this works, this bug needs to be assigned to gnome-terminal.
>
> It should drop privilidge to use $SUDO_USER for sudo or $USERNAME for su
> which ever is not root before accessing GConf.
>

There is already a bug filed against gnome-terminal on this issue; I
added my 2 cents to that bug.

>> Apparently, dbus will accept changes in a system-local.conf file, so
>> I'll see if I can figure out what I need to do in there.
>
> This path may work but is not generic solution for all of us to live with.

The problem is, I think, that someone upstream thinks that this
limitation is a feature not a bug, and so it's unlikely to get fixed.

Patrick

On Mon, Jun 15, 2009 at 10:08 AM, Osamu Aoki<osamu@debian.org> wrote:
> On Mon, Jun 15, 2009 at 08:59:59AM -0400, Patrick Wiseman wrote:
>> The problem is, I think, that someone upstream thinks that this
>> limitation is a feature not a bug, and so it's unlikely to get fixed.
>
> I am not the right person to judge this.  It may be a right decision and
> it is a feature.
>
> But advanced cordination with popular existing tools should have
> happened before implimenting this feature for sure.
>
> Well, this is typical when using "unstable".  At this moment, we do not
> even have testing security support.  You should see quite a bit of these
> despite we most DD tries to keep such incident as few as possible.

Just as an aside, I'm on a testing system, and just got two security
updates this morning.

Patrick

--j3olVFx0FsM75XyV
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon,15.Jun.09, 08:59:59, Patrick Wiseman wrote:
 
> The problem is, I think, that someone upstream thinks that this
> limitation is a feature not a bug, and so it's unlikely to get fixed.

Writing an app to be run as root is not a trivial thing. Too many things 
can go wrong. Did you investigate Daniel's suggestion about running a 
custom command?

You could also try sux.

Regards,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)

--j3olVFx0FsM75XyV
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBCAAGBQJKNnhBAAoJEHNWs3jeoi3pcP4IAIioUxDEwWAi4TBWf0wWS5YV
A2w0jKkla5L1gvveNZgjnvb8eMq6tB997JlTxoCXciXeNNLntAtsH+EU0nW/YMz3
3M8SpX/w1F7cYz087oRXg2Bxaa5pFXTLsGVIRdPe/yE9lI+QTY1QTUpZxTQKbdkb
GCNAdbpxj8Xtef8ED1TKFzSLxj1vIQl4wZ2EmznCzQJsw4mfXorFc1rA08erYg+3
0EShGsgeSx0Ku+8+bqxEmhetINZ66UgrymX3FGskVkBnzhlsVAHyFNSqj9kayibm
h8gmqYEWLTBriJIym53LT9zufpNO1vfCpSiKtnTvacvsm4Mq784pZfHbuFR1EHc=t3Lx
-----END PGP SIGNATURE-----

--j3olVFx0FsM75XyV--

On Sun, Jun 14, 2009 at 11:59:56AM -0400, Patrick Wiseman wrote:
...
> >> This is a design restriction in D-Bus."
> >> [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518390]  Well,
> >> that's just stupid, especially for experienced users like myself; I
> >> NEED to be able to use gnome-terminal as root.  I don't want a hackish
> >> workaround, I just want it to work as it always has.  Is there ANY way
> >> to make D-Bus less restrictive?
> >
> > Well, does this problem happens if user uses sudo mode for gksu.
> >
> > Application-> System Tools-> Configuration Editor:
> > /apps/gksu/sudo-mode
> 
> Makes no difference; 'gksu gnome-terminal' fails without a message.
> 
> > Also question is what happens if you enter followings in terminal.
> >
> >  $ su -c   gnome-terminal
> >  $ sudo    gnome-terminal
> >  $ sudo -H gnome-terminal

Hmmm ... so this 
 
> All fail with "Failed to contact the GConf daemon; exiting."

are coming not from gksu but from gnome-terminal.

How about 

  $ su -c   xterm
  $ sudo    xterm
  $ sudo -H xterm

If this works, this bug needs to be assigned to gnome-terminal.

It should drop privilidge to use $SUDO_USER for sudo or $USERNAME for su
which ever is not root before accessing GConf.

> Apparently, dbus will accept changes in a system-local.conf file, so
> I'll see if I can figure out what I need to do in there.

This path may work but is not generic solution for all of us to live with.

> Patrick
> 
> 
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Mon, Jun 15, 2009 at 08:59:59AM -0400, Patrick Wiseman wrote:
> The problem is, I think, that someone upstream thinks that this
> limitation is a feature not a bug, and so it's unlikely to get fixed.

I am not the right person to judge this.  It may be a right decision and
it is a feature.

But advanced cordination with popular existing tools should have
happened before implimenting this feature for sure.

Well, this is typical when using "unstable".  At this moment, we do not
even have testing security support.  You should see quite a bit of these
despite we most DD tries to keep such incident as few as possible.

Osamu

On Mon, Jun 15, 2009 at 10:12:08AM -0400, Patrick Wiseman wrote:
> On Mon, Jun 15, 2009 at 10:08 AM, Osamu Aoki<osamu@debian.org> wrote:
> > On Mon, Jun 15, 2009 at 08:59:59AM -0400, Patrick Wiseman wrote:
> >> The problem is, I think, that someone upstream thinks that this
> >> limitation is a feature not a bug, and so it's unlikely to get fixed.
> >
> > I am not the right person to judge this.  It may be a right decision and
> > it is a feature.
> >
> > But advanced cordination with popular existing tools should have
> > happened before implimenting this feature for sure.
> >
> > Well, this is typical when using "unstable".  At this moment, we do not
> > even have testing security support.  You should see quite a bit of these
> > despite we most DD tries to keep such incident as few as possible.
> 
> Just as an aside, I'm on a testing system, and just got two security
> updates this morning.
Good

I may have missed announcement but I thought it is not yet official.