pkexec vs kdesu

Harald Sitter sitter at kde.org
Thu Dec 11 13:06:59 UTC 2014 

On Mon, Nov 24, 2014 at 10:31 AM, Martin Gräßlin <mgraesslin at kde.org> wrote:
> On Sunday 23 November 2014 17:14:02 Harald Sitter wrote:
>> On Sun, Nov 23, 2014 at 4:50 PM, David Edmundson
>>
>> <david at davidedmundson.co.uk> wrote:
>> > You will probably get massively different behaviour regarding your env.
>> >
>> > pkexec won't copy anything, sudo will.
>> > Without $DISPLAY graphical apps are out.

So, I had a brief look.

Documentation has the following to say:
As a result,pkexec will not allow you to run X11 applications as
another user since the $DISPLAY and $XAUTHORITY environment variables
are not set. These two variables will be retained if the
org.freedesktop.policykit.exec.allow_gui annotation on an action is
set to a nonempty value; this is discouraged, though, and should only
be used for legacy programs.

So right now DISPLAY is not an unsolvable problem, it's just very annoying.

Additionally with frameworks there seem to be more problems as for
some reason kxmlgui assets do not get loaded on my system, so I
suppose it's lookup path is also retrieved from the env somehow.

>> Surely not an unsolvable problem. Clearly wayland fixes this ;)
>
> even if it's meant as a joke, I must point out that the opposite is the case
> here: it will horribly fail on Wayland if it assumes a $DISPLAY!

It's the applications wanting DISPLAY (qxcb), not pkexec. That being
said, not knowing anything about wayland I presume one would still
have to handover some sort of identifier in a wayland world? If so,
the restrictiveness of pkexec concerning the environment would
probably become a problem that will at least want to have allow_gui
expanded to forward more of the envrionment.

> Also I must point out that there are horrible interaction problems on the X11
> platform. KWin does not get enough information to prevent focus stealing
> prevention from kicking in and thus the dialogs do not get focus. This problem
> (to my knowledge) does not appear with kdesu. Thus I would consider switching
> all kdesu to polkit as a regression. This is a long standing issue which must
> be fixed by polkit and hasn't been addressed in years although the problem and
> how to solve had been explained by the current and previous KWin maintainer.
>
> This problem is not unique to polkit, to be fair. We see the same problem with
> akonadi asking for passwords and also with the GPG ask dialog.

Do we have documentation on this somewhere?

HS

More information about the Kde-frameworks-devel mailing list