pkexec vs kdesu

Martin Gräßlin mgraesslin at kde.org
Thu Dec 11 13:29:10 UTC 2014 

On Thursday 11 December 2014 14:06:59 Harald Sitter wrote:
> On Mon, Nov 24, 2014 at 10:31 AM, Martin Gräßlin <mgraesslin at kde.org> wrote:
> > On Sunday 23 November 2014 17:14:02 Harald Sitter wrote:
> >> On Sun, Nov 23, 2014 at 4:50 PM, David Edmundson
> >> 
> >> <david at davidedmundson.co.uk> wrote:
> >> > You will probably get massively different behaviour regarding your env.
> >> > 
> >> > pkexec won't copy anything, sudo will.
> >> > Without $DISPLAY graphical apps are out.
> 
> So, I had a brief look.
> 
> Documentation has the following to say:
> As a result,pkexec will not allow you to run X11 applications as
> another user since the $DISPLAY and $XAUTHORITY environment variables
> are not set. These two variables will be retained if the
> org.freedesktop.policykit.exec.allow_gui annotation on an action is
> set to a nonempty value; this is discouraged, though, and should only
> be used for legacy programs.
> 
> So right now DISPLAY is not an unsolvable problem, it's just very annoying.
> 
> Additionally with frameworks there seem to be more problems as for
> some reason kxmlgui assets do not get loaded on my system, so I
> suppose it's lookup path is also retrieved from the env somehow.
> 
> >> Surely not an unsolvable problem. Clearly wayland fixes this ;)
> > 
> > even if it's meant as a joke, I must point out that the opposite is the
> > case here: it will horribly fail on Wayland if it assumes a $DISPLAY!
> 
> It's the applications wanting DISPLAY (qxcb), not pkexec. That being
> said, not knowing anything about wayland I presume one would still
> have to handover some sort of identifier in a wayland world? If so,
> the restrictiveness of pkexec concerning the environment would
> probably become a problem that will at least want to have allow_gui
> expanded to forward more of the envrionment.

on Wayland the variable is WAYLAND_DISPLAY pointing to a socket in 
XDG_RUNTIME_DIR. I have no idea what that would mean for having an application 
from another user connect. Personal opinion: I wouldn't mind if it just 
doesn't work anymore to run gui applications as other users.

> 
> > Also I must point out that there are horrible interaction problems on the
> > X11 platform. KWin does not get enough information to prevent focus
> > stealing prevention from kicking in and thus the dialogs do not get
> > focus. This problem (to my knowledge) does not appear with kdesu. Thus I
> > would consider switching all kdesu to polkit as a regression. This is a
> > long standing issue which must be fixed by polkit and hasn't been
> > addressed in years although the problem and how to solve had been
> > explained by the current and previous KWin maintainer.
> > 
> > This problem is not unique to polkit, to be fair. We see the same problem
> > with akonadi asking for passwords and also with the GPG ask dialog.
> 
> Do we have documentation on this somewhere?

Well actually everything that's needed is passing a startup notification 
around, so that when the application is created it can set the appropriate 
timestamp and KWin can notice that the window should get focused. It just 
needs an env variable being passed to the process. KRun does that. 
Documentation on that process is on freedesktop.org

Cheers
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20141211/9663a60b/attachment.sig>

More information about the Kde-frameworks-devel mailing list