pkexec vs kdesu

Harald Sitter sitter at kde.org
Thu Dec 11 13:57:47 UTC 2014


On Thu, Dec 11, 2014 at 2:29 PM, Martin Gräßlin <mgraesslin at kde.org> wrote:
> On Thursday 11 December 2014 14:06:59 Harald Sitter wrote:
>> On Mon, Nov 24, 2014 at 10:31 AM, Martin Gräßlin <mgraesslin at kde.org> wrote:
>> > On Sunday 23 November 2014 17:14:02 Harald Sitter wrote:
>> >> On Sun, Nov 23, 2014 at 4:50 PM, David Edmundson <david at davidedmundson.co.uk> wrote:
>> >> > You will probably get massively different behaviour regarding your env.
>> >> >
>> >> > pkexec won't copy anything, sudo will.
>> >> > Without $DISPLAY graphical apps are out.
>>
>> So, I had a brief look.
>>
>> Documentation has the following to say:
>> As a result, pkexec will not allow you to run X11 applications as
>> another user since the $DISPLAY and $XAUTHORITY environment variables
>> are not set. These two variables will be retained if the
>> org.freedesktop.policykit.exec.allow_gui annotation on an action is
>> set to a nonempty value; this is discouraged, though, and should only
>> be used for legacy programs.
>>
>> So right now DISPLAY is not an unsolvable problem, it's just very annoying.
>>
>> Additionally with frameworks there seem to be more problems as for
>> some reason kxmlgui assets do not get loaded on my system, so I
>> suppose its lookup path is also retrieved from the env somehow.
>>
>> >> Surely not an unsolvable problem. Clearly wayland fixes this ;)
>> >
>> > even if it's meant as a joke, I must point out that the opposite is the
>> > case here: it will horribly fail on Wayland if it assumes a $DISPLAY!
>>
>> It's the applications wanting DISPLAY (qxcb), not pkexec. That being
>> said, not knowing anything about wayland I presume one would still
>> have to hand over some sort of identifier in a wayland world? If so,
>> the restrictiveness of pkexec concerning the environment would
>> probably become a problem that will at least want to have allow_gui
>> expanded to forward more of the environment.
>
> On Wayland the variable is WAYLAND_DISPLAY pointing to a socket in
> XDG_RUNTIME_DIR. I have no idea what that would mean for having an application
> from another user connect. Personal opinion: I wouldn't mind if it just
> doesn't work anymore to run gui applications as other users.

I too would not mind.

>> > Also I must point out that there are horrible interaction problems on the
>> > X11 platform. KWin does not get enough information to prevent focus
>> > stealing prevention from kicking in and thus the dialogs do not get
>> > focus. This problem (to my knowledge) does not appear with kdesu. Thus I
>> > would consider switching all kdesu to polkit as a regression. This is a
>> > long standing issue which must be fixed by polkit and hasn't been
>> > addressed in years although the problem and how to solve it had been
>> > explained by the current and previous KWin maintainer.
>> >
>> > This problem is not unique to polkit, to be fair. We see the same problem
>> > with akonadi asking for passwords and also with the GPG ask dialog.
>>
>> Do we have documentation on this somewhere?
>
> Well actually everything that's needed is passing a startup notification
> around, so that when the application is created it can set the appropriate
> timestamp and KWin can notice that the window should get focused. It just
> needs an env variable being passed to the process. KRun does that.
> Documentation on that process is on freedesktop.org

Thanks.

HS
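
Added example, not part of the original message or of polkit: a small audit of a polkit `.policy` file that reports which pkexec actions carry the `org.freedesktop.policykit.exec.allow_gui` annotation the quoted documentation discourages. The sample policy, its action ids and program paths are constructed, and the check takes the documentation's "nonempty value" wording literally, so a value of `false` is also reported.

```python
import xml.etree.ElementTree as ET

ALLOW_GUI = "org.freedesktop.policykit.exec.allow_gui"
EXEC_PATH = "org.freedesktop.policykit.exec.path"

# Constructed sample policy; action ids and program paths are hypothetical.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.example.legacy-editor">
    <defaults><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/legacy-editor</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="org.example.helper">
    <defaults><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/libexec/example-helper</annotate>
  </action>
  <action id="org.example.thinks-it-is-off">
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-tool</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">false</annotate>
  </action>
  <action id="org.example.empty-value">
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-cli</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui"></annotate>
  </action>
</policyconfig>
"""

def audit_policy(xml_text):
    """Return one dict per action: id, exec path, and whether DISPLAY/XAUTHORITY are kept."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        notes = {a.get("key"): (a.text or "") for a in action.iter("annotate")}
        findings.append({
            "id": action.get("id"),
            "path": notes.get(EXEC_PATH),
            # Assumption from the quoted docs: ANY nonempty value retains the variables.
            "keeps_x11_env": len(notes.get(ALLOW_GUI, "")) > 0,
        })
    return findings

def gui_enabled_actions(xml_text):
    """Ids of actions for which pkexec would keep $DISPLAY and $XAUTHORITY."""
    return [f["id"] for f in audit_policy(xml_text) if f["keeps_x11_env"]]

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        state = "KEEPS DISPLAY/XAUTHORITY" if f["keeps_x11_env"] else "env stripped"
        print(f"{f['id']:32} {f['path']:32} {state}")
```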


More information about the Kde-frameworks-devel mailing list