[orca-list] Upgrading pkexec to run X11 Orca-accessible applications as root.



I've patched pkexec which is like gksu, but uses Policy Kit for
authentication.  The patch is very simple - all I had to do is
uncomment some code the author already had in there to enable X11
applications.  It seems that the author decided that running X11
applications as root is just too much of a security hole to justify,
so he commented out the code.  As a result, Ubuntu has to rely on gksu
to run programs like Synaptic from the System/Administration menu.

gksu has problems.  It's no longer a simple sudo wrapper, and has
evolved into a multi-threaded monster of such complexity that good C
debuggers (I count myself as one) can't easily fix major problems.
gksu has a many-year outstanding bug where it hangs Gnome if
at-spi-registryd is running.  I've spent hours trying to find the bug,
as have others.  If gksu is so complex that we can't debug it, how can
we trust it?  This is very likely a security risk vs just using
pkexec.  If we already have sudo and pkexec, why do we need gksu?  Why
maintain and trust all three?

I believe the answer to why we still have gksu is that we needed a way
to run Synaptic and other X11 programs as root from Gnome menus, and
from some Python programs.  What we've done in Vinux is to replace
/usr/bin/gksu with a simple bash script that uses a zenity wrapper
around sudo.  This works around the bug where gksu locks up gnome, but
it's literally an ugly hack - the zenity dialog box looks pathetic.
Good thing the blind don't mind!  What I would like to suggest is that
Ubuntu consider moving away from gksu, and to pkexec instead, with the
simple patch to support X11 applications.  I see no reason this path
would not allow us to eventually retire gksu.  In Vinux, we could
replace /usr/bin/gksu with a wrapper to call pkexec.  My guess is that
Ubuntu would more likely start replacing calls to gksu in the menus,
Ubiquity, and other places, with calls to pkexec, and leave the gksu
package alone.

What do you think?  Is enhancing policykit to support X11 and moving
away from gksu the right direction?  I think many Orca users would
love to dump gksu.  I've attached my patch, which is compatible with
the source package use of quilt.

Thanks,
Bill

Attachment: 02_allow_X11.patch
Description: Text Data



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]