Ubuntu: Why don't gksu/gksudo or launching a graphical application with sudo work with Wayland?



Question:

I installed Ubuntu 17.10. Now I am having trouble with gksu:

$ gksu -dg synaptic  No ask_pass set, using default!  xauth: /tmp/libgksu-HgUjgQ/.Xauthority  STARTUP_ID: gksu/synaptic/8760-0-alex-XPS-15-9530_TIME4974977  cmd[0]: /usr/bin/sudo  cmd[1]: -H  cmd[2]: -S  cmd[3]: -p  cmd[4]: GNOME_SUDO_PASS  cmd[5]: -u  cmd[6]: root  cmd[7]: --  cmd[8]: synaptic  buffer: -GNOME_SUDO_PASS-  brute force GNOME_SUDO_PASS ended...  Yeah, we're in...  Unable to init server: Could not connect: Connection refused  (synaptic:8767): Gtk-WARNING **: cannot open display: :1  xauth: /tmp/libgksu-HgUjgQ/.Xauthority  xauth_env: (null)  dir: /tmp/libgksu-HgUjgQ  

If I don't use -g, the password dialog is disabled. So looks like a problem with creating a tty for root.

Any advice?


Solution:1

NOTE THIS ANSWER IS SPECIFIC TO VERSIONS OF UBUNTU USING WAYLAND, 17.10 BEING THE FIRST RELEASE TO USE WAYLAND BY DEFAULT.

It is a feature not a bug ! It is a design feature of Wayland that you can not start graphical applications as root from the terminal.

The main discussions are of course on the Fedora sites. See Fedora bug #1274451 and Graphical applications can't be run as root in wayland (e.g. gedit, beesu, gparted, nautilus) on Ask Fedora. But there is some discussion on the Ubuntu sites as well (Ubuntu Devs Uncertain about Using Wayland by Default in 17.10 - OMG! Ubuntu).

Ubuntu bug report - https://bugs.launchpad.net/ubuntu/+source/backintime/+bug/1713313

Potential work around - If you are editing system files with a graphical editor (such as gedit) use a command line tool such as nano or vim or emacs. nano is typically easier for new users, vim is more powerful and has more features, see https://linuxconfig.org/vim-tutorial or similar.

At any rate , if you really want or need to run graphical apps as root, set xhost first which forces fallback to Xserver.

To set permissions run:

xhost si:localuser:root   

When you are finished, to remove permissions

xhost -si:localuser:root   

You can add a graphical / desktop option to do this as per this launchpad bug https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/1712089

pkexec'ed applications may be healed with "xhost +si:localuser:root" placed in XDG autostart as follows:

cat <<EOF | sudo tee /etc/xdg/autostart/xhost.desktop  [Desktop Entry]  Name=xhost  Comment=Fix graphical root applications  Exec="xhost +si:localuser:root"  Terminal=false  Type=Application  EOF  

You could add this xhost command to .bashrc, but I would advise a pair of alises

alias gsuon='xhost si:localuser:root'    alias gsuoff='xhost -si:localuser:root'  

You can name the alias whatever you wish.

For details see:


Switch back to Xorg

If you prefer Xorg for any reason, you can select to run on Xorg at login

See How do you switch from Wayland back to Xorg in Ubuntu 17.10?


Solution:2

enter image description here Solutions

In Wayland it is often difficult to run GUI application programs with elevated (sudo -H, gksu ...) permissions. It is a good idea to do such tasks with command line tools.

But there are workarounds, if you have a GUI tool, that works well for you and needs elevated permissions. (I use two such standard tools: the Synaptic Package Manager, synaptic and the partitioning tool Gparted, gparted. I use MakeUSB to create USB boot drives, mkusb, too, but it can run the parts that need elevated permissions without graphics.)

xhost and sudo -H

  1. There is a workaround to allow graphical application programs owned by other users than the logged in user in Wayland,

    xhost +si:localuser:root  
  2. gksu and gksudo are not bundled with standard Ubuntu and do not work here, but they work in Xorg.

    Instead you can use

    sudo -H  
  3. It is a good idea to prevent graphical application programs owned by other users than the logged in user afterwards,

    xhost -si:localuser:root  

gvfs admin backend

In Ubuntu 17.10 (gvfs >= 1.29.4) you can use the gvfs admin backend. Notice that you need the full path,

gedit admin:///path/to/file  

In theory, the gvfs admin backend method (which uses polkit) is better and safer (than xhost and xudo -H), regardless of the UI you use.

You don't run the whole application as root. Privilege escalation happens only when strictly necessary. See the following link and links from it,

nautilus-admin

It is also possible to use nautilus-admin for file operations with elevated permissions and to use gedit with elevated permissions. This is described in the following AskUbuntu answer,

Temporary access for root to the Wayland desktop via function gks

Please avoid sudo GUI-program. It can cause the system to overwrite the configuration files for your regular user ID with root's configuration and set ownership and permissions to fit root and lock out your regular user ID. You should run GUI applications with sudo -H, which writes the configuration files in root's home directory /root. Example:

sudo -H gedit myfile.txt  

But there is a risk that you forget -H. Instead you can create a function, for example gks

gks () { xhost +si:localuser:root; sudo -H "$@"; xhost -si:localuser:root; }  

and store it in your ~/.bashrc near the aliases. Then you can run

gks gedit myfile.txt  

in a way similar to how you used gksudo before.

Testing

You can check how sudo, sudo -H and gks work with the following commands

sudodus@xenial32 ~ $ sudo bash -c "echo ~"  /home/sudodus  sudodus@xenial32 ~ $ sudo -H bash -c "echo ~"  /root  sudodus@xenial32 ~ $ gks () { xhost +si:localuser:root; sudo -H "$@"; xhost -si:localuser:root; }  sudodus@xenial32 ~ $ gks bash -c "echo ~"  localuser:root being added to access control list  /root  localuser:root being removed from access control list  sudodus@xenial32 ~ $   

and of course

gks gedit myfile.txt  

according to the example in the previous section.

Method that works via Alt-F2 and Gnome Shell menu

Instead of adding a simple one-line function to ~/.bashrc, you can make a system, that works also without bash. It may be convenient to use, but is more complicated to set up. Please notice that you should install only one of the alternatives, because the one-line function will disturb using this more complicated system.

Three files

The shellscript gks:

#!/bin/bash    xhost +si:localuser:root    if [ $# -eq 0 ]  then    xterm -T "gks console - enter command and password" \    -fa default -fs 14 -geometry 60x4 \    -e bash -c 'echo "gks lets you run command lines with GUI programs  with temporary elevated permissions in Wayland."; \  read -p "Enter command: " cmd; \  cmdfile=$(mktemp); echo "$cmd" > "$cmdfile"; \  sudo -H bash "$cmdfile"; rm "$cmdfile"'  else   xterm -T "gks console - enter password" -fa default -fs 14 -geometry 60x4 -e sudo -H "$@"  fi     xhost -si:localuser:root;  

The desktop file gks.desktop:

[Desktop Entry]  Version=1.0  Categories=Application;System;  Type=Application  Name=gks  Description=Run program with temporary elevated permissions in Wayland  Comment=Run program with temporary elevated permissions in Wayland  Exec=gks %f  Icon=/usr/share/icons/gks.svg  Terminal=false  StartupNotify=false  GenericName[en_US.UTF-8]=Run program with temporary elevated permissions in Wayland  

The icon file gks.svg looks like this:

enter image description here

You can download the icon file or a tarball with all three files from this link,

wiki.ubuntu.com/Wayland/gks

Copy the [extracted or copied & pasted] files to the following locations,

sudo cp gks /usr/bin  sudo cp gks.desktop /usr/share/applications/  sudo cp gks.svg /usr/share/icons  

Logout/login or reboot, and there should be a working desktop icon. It will work from a terminal window like with the simple solution with the function.

Alt F2 box:

enter image description here

Gnome Shell menu:

enter image description here

gks console and gparted:

enter image description here

Custom script and desktop file

If you have only a few GUI applications, that need elevated permissions, you could make custom scripts and desktop files for them and avoid entering the command (application name). You would only enter the password, which is not more difficult compared to the previous versions of Ubuntu (you should enter the password anyway).

Example with the simple GUI program xlogo that comes with the program package x11-apps:

The shellscript gkslogo (simplified compared to gks),

#!/bin/bash    xhost +si:localuser:root    xterm -T "gks console - enter password" -fa default -fs 14 -geometry 60x4 -e sudo -H xlogo    xhost -si:localuser:root;  

The desktop file gkslogo.desktop:

[Desktop Entry]  Version=1.0  Categories=Application;System;  Type=Application  Name=gkslogo  Description=Run program with temporary elevated permissions in Wayland  Comment=Run program with temporary elevated permissions in Wayland  Exec=gkslogo  Icon=/usr/share/icons/gks.svg  Terminal=false  StartupNotify=false  GenericName[en_US.UTF-8]=Run program with temporary elevated permissions in Wayland  

I was lazy and used the same icon file gks.svg

Copy the [copied & pasted] files to the following locations,

sudo cp gkslogo /usr/bin  sudo cp gkslogo.desktop /usr/share/applications/  

gks[logo] console and xlogo:

enter image description here


Solution:3

Better check whether wayland is really running first before granting root right

if [ $XDG_SESSION_TYPE = "wayland" ]; then      xhost +si:localuser:root  fi  


Solution:4

If you are using Ubuntu 17.04 or higher, it is recommended to use the gvfs admin backend. Simply add admin:// to the front of the full filepath you want to open in an app like the Text Editor or the Files apps.

For instance, to change boot settings, open

admin:///etc/default/grub  

This method uses PolicyKit and will still work with Ubuntu 17.10's Wayland default, while sudo and gksu for GUI apps won't.


Solution:5

For applications which use su-to-root and pkexec you may want to add this code to /etc/xdg/autostart (see my comment at launchpad) at your own risk:

cat <<EOF | sudo tee /etc/xdg/autostart/xhost.desktop  [Desktop Entry]  Name=xhost  Comment=Fix graphical root applications  Exec="xhost +si:localuser:root"  Terminal=false  Type=Application  EOF  

Other root applications are broken on Wayland too (see bug 1713313 and bug 1713311 ).


Solution:6

Actually the following code almost works:

#! /bin/bash  set -e   if [ -z "$1" ] ; then      echo "Application is not specified" ;  exit  fi   if [ $XDG_SESSION_TYPE = "wayland" ]; then      if [[ -t 1 ]]; then         xhost +si:localuser:root         sudo -u root "$@"         xhost  -           exit 0      fi   fi  gksu "$@"  

(please excuse me for naive style of bash coding- I'm a sort of newbie with this subject). T doesn't work stable from Alt-F2, if last selection was not a terminal; in this case we just cannot set focus to password dialog Looks like it works from Gnome menu. Anyway< 1. It is not a 100% solution. 2. It seems to me that Ubuntu architects think that we are not supposed to search any work arounds..


Solution:7

If an application support Wayland API you can run it as root using sudo -EH application command.

The -E switch tells sudo to preserve environment variables (as well as WAYLAND_SOCKET and XDG_RUNTIME_DIR) needed to wayland applications. It is always better to use this option over nasty xhost hack proposed in other answers. xhost allows the application to run from under X wrapper which is less secure than using Wayland (shared clipboard, keylogging etc). The sudo -EH trick wont work with an application that hadn't been rewritten for wayland, like gparted for example, but would work with gedit etc.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »