[Bug 1713313] Re: Unable to launch pkexec'ed applications on Wayland session
bodhi.zazen
bodhi.zazen at gmail.com
Wed Dec 13 04:36:20 UTC 2017
Phillip:
You were banned from the Ubuntu Forums not by me personally, but rather
by the Forums Council after repeated violations of the CoC and difficult
interactions with the Forums Staff including both moderators and Forums
Council Members.
You appealed your ban to the Community Council, and your ban was upheld.
This is not the appropriate place to protest your ban. I am no longer an
active staff member, please contact the current Forums Council if you
wish to discuss any potential future use of the Forums.
https://wiki.ubuntu.com/ForumCouncil
As far as the technical discussion I am afraid we will have to agree to
disagree.
I can not always follow what you are saying, but I have the impression,
perhaps falsely, you do not understand or that you intermingle issues of
Wayland, X (XWayland, Xhost), and Weston, those are fairly diverse
features / functions.
At any rate, I also think you do not understand that Wayland is in rapid
development and not all the mechanisms of security have been agreed on
up stream or resolved.
I believe Upstream has made their security intentions very clear in
their mailing list and security blog, which I have provided for your
consideration.
The fedora experience makes this very clear in their bug reports as
well. The Fedora project has raised most if not all of your issues, and
as they are a bit further ahead, the Fedora Bug Reports are referenced
here.
This thread makes it clear that Ubuntu is working not on revamping
wayland security, but by rewriting applications and the way they obtain
elevated privileges.
I also see your bugs getting closed as "wont fix" here on Ubuntu.
My best suggestion would be that you engage into a technical discussion
with your LP mentor, the community council, perhaps Norbert, or one of
the Gnome Developers whom you respect rather than continue a discussion
with myself, here, on this bug report.
I suggest you conduct such a technical discussion outside this bug
report, perhaps on the gnome or wayland mailing list or IRC or whatever
channel you feel benefits you most. I have given you the Wayland mailing
list and links to security discussions and can send them again if you
would like.
I believe this bug report is not the best place to obtain the
clarification and answers to your questions and I have in good faith
provided you and others what I would hope would be helpful information
and sources of further information.
bodhi at daemon:~$sudo gedit
No protocol specified
Unable to init server: Could not connect: Connection refused
(gedit:7374): Gtk-WARNING **: cannot open display: :0
bodhi at daemon:~$sudo su -
root at daemon:~#gedit
Unable to init server: Could not connect: Connection refused
(gedit:7346): Gtk-WARNING **: cannot open display:
I believe once Upstream (Wayland) feels the wayland code has matured
their long term intentions will be to drop XWayland and support for
circumventing wayland security via the mechanisms you currently use /
exploit such as Xhost, su -, etc.
I believe Xwayland and Xhost are intended to give downstream projects
such as Fedora and Ubuntu time to transition from X to Wayland and time
for Wayland to mature. Obviously this is a large project, both for
Wayland and Ubuntu.
I do not believe that because mechanisms currently exist to run
applications as root on Wayland at this time that you should assume that
such mechanisms will either be maintained or expanded in the future.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gparted in Ubuntu.
https://bugs.launchpad.net/bugs/1713313
Title:
Unable to launch pkexec'ed applications on Wayland session
Status in Back In Time:
Fix Released
Status in Boot-Info:
Fix Committed
Status in Boot-Repair:
Fix Committed
Status in GNOME Terminal:
New
Status in Settings editor for LightDM GTK+ Greeter:
New
Status in OS-Uninstaller:
Fix Committed
Status in Y PPA Manager:
New
Status in apport package in Ubuntu:
New
Status in apt-offline package in Ubuntu:
New
Status in backintime package in Ubuntu:
Confirmed
Status in budgie-welcome package in Ubuntu:
Invalid
Status in caja-admin package in Ubuntu:
New
Status in cinnamon package in Ubuntu:
Invalid
Status in ettercap package in Ubuntu:
Confirmed
Status in gdebi package in Ubuntu:
Confirmed
Status in gdm3 package in Ubuntu:
Won't Fix
Status in gnunet-gtk package in Ubuntu:
Confirmed
Status in gparted package in Ubuntu:
Invalid
Status in gui-ufw package in Ubuntu:
Confirmed
Status in guidedog package in Ubuntu:
New
Status in hplip package in Ubuntu:
Confirmed
Status in italc package in Ubuntu:
New
Status in laptop-mode-tools package in Ubuntu:
New
Status in lightdm-gtk-greeter-settings package in Ubuntu:
Confirmed
Status in nautilus-admin package in Ubuntu:
New
Status in needrestart-session package in Ubuntu:
Confirmed
Status in nemo package in Ubuntu:
Confirmed
Status in policykit-1 package in Ubuntu:
Invalid
Status in scanmem package in Ubuntu:
New
Status in scap-workbench package in Ubuntu:
Confirmed
Status in sirikali package in Ubuntu:
Fix Released
Status in synaptic package in Ubuntu:
Confirmed
Status in thunar package in Ubuntu:
New
Status in tuned package in Ubuntu:
New
Status in ubuntustudio-controls package in Ubuntu:
New
Status in ubuntustudio-default-settings package in Ubuntu:
Invalid
Status in update-notifier package in Ubuntu:
New
Status in xdiagnose package in Ubuntu:
Confirmed
Status in xubuntu-default-settings package in Ubuntu:
Invalid
Status in zulucrypt package in Ubuntu:
Fix Released
Bug description:
*****************************
Main upstream discussion & fixes example to deal with wayland:
https://bugzilla.gnome.org/show_bug.cgi?id=776437
*****************************
********************************************************************************************************************************************
Steps to reproduce:
1. Install Ubuntu 17.10
2. Install backintime-qt4 or gparted application from above list (full may be acquired from https://codesearch.debian.net/search?q=pkexec+filetype%3Adesktop+path%3A*%2Fapplications%2F*&perpkg=1&page=4 )
3a. Try to launch backintime-qt4 from shortcut "Back In Time (root)" (located in /usr/share/applications/backintime-qt4-root.desktop, it uses pkexec
($ cat /usr/share/applications/backintime-qt4-root.desktop | grep Exec
Exec=pkexec backintime-qt4)
3b. Try to launch Gparted from shortcut "GParted" (located in /usr/share/applications/gparted.desktop, it uses gparted-pkexec)
4a.1. Back In Time does not start from GUI.
4a.2. Back In Time shows error message in console:
4b. gparted-pkexec does not start, reports error
$ gparted-pkexec
Created symlink /run/systemd/system/-.mount → /dev/null.
Created symlink /run/systemd/system/run-user-1000.mount → /dev/null.
Created symlink /run/systemd/system/run-user-121.mount → /dev/null.
Created symlink /run/systemd/system/tmp.mount → /dev/null.
No protocol specified
(gpartedbin:12831): Gtk-WARNING **: cannot open display: :0
Removed /run/systemd/system/-.mount.
Removed /run/systemd/system/run-user-1000.mount.
Removed /run/systemd/system/run-user-121.mount.
Removed /run/systemd/system/tmp.mount.
$ pkexec backintime-qt4
Back In Time
Version: 1.1.12
Back In Time comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions; type `backintime --license' for details.
No protocol specified
app.py: cannot connect to X server :0
Expected results:
* backintime-qt4 may be run as root
Actual results:
* unable to run backintime-qt4 as root
Workaround:
* setting "xhost +si:localuser:root" helps.
ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: backintime-qt4 1.1.12-2
ProcVersionSignature: Ubuntu 4.12.0-11.12-generic 4.12.5
Uname: Linux 4.12.0-11-generic i686
ApportVersion: 2.20.6-0ubuntu7
Architecture: i386
CurrentDesktop: GNOME
Date: Sun Aug 27 14:23:14 2017
InstallationDate: Installed on 2017-08-26 (0 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha i386 (20170826)
PackageArchitecture: all
SourcePackage: backintime
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/backintime/+bug/1713313/+subscriptions
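Added example, not part of the original message or bug report: a check that reads `xhost` output and reports whether the "xhost +si:localuser:root" workaround above has left root, or anyone other than the session owner, authorised on the display. The function name `audit_xhost`, the severity labels and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify X server access-control entries as printed by `xhost`.
# Usage: xhost | audit_xhost "$USER"
# Prints one finding per line; prints nothing when only the owner is listed.

audit_xhost() {
    owner=$1
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # Result of `xhost +`: the ACL is not enforced at all.
                echo "HIGH access control disabled: any client may connect" ;;
            "access control enabled"*)
                ;;  # normal header line, nothing to report
            "SI:localuser:$owner")
                ;;  # the session owner's own entry is expected
            SI:localuser:root)
                # Left behind by the workaround from the bug description.
                echo "WARN $line: root may connect to this display" ;;
            SI:localuser:*)
                echo "WARN $line: another local user may connect" ;;
            "")
                ;;  # ignore blank lines
            *)
                # Host-based or other entries: review by hand.
                echo "REVIEW $line: entry not tied to the session owner" ;;
        esac
    done
}

# Constructed sample: xhost output after the workaround was applied
# in a session owned by the (constructed) user "bodhi".
SAMPLE_XHOST='access control enabled, only authorized clients can connect
SI:localuser:bodhi
SI:localuser:root'

printf '%s\n' "$SAMPLE_XHOST" | audit_xhost bodhi
```

A root entry reported here can be withdrawn with `xhost -si:localuser:root` once the privileged application has exited.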