[ubuntu-hardened] GNOME on Wayland: pkexec

Jeremy Bicha jbicha at ubuntu.com
Fri Jun 9 00:32:14 UTC 2017


I mentioned briefly in Tuesday's team meeting that some apps like
synaptic don't work on Wayland. I promised that I would provide a bit
more information.

Part of GNOME on Wayland's design enforces a higher level of security
than non-Wayland. [1]

Synaptic doesn't have real PolicyKit integration. It has a simple
pkexec script that still ends up running the whole app as root instead
of just the specific actions needed.

This does not currently work in GNOME Shell. There actually is a GNOME
Shell patch [2] that would allow this simple pkexec to work, but the
GNOME Shell maintainer is understandably uncomfortable with pushing
that change.

I'm CCing the Ubuntu security mailing list, but I suggest that replies
be kept to the ubuntu-desktop list.

[1] https://fedoraproject.org/wiki/Common_F25_bugs#wayland-root-apps
[2] https://bugzilla.gnome.org/763531

Thanks.
Jeremy Bicha


