https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c2 Ricardo Cruz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO CC| |rpmcruz@alunos.dcc.fc.up.pt InfoProvider| |support@microtechniques.com --- Comment #2 from Ricardo Cruz 2010-09-05 14:54:24 UTC --- Hi Don, Does, say, "gnomesu gedit" work for you? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c Ricardo Cruz changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-gnome@forge.provo. |rpmcruz@alunos.dcc.fc.up.pt |novell.com | Severity|Normal |Major -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c5 --- Comment #5 from Don Hughes 2010-09-06 21:33:41 UTC --- Reference to Comment 2: where do I enter 'gnomesu gedit' Reference to Comment 3: It brings up the menu but most of the sub-items will not work when started from gnome-terminal. I typed 'yast2' at the text mode command line (I.E. outside of Gnome) and it works correctly. Reference to Comment 4: Yes, there are errors. That is why I was trying to run yast2 to try and correct some of them. The logs were a) retrieved from /var/logs/ b) startx >startx.log -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c7 --- Comment #7 from Don Hughes 2010-09-07 00:49:13 UTC --- Running gnomesu gives gnomesu 3756 No services for libgr10mesu are available. Running startx from a non-privileged user gives: Fatal server error: xf86OpenConsole: Cannot open virtual console 7 (Permission denied) Changing the sysconfig/security PERMISSION_SECURITY setting from paranoid to easy and I can start a non-privileged startx session and gnomesu does ask for a password. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c9 --- Comment #9 from Vincent Untz 2010-09-07 13:50:00 UTC --- My first reaction is that running X as root and having paranoid PERMISSION_SECURITY is weird: you should never run a desktop session as root. Will need to investigate for the real issue, though. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c11 --- Comment #11 from Vincent Untz 2010-09-07 14:33:19 UTC --- (In reply to comment #10)

Please have a look at the first few lines of /etc/permissions.paranoid . Then, reconsider.

Can you highlight the lines that tell it's okay to run a desktop session as root? :-) And I've not closed the bug, so it'll be considered. But it might be that there's nothing to fix because of the paranoid mode -- it needs investigation. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c13 --- Comment #13 from Vincent Untz 2010-09-07 15:28:41 UTC --- (In reply to comment #12)

Frankly, I don't feel inclined to comment on the desktop session as root thingy. :)

Ah apologies, I misunderstood, then :-) I'm tempted to agree with your conclusion, btw. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c15 --- Comment #15 from Vincent Untz 2010-09-08 11:47:45 UTC --- (In reply to comment #14)

Looking at libgnomesu code, it looks like it supports both su and pam as privilege escalation methods. And, apparently, none of which can be used on the paranoid level.

Anyway, I wonder why, when getui() == 0, gnomesu doesn't just do an execv() ?!

I guess we could.

Either way, Vincent, do you this is worth showing an error window? I mean, gnomesu is rarely used via the command-line, so any error message should also be shown in a window...

On the other hand, libgnomesu seems to be lacking maintenance, and, without the supervision of someone knowledge of the code, I'm worried I might introduce some fatal bug in the process of adding an error window there.

If you write a patch, I'll review it. We're more or less upstream for gnomesu, now anyway (even though we don't use any real vcs for it, just our package). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c17 --- Comment #17 from Vincent Untz 2010-09-08 12:23:13 UTC --- (In reply to comment #16)

You say "that running X as root and having paranoid PERMISSION_SECURITY is weird: you should never run a desktop session as root". However, with paranoid PERMISSION_SECURITY, the only way that you CAN run X is as root.

And therefore I wouldn't use X in paranoid mode.

I have an application server that, unfortunately, requires a gui for some of its configuration. Normally, no one is logged into the system. I chose permissions.paranoid for the reduced attack exposure. When I need to make configuration changes, I start X. If you have suggestions for an alternative setup, I would appreciate your input.

I don't have any good suggestion here, unfortunately. I would probably change the mode from paranoid to secure while I have ti run the config tool, but that's just me.

If permissions.paranoid was not intended to be used without modification, please rename it to permissions.paranoid.template, or permissions.paranoid.example; and please edit the comments.

You might want to file a different bug for this -- this is not for the GNOME team.

Regardless of how the permissions got changed - either through PERMISSION_SECURITY or manually - gnomesu should fail a little less obtusely. I have had this problem for a number of months, and it was not obvious that it was really a permissions issue.

Yes, we agree on that :-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c19 Ricardo Cruz changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #388269|0 |1 is obsolete| | --- Comment #19 from Ricardo Cruz 2010-09-09 03:22:05 UTC --- Created an attachment (id=388413) --> (http://bugzilla.novell.com/attachment.cgi?id=388413) Another approach (gnomesu.c) Instead of showing the error window at the libgnomesu.c level, this one does so from gnomesu.c. It might be less intrusive and complex. Code: a) added a gnomesu_get_error() that works similarly to perror() b) if gnomesu_spawn_...() returns FALSE, check that gnomesu_get_error() != NULL, and show the user an error message. (Notice that gnomesu_spawn_...() returns FALSE if the user pressed Cancel too, not necessarily for errors.) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c21 --- Comment #21 from Ricardo Cruz 2010-09-09 03:30:08 UTC --- Created an attachment (id=388415) --> (http://bugzilla.novell.com/attachment.cgi?id=388415) Stock icon patch Vincent, this patch is so that the "Continue" button of gnomesu doesn't show an icon, in case those are disabled for Gnome (now the default). It just uses GTK's convenience methods, which also greatly simplifies the code too. Should we contact gnomesu's author, to get at least some of these changes upstream? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=637215 https://bugzilla.novell.com/show_bug.cgi?id=637215#c23 Dominique Leuenberger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX --- Comment #23 from Dominique Leuenberger 2013-09-29 17:10:09 UTC --- Dear Reporter, Thank you for taking the time to report this bug and helping to make openSUSE better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in openSUSE since the time you reported the bug and your problem may have been fixed with some of the updates. It would help us a lot if you could test it on a current, supported openSUSE version. When you test it and it is still an issue, kindly reopen this bug and move it to the tested version of openSUSE. Truly yours. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.