Opened 2 years ago

Closed 2 years ago

#202 closed enhancement (implemented)

Allow for easy escalation to root in AppVM

Reported by: joanna Owned by: marmarek
Priority: major Milestone: Release 1 Beta 2
Component: core Keywords:
Cc:

Description

Should work for:

  • sudo bash
  • system-config-date

Add explanation why this is a good idea and _not_ a security breach.

Change History (9)

comment:1 Changed 2 years ago by marmarek

  • Owner changed from joanna to marmarek
  • Status changed from new to accepted

comment:2 Changed 2 years ago by marmarek

  • Resolution set to implemented
  • Status changed from accepted to closed

http://git.qubes-os.org/gitweb/?p=marmarek/core.git;a=commit;h=8047ec780a44c6b538b412e0173152045ab82191

comment:3 Changed 2 years ago by joanna

  • Resolution implemented deleted
  • Status changed from closed to reopened

This doesn't work for gpk-application, one of the most important app on a templateVM...

When I open gpk-aplication and then choose "Refresh package list" from the menu, it throws an authorization failure message.

Interestingly e.g. system-config-date works just fine.

comment:4 Changed 2 years ago by marmarek

This requires forcing ConsoleKit? to think that our X session is local.
Perhaps implement own ck-xinit-session?

comment:5 Changed 2 years ago by marmarek

When done - remove workaround for nm-applet (/etc/dbus-1/system.d/qubes-nm-applet.conf and sed on /usr/share/polkit-1/actions/...)

comment:6 Changed 2 years ago by joanna

  • Milestone changed from Release 1 Beta 1 to Release 1 Beta 2

comment:7 Changed 2 years ago by joanna

  • Type changed from defect to enhancement

comment:8 Changed 2 years ago by marmarek

  • Status changed from reopened to accepted

ck-xinit-session-qubes does the work - ConsoleKit? session is set up properly as "local" and "active". I've removed workaround for nm-applet. For other applications which asks for root password, we should remove root password.

Unfortunately polkit-gnome-authentication-agent is still needed, just to (automatically) respond with empty password... When user tries to do some privileged task (i.e. install package), password prompt shows for a (almost unnoticeable) moment.

comment:9 Changed 2 years ago by marmarek

  • Resolution set to implemented
  • Status changed from accepted to closed

http://git.qubes-os.org/gitweb/?p=marmarek/core.git;a=commit;h=bb073c3cdb91775eef966d8bc4f9d4299da7f9ca

Note: See TracTickets for help on using tickets.