I've read the comunity "RootSudo" documentation and am interested in this line:
You should never use normal sudo to start graphical applications as Root.
Why? What is the difference? Please provide a simple explanation, as I'm just a normal desktop user.
In Ubuntu 19.10 and later, the admonition in that article (and in this answer) no longer applies. See WinEunuuchs2Unix's answer as well as this question.
Graphical applications often store settings and other user-specific data in configuration files written inside the user's home folder. The main mechanism applications use to determine what they should use as the user's home folder is the HOME environment variable. (You can inspect it yourself with echo $HOME).
Suppose you're running gedit (a graphical text editor) as root. If you run sudo gedit, HOME will continue to point toward your home directory, even though the program is running as root. Consequently, gedit will write configuration files as root into your home directory. This will sometimes result in the configuration files being owned by root and thus inaccessible to you (when you later run the program as yourself and not as root). This mainly happens when the application has to create a new configuration file. Newly created files, by default, are owned by the user who creates them (who in this case is root, not you).
That's the primary reason why you should run graphical applications with a graphical sudo frontend rather than with straight sudo. In Ubuntu and most of its derivatives (including Xubuntu and Lubuntu), the standard graphical frontend is gksu/gksudo. In Kubuntu it is kdesudo. (It depends on the desktop environment being used.)
If you want to use sudo directly to run a graphical application like gedit, you can run:
sudo -H gedit
The -H flag makes sudo set HOME to point to root's home folder (which is /root).
That still won't automatically handle the ownership of .Xauthority by copying it to a temp folder (this is the other thing that graphical sudo frontends take care of for you). But in the infrequent event that .Xauthority is inaccessible, you'll get an error saying it is, and then you can fix the problem by deleting it (sudo rm ~/.Xauthority), as it's automatically regenerated. Thus, protecting .Xauthority's ownership and permissions is less important than protecting the ownership and permissions of configuration files.
In contrast to a root-owned .Xauthority, when configuration files become owned as root, it's not always as obvious what the problem is (because graphical programs will often run, but not work very well, and output any useful errors to the console). And it's sometimes a bigger hassle to fix, especially if you're in a situation where you want one or more files in your home directory to be owned by someone other than you (because then you cannot fix it simply by recursively chowning all your files back to yourself).
Therefore, sudo (at least without -H) should not be used to run a graphical application unless you are highly familiar with the app's inner workings and know for sure that it does not ever attempt to write any configuration files.
sudo chmod -R $USER:$USER ~ Unfortunately, those criteria don't always apply. If you have any files where you need to preserve the group owner, you can run sudo chmod -R $USER ~. This is usually sufficient. (If you have files need to be owned by another user in your home directory, even that will be a problem.)
– Eliah Kagan
Mar 20 '13 at 05:46
sudo, it's possible that you've been fortunate enough that you don't have any root-owned configuration files. (This could happen if it never had to create a file, which is the main circumstance where a file becomes owned by root.) If you haven't had any problems, I wouldn't worry.
– Eliah Kagan
Mar 20 '13 at 05:54
chmod actually do it? I always thought it was chown that did it. chmod never did it for me.
– Wyatt Ward
Sep 10 '15 at 20:06
chown instead of chmod in my comments above. Sorry about that -- and thanks for pointing this out!
– Eliah Kagan
Dec 31 '16 at 23:10
gksudo you don't have to worry about this. When you use gksudo or kdesudo to run a GUI program, you won't get unexpected root-owned files in your home directory. That's why they're ideal. You also get a graphical password prompt, so you can use them from a run dialog (Alt+F2) as well as a terminal. The reason I mention sudo -H is only some Ubuntu flavors have gksudo or kdesudo preinstalled anymore. You can still install gksudo. (kdesudo is only for a system with KDE.) But if you don't want to, sudo -H is a reasonable choice and far better than bare sudo.
– Eliah Kagan
Jul 04 '17 at 00:16
gksudo shouldn't be used, and I don't recommend aliasing sudo to it. For non-GUI commands, you sometimes want to keep $HOME; gksudo requires a usable display (try DISPLAY= gksudo ls vs. with sudo); sudo and gksudo have different options and some of the "same" ones like -k are unrelated; and gksudo prompts for a password even if you just ran it successfully. Also you'd still need to be careful as aliases aren't always expanded.
– Eliah Kagan
Sep 07 '17 at 14:34
sudo -H echo $HOME still returns my normal user's home and not the /root or /home/root directory (sudo version 1.8.21p2 on Linux Mint 19.1).
– The Quark
Jun 18 '19 at 21:17
sudo -H echo $HOME, your shell--running as you, not as root--performs parameter expansion on $HOME, obtaining the path of your home directory, then passes that to sudo, which in turn passes the already-expanded value to echo, which prints it. sudo -H printenv HOME, sudo -H bash -c 'echo $HOME', and sudo -H sh -c 'echo $HOME' all print /root. This is conceptually similar--though by a different mechanism--to how x=a echo "$x" doesn't print a (unless x already had the value a).
– Eliah Kagan
Jun 18 '19 at 21:25
Simply put:
This prevents files in your home directory becoming owned by root.
Read it here. Also, possibly a duplicate of What is the difference between "gksudo nautilus" and "sudo nautilus"?
As of Ubuntu 19.10, typing sudo some_command now has the same effect as typing sudo -H some_command. This means the directory for any configuration files touched will be under /root directory and not /home/regular_userID directory (aka $HOME).
This makes this whole Q&A a moot point to a large degree for Ubuntu 19.10 users and greater.
To see whether sudo is working like sudo -H in your distribution try these short tests:
$ sudo printenv | grep HOME
HOME=/home/rick
$ sudo -H printenv | grep HOME
HOME=/root
As you can see, sudo above does not perform like sudo -H so using plain sudo can harm your user configuration files.
An alternative to gksu nautilus, gksu gedit or sudo -H gedit is to use the nautilus-admin add-on. It allows you to browse files and directories with Nautilus and then open them as root (Administrator).
Installation is straight forward:
sudo apt install nautilus-admin
Now when you are in Nautilus you'll have an extra option to Edit as administrator:
gedit as root doesn't allow preferencesWhen you run gedit as root you can't use the preferences you've set up as a regular user for tab stops, convert tabs to spaces, font name, font size, line wrap, etc.
To solve this I've written the script sgedit to inherit user preferences and apply them to root: How can I sync my root gedit with my user gedit's preferences?
sgedit filename1 filename2 ...sudo -H to preserve file ownership whilst getting root powers.sudo has timed out.gedit as a background task such that terminal prompt reappears immediately.
sudo {GUI command} now just like we would use gksudo {GUI command} before gksudo was removed?
– TrailRider
Jan 25 '20 at 18:16