6

This time and another I need to edit some files that are supposed to be edited by root only.

I would very much prefer to do it in a GUI text editor rather than using command line tools like nano or vi. Yes, it is perfectly possible to do editing using either one of them or the likes, I am merely dissatisfied with this option, because it is inconvenient when compared to working with kate or gedit (personal opinion; it is totally fine if you have the opposite, but I stick to mine).

That being said, I would not like to completely compromise security with a nuclear option xhost si:localuser:root. Is there any middle ground solution (like sudo that, unfortunately, have intentionally been crippled when it comes to running GUI stuff)?

S. N.
  • 305
  • 1
    Try, for example, pkexec gedit. – mikewhatever Jan 15 '21 at 19:20
  • @mikewhatever Did not work.

    Unable to init server: Could not connect: Connection refused

    (gedit:1647550): Gtk-WARNING **: 22:26:54.534: cannot open display:

     – S. N. Jan 15 '21 at 19:28
  • Have you tried sudo gedit /path/to/file? It's probably not the greatest way to do it, but it works for me. – KGIII Jan 15 '21 at 21:11
  • can you try my answer here and give some feedback, if it's working for your case? – moep Jan 16 '21 at 00:17
  • @moep Thank for you suggestion. I has tested your script and I can confirm it working, but... I see that it is based on what I called the nuclear option in my original post (xhost si:localuser:root). This solution does work, but it poses a serious security risk. And the latter is what I would prefer to avoid, if possible. – S. N. Jan 19 '21 at 18:24

2 Answers2

10

1. The admin:// URI

In Ubuntu, the official way to edit system files as root with a graphical editor is to use the admin:// URI. For example, to edit /etc/fstab, issue the following command in the run dialog you obtain after pressing Alt+F2 or on the terminal:

gedit admin:///etc/fstab

In older Ubuntu versions (prior to 20.10), the very first time you do this, you need to supply your user password two times in a row. This has been fixed in 20.10.

Of course, your user needs to belong to the root group in order to edit system files.

2. Using sudoedit

An approach valid for any desktop environment with any editor would be to use sudoedit. Setup the SUDO_EDITOR environment variable to point to the binary of your graphical editor, for example: export SUDO_EDITOR="/usr/bin/gedit". Then, you can use the command sudoedit <file> or sudo -e <file> to open a system file in your graphical editor. Much the way the admin:// URI does, this will create a temporary copy, which you edit as a normal user. Once the editor is closed, the modified temporary copy is copied back over the system file.

This can actually be combined in a single command:

env SUDO_EDITOR="/usr/bin/gedit" sudoedit <file>

Thus, the environment is changed only when you explicitly want to use the graphical editor. You create an alias or create a small script to edit system text files in a graphical editor with a single command.

3. Discouraged: using pkexec

These two options do not at any time run your graphical editor as root, which is preferred. Still, it is possible to run a graphical editor as root using pkexec. You can install a PolicyKit file, but you also may run it with some environment variables. For nautilus users, the package nautilus-admin installs a PolicyKit file for gedit and provides a right-click menu option in nautilus to launch a text file in gedit with root permissions. However, these options, where a graphical application is run as root are, according to man pkexec, discouraged:

As a result, pkexec will not allow you to run X11 applications as another user since the $DISPLAY and $XAUTHORITY environment variables are not set. These two variables will be retained if the org.freedesktop.policykit.exec.allow_gui annotation on an action is set to a nonempty value; this is discouraged, though, and should only be used for legacy programs.

vanadium
  • 88,010
  • Sorry for late answering. When executed in terminal your command gives the following output: ** (gedit:122193): WARNING **: 21:13:22.510: Loading metadata failed: The specified location is not mounted. So gedit does open fstab this way, but it is completely empty. – S. N. Jan 19 '21 at 18:30
  • Not normal. Are you using an older version of Ubuntu? – vanadium Jan 20 '21 at 08:20
  • Not really. It is Lubuntu 20.04 (more or less standard, no serious tweaking or tampering has been done). – S. N. Jan 21 '21 at 15:31
  • My answer is valid for a default Ubuntu install, since you did not specify any desktop environment. I don't think there is an "official", build in way in Lubuntu. – vanadium Jan 21 '21 at 16:16
  • I see. Yes, I suppose I should have, but it simply did not occur to me it might be of importance which specific flavour I was using. Anyway, thank you very much for your helping. – S. N. Jan 21 '21 at 17:05
  • For all things related to the graphical interface, you better mention the desktop environment. Please consider accepting the answer if it helped you. Also check the link I provided under "using pkexec": depending, you may prefer that, because it yields a graphical dialog for your sudo password, and thus can be used from a desktop launcher without needing to open a terminal if that would be a concern. – vanadium Jan 21 '21 at 17:13
  • The first solution of your addendum (the one with sudoedit )works great. The way I see it that is elegant and efficient. I am glad to accept it as the answer (the reason I did not accept the original one was the fact I could not test it on Lubuntu; but this one has passed the test perfectly). And again, thank you! – S. N. Jan 21 '21 at 19:07
  • Thank you! I took the opportunity to add the one liner you can use if you want the environment only be changed on the occasions where you want to use the graphical editor. Such one liner can be defined as an alias, e.g. sugedit=env SUDO_EDITOR="/usr/bin/gedit" sudoedit. – vanadium Jan 22 '21 at 08:08
  • admin:/// doesn't work with Ubuntu 20.04 – Kiruahxh May 03 '21 at 15:52
0

The following command works, no need to install anything:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit <filename>

To simplify things, you can create an alias by putting the following into your ~/.bash_aliases file:

alias editroot='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit'

Then (in a new terminal, in order to re-read ~/.bashrc) you can use the following command:

editroot <filename>
raj
  • 10,353
  • Interesting method. However, running graphical applications as root is not anymore up to date practice, and should, as the manual of pkexec states, be reserved for legacy programs only. Still, "that works". – vanadium Jan 21 '21 at 18:47
  • I tested your solution. Although, I have already accepted another solution as the answer, I can confirm yours is working just as good. I really appreciate your help! – S. N. Jan 21 '21 at 19:10