49

I installed Ubuntu 17.10. Now I am having trouble with gksu:

$ gksu -dg synaptic
No ask_pass set, using default!
xauth: /tmp/libgksu-HgUjgQ/.Xauthority
STARTUP_ID: gksu/synaptic/8760-0-alex-XPS-15-9530_TIME4974977
cmd[0]: /usr/bin/sudo
cmd[1]: -H
cmd[2]: -S
cmd[3]: -p
cmd[4]: GNOME_SUDO_PASS
cmd[5]: -u
cmd[6]: root
cmd[7]: --
cmd[8]: synaptic
buffer: -GNOME_SUDO_PASS-
brute force GNOME_SUDO_PASS ended...
Yeah, we're in...
Unable to init server: Could not connect: Connection refused
(synaptic:8767): Gtk-WARNING **: cannot open display: :1
xauth: /tmp/libgksu-HgUjgQ/.Xauthority
xauth_env: (null)
dir: /tmp/libgksu-HgUjgQ

If I don't use -g, the password dialog is disabled. So looks like a problem with creating a tty for root.

Any advice?

muru
  • 197,895
  • 55
  • 485
  • 740

8 Answers

60

Note this answer is specific to versions of Ubuntu using Wayland, 17.10 being the first release to use Wayland by default.

It is a feature not a bug! It is a design feature of Wayland that you can not start graphical applications as root from the terminal.

The main discussions are of course on the Fedora sites. See Fedora bug #1274451 and Graphical applications can't be run as root in wayland (e.g. gedit, beesu, gparted, nautilus) on Ask Fedora. But there is some discussion on the Ubuntu sites as well (Ubuntu Devs Uncertain about Using Wayland by Default in 17.10 - OMG! Ubuntu).

Ubuntu bug report: Unable to launch pkexec'ed applications on Wayland session

Potential work around - If you are editing system files with a graphical editor (such as gedit) use a command line tool such as nano or vim or emacs. nano is typically easier for new users, vim is more powerful and has more features, see this Vim Tutorial or similar.

At any rate, if you really want or need to run graphical apps as root, set xhost first which forces fallback to Xserver.

To set permissions run:

xhost si:localuser:root 

When you are finished, to remove permissions

xhost -si:localuser:root 

You can add a graphical / desktop option to do this as per this synaptic bug report

pkexec'ed applications may be healed with xhost +si:localuser:root placed in XDG autostart as follows (N0rbert's idea):

cat <<EOF | sudo tee /etc/xdg/autostart/xhost.desktop
[Desktop Entry]
Name=xhost
Comment=Fix graphical root applications
Exec="xhost +si:localuser:root"
Terminal=false
Type=Application
EOF

You could add this xhost command to .bashrc, but I would advise a pair of aliases

alias gsuon='xhost si:localuser:root'

alias gsuoff='xhost -si:localuser:root'

You can name the aliases whatever you wish.

For details see:


Switch back to Xorg

If you prefer Xorg for any reason, you can select to run on Xorg at login

See How do you switch from Wayland back to Xorg in Ubuntu 17.10?

N0rbert
  • 99,918
Panther
  • 102,067
  • Does this workaround work with Mir as well? – Eliah Kagan Oct 04 '17 at 14:59
  • I do not know about MIR, it may. – Panther Oct 04 '17 at 15:01
  • 1
    Or just xhost +local: – chaskes Oct 04 '17 at 16:25
  • @chaskes Less secure, but sure – Panther Oct 04 '17 at 16:58
  • Great answer :-) Please fix typo: alias gsuoff='-si:localuser:root' --> alias gsuoff='xhost -si:localuser:root' – sudodus Oct 23 '17 at 07:07
  • 20
    "It is a feature not a bug!"... sigh. These kinds of things are exactly the reason I cannot convince my friend and colleagues to switch to Linux. Using VIM and Nano is not an alternative to GEdit. Gedit works like notepad, while you need to learn CTRL-codes for those others. And take for instance Nano using terms like "Write Out" instead of "Save".... Very user unfriendly. – JHBonarius Oct 30 '17 at 07:43
  • 10
    This also completely breaks gparted, which is kinda an important thing to have access to. What ever happened to "Do not try to prevent stupid people from doing stupid things; you will only succeed in preventing clever people from doing clever things."? – Matthew Najmon Feb 23 '18 at 18:32
  • @MatthewNajmon - Try the work around and file a bug report. Otherwise, this is not really the place to complain about the problem. – Panther Feb 24 '18 at 03:01
  • As of Feb 15, the "xhost" command allowed gksu "deja-dup --backup" to work. As of Mar 29, it no longer works. The password prompt is given but the graphic no longer accepts the password. It goes into the terminal running the gksu command in plain text. – jpezz Mar 29 '18 at 21:00
  • 1
    It is better to just type sudo -EH application instead of nasty xhost hack. xhost is opening X wrapper for root access and this is insecure. If an application is written against Wayland API, like gedit for example, it would be better to run it as sudo -EH gedit. The switch -E preserves the env variables (like WAYLAND_DISPLAY) and this is the trick – ZAB May 03 '18 at 18:55
  • use a command line tool – and call it like sudoedit myfile instead of sudo whatever-editor myfile – törzsmókus Mar 05 '19 at 21:37
  • The ubuntu wiki also says that: https://wiki.ubuntu.com/Wayland, yet I can run gtk apps in ubuntu on wayland just fine with sudo. Why? – sezanzeb Feb 20 '21 at 22:31
  • This so-called "feature" also breaks e.g. the Matlab Linux installer. It is truly a bug for some workflows, even if it is a "feature" for a majority. – MRule Sep 21 '22 at 08:20
23

Solutions

In Wayland it is often difficult to run GUI application programs with elevated (sudo -H, gksu ...) permissions. It is a good idea to do such tasks with command line tools.

But there are workarounds, if you have a GUI tool, that works well for you and needs elevated permissions. (I use two such standard tools: the Synaptic Package Manager, synaptic and the partitioning tool Gparted, gparted. I use MakeUSB to create USB boot drives, mkusb, too, but it can run the parts that need elevated permissions without graphics.)

gvfs admin backend

The gvfs admin backend is a good tool for elevated permissions with GUI tools. In Ubuntu 17.10 (gvfs >= 1.29.4) and newer versions you can use the gvfs admin backend. Notice that you need the full path, for example

thunar admin:///path/to/directory
gedit admin:///path/to/file

In theory, the gvfs admin backend method (which uses polkit) is better and safer (than xhost and sudo -H), regardless of the UI you use.

You don't run the whole application as root. Privilege escalation happens only when strictly necessary. See the following link and links from it,

xhost and sudo -H

  1. There is a workaround to allow graphical application programs owned by other users than the logged in user in Wayland,

     xhost +si:localuser:root
    
  2. gksu and gksudo are not bundled with standard Ubuntu and do not work here, but they work in Xorg.

    Instead you can use

     sudo -H
    

    Edit:

    -H is no longer necessary (in 20.04 LTS and newer versions)

    Prior to 20.04 (or maybe 19.10, I can't remember when) using sudo for a GUI application, particularly the file manager, could change ownership of files and folders in your home to root, completely removing your ability to login to the system as user. Changes to the way the system uses sudo means that the danger of that happening has now gone so it should be safe as far as that problem is concerned.

    end of edit

  3. It is a good idea to prevent graphical application programs owned by other users than the logged in user afterwards,

     xhost -si:localuser:root
    

nautilus-admin

It is also possible to use nautilus-admin for file operations with elevated permissions and to use gedit with elevated permissions. This is described in the following AskUbuntu answer,

Temporary access for root to the Wayland desktop via function gks

Please avoid sudo GUI-program. It can cause the system to overwrite the configuration files for your regular user ID with root's configuration and set ownership and permissions to fit root and lock out your regular user ID. You should run GUI applications with sudo -H, which writes the configuration files in root's home directory /root. Example:

sudo -H gedit myfile.txt

But there is a risk that you forget -H. Instead you can create a function, for example gks

gks () { xhost +si:localuser:root; sudo -H "$@"; xhost -si:localuser:root; }

and store it in your ~/.bashrc near the aliases. Then you can run

gks gedit myfile.txt

in a way similar to how you used gksudo before.

Testing

You can check how sudo, sudo -H and gks work with the following commands

sudodus@xenial32 ~ $ sudo bash -c "echo ~"
/home/sudodus
sudodus@xenial32 ~ $ sudo -H bash -c "echo ~"
/root
sudodus@xenial32 ~ $ gks () { xhost +si:localuser:root; sudo -H "$@"; xhost -si:localuser:root; }
sudodus@xenial32 ~ $ gks bash -c "echo ~"
localuser:root being added to access control list
/root
localuser:root being removed from access control list
sudodus@xenial32 ~ $ 

and of course

gks gedit myfile.txt

according to the example in the previous section.

Method that works via Alt-F2 and Gnome Shell menu

Instead of adding a simple one-line function to ~/.bashrc, you can make a system, that works also without bash. It may be convenient to use, but is more complicated to set up. Please notice that you should install only one of the alternatives, because the one-line function will disturb using this more complicated system.

Three files

The shellscript gks:

#!/bin/bash

# Let root connect to the X server for the duration of this script
xhost +si:localuser:root

if [ $# -eq 0 ]
then
 # No command given: ask for one in a small console window
 xterm -T "gks console - enter command and password" \
 -fa default -fs 14 -geometry 60x4 \
 -e bash -c 'echo "gks lets you run command lines with GUI programs with temporary elevated permissions in Wayland.";
 read -p "Enter command: " cmd;
 cmdfile=$(mktemp); echo "$cmd" > "$cmdfile";
 sudo -H bash "$cmdfile"; rm "$cmdfile"'
else
 # Command given: only the password is asked for
 xterm -T "gks console - enter password" -fa default -fs 14 -geometry 60x4 -e sudo -H "$@"
fi

# Remove root from the access list again
xhost -si:localuser:root;

The desktop file gks.desktop:

[Desktop Entry]
Version=1.0
Categories=Application;System;
Type=Application
Name=gks
Description=Run program with temporary elevated permissions in Wayland
Comment=Run program with temporary elevated permissions in Wayland
Exec=gks %f
Icon=/usr/share/icons/gks.svg
Terminal=false
StartupNotify=false
GenericName[en_US.UTF-8]=Run program with temporary elevated permissions in Wayland

The icon file gks.svg looks like this: [image]

You can download the icon file or a tarball with all three files from this link,

wiki.ubuntu.com/Wayland/gks

Copy the [extracted or copied & pasted] files to the following locations,

sudo cp gks /usr/bin
sudo cp gks.desktop /usr/share/applications/
sudo cp gks.svg /usr/share/icons

Logout/login or reboot, and there should be a working desktop icon. It will work from a terminal window like with the simple solution with the function.

Alt F2 box: [screenshot]

Gnome Shell menu: [screenshot]

gks console and gparted: [screenshot]

Custom script and desktop file

If you have only a few GUI applications, that need elevated permissions, you could make custom scripts and desktop files for them and avoid entering the command (application name). You would only enter the password, which is not more difficult compared to the previous versions of Ubuntu (you should enter the password anyway).

Example with the simple GUI program xlogo that comes with the program package x11-apps:

The shellscript gkslogo (simplified compared to gks),

#!/bin/bash

xhost +si:localuser:root

xterm -T "gks console - enter password" -fa default -fs 14 -geometry 60x4 -e sudo -H xlogo

xhost -si:localuser:root;

The desktop file gkslogo.desktop:

[Desktop Entry]
Version=1.0
Categories=Application;System;
Type=Application
Name=gkslogo
Description=Run program with temporary elevated permissions in Wayland
Comment=Run program with temporary elevated permissions in Wayland
Exec=gkslogo
Icon=/usr/share/icons/gks.svg
Terminal=false
StartupNotify=false
GenericName[en_US.UTF-8]=Run program with temporary elevated permissions in Wayland

I was lazy and used the same icon file gks.svg

Copy the [copied & pasted] files to the following locations,

sudo cp gkslogo /usr/bin
sudo cp gkslogo.desktop /usr/share/applications/

gks[logo] console and xlogo: [screenshot]

sudodus
  • 46,324
  • 5
  • 88
  • 152
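A variant of the gks function above that revokes the grant even when the command fails or the shell exits early, and leaves a grant alone if root was already on the list before it ran. This is an added example, not part of the original answer; root_already_allowed is a helper name chosen here, and it assumes xhost prints the entry as SI:localuser:root.

```shell
#!/usr/bin/env bash
# Added example: scoped xhost grant with guaranteed revoke.
# Source this file (for example from ~/.bashrc) to get the gks function.

# Return 0 if root is already on the X access list.
# Assumption: xhost lists the entry as "SI:localuser:root".
root_already_allowed() {
    xhost 2>/dev/null | grep -qx 'SI:localuser:root'
}

gks() {
    if [ "$#" -eq 0 ]; then
        echo "usage: gks command [args...]" >&2
        return 2
    fi
    (
        # Subshell: the EXIT trap below is scoped to this one call and
        # fires on normal exit, on failure and when the subshell is aborted.
        if ! root_already_allowed; then
            trap 'xhost -si:localuser:root >/dev/null' EXIT
            xhost +si:localuser:root >/dev/null || exit 1
        fi
        sudo -H "$@"
        status=$?
        # Explicit exit keeps sudo from being the last command of the
        # subshell, so the trap is always run by the shell itself.
        exit "$status"
    )
}
```

The exit status of gks is the exit status of the command run through sudo, so it can be used in scripts the same way as sudo -H.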
  • 1
    Is the "Temporary access for root to the Wayland desktop via function gks" a safer method (e.g. than adding a file like /etc/xdg/autostart/xhost.desktop as also suggested) because it ends by restoring the original environment? And can we safely replace sudo -H with gksu in the alias so as to use insert into .desktop files, etc.? – Sadi Oct 30 '17 at 19:09
  • 1
    Yes, I would think it is safer to allow root access to the desktop only when necessary. And yes, you can replace sudo -H with gksu in the function, it may work better for your applications. – sudodus Oct 30 '17 at 19:15
  • How to do in case Alt-F2 or Gnome Shell menu? – Alex Chapiro Oct 31 '17 at 09:26
  • @AlexChapiro, I enjoyed modifying this method for Alt-F2 and the Gnome Shell menu :-) – sudodus Oct 31 '17 at 21:59
  • Thanks, it works now. I'll test it more later, but at the first glance all the problems had been resolved. – Alex Chapiro Nov 01 '17 at 01:19
  • I tried replacing sudo -H with gksu in the function, but it didn't work, which should have been expected; so it seems there's no way of escaping from the use of terminal ;-) – Sadi Nov 01 '17 at 18:05
  • @Sadi, You are right, It does not work to replace sudo -H with gksu in the function. There is a complaint "Unable to copy the .Xauthority file". I tested in Xorg, where gksu and gksudo work, hoping that the copied file would somehow survive after logout and login to Wayland, but no. – sudodus Nov 01 '17 at 18:27
  • @Sadi, However, you can use terminal in an implicit way with the second method using the shellscript and desktop file. If you have only a few GUI applications, that need elevated permissions, you could make custom scripts and desktop files for them and avoid entering the command (application name). You would only enter the password, which is not more difficult compared to gksu. – sudodus Nov 01 '17 at 18:35
  • Yes, indeed! I think Alt+F2 way represents the closest equivalent to the obsolete method that we are missing now, and thank you for this :-) @AlexChapiro , I highly recommend this to be marked as the answer ;-) – Sadi Nov 01 '17 at 18:49
  • 1
    +1 for extremely thorough answer. Similar to your gks abbreviation I had setup gsu to use policy kits (the new future for 16.04) for gedit and nautilus. When 18.04 comes out though I think I'll just name the xhost +si... wrapper script gksu which I'll never install from packages starting with 18.04. – WinEunuuchs2Unix Dec 24 '17 at 23:22
  • 2
    "Wayland is designed to not allow elevated (sudo -H, gksu ...) permissions with GUI application programs." -- false. Wayland allows root applications just fine. You can see this by running sudo -E gedit. There is currently a bug in gdm where it configures the Xwayland X11 compatibility server to not support XAUTHORITY, which is required for X11 applications running as root to work. Native wayland applications running as root work just fine. – psusi Feb 21 '18 at 02:53
  • 1
    @psusi, I modified the answer to avoid statements about the design and intentions of Wayland. – sudodus Feb 21 '18 at 07:01
6

Better check whether Wayland is really running first before granting root rights

# Quoted so the test also works when XDG_SESSION_TYPE is unset
if [ "$XDG_SESSION_TYPE" = "wayland" ]; then
    xhost +si:localuser:root
fi
6

If you are using Ubuntu 17.04 or higher, it is recommended to use the gvfs admin backend. Simply add admin:// to the front of the full filepath you want to open in an app like the Text Editor or the Files apps.

For instance, to change boot settings, open

admin:///etc/default/grub

This method uses PolicyKit and will still work with Ubuntu 17.10's Wayland default, while sudo and gksu for GUI apps won't.

Jeremy Bicha
  • 8,234
  • 1
    Thanks. For me this worked best with gedit (except a strange behavior when used simply as gedit admin:), very oddly with nautilus (almost useless), and totally failed with synaptic. Any ideas? – Sadi Oct 30 '17 at 18:52
  • It's not going to work with synaptic. It should work fine in nautilus though, but you need to pick a directory not a file like admin:///etc/ – Jeremy Bicha Oct 31 '17 at 20:28
  • 1
    It kind-of works with nautilus but you'll see what I mean ("very oddly", "almost useless") even when you directly open a directory, and start trying to do this and that ;-) – Sadi Nov 01 '17 at 10:46
  • @Sadi I have no idea what "this and that" is. You could file a bug if it doesn't work right. – Jeremy Bicha Nov 16 '17 at 19:13
3

For applications which use su-to-root and pkexec you may want to add this code to /etc/xdg/autostart (see my comment at launchpad) at your own risk:

cat <<EOF | sudo tee /etc/xdg/autostart/xhost.desktop
[Desktop Entry]
Name=xhost
Comment=Fix graphical root applications
Exec="xhost +si:localuser:root"
Terminal=false
Type=Application
EOF

Other root applications are broken on Wayland too (see bug 1713313 and bug 1713311 ).


If you do not want a permanent solution, you may use @ravery's method:

just type xhost +si:localuser:root in the terminal before launching privileged application

N0rbert
  • 99,918
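To check whether a machine still carries a standing grant like the autostart entry above, the following added example (not from the original answers; the function names are chosen here) lists autostart .desktop files whose Exec line adds an xhost entry and classifies lines of xhost output. It assumes the XDG autostart directories and the LOCAL: and SI:localuser:root spellings that xhost prints.

```shell
#!/usr/bin/env bash
# Added example: audit for standing xhost grants.

# Print autostart .desktop files whose Exec line adds an xhost entry.
# Usage: find_xhost_autostart [dir...]  (defaults: the XDG autostart dirs)
find_xhost_autostart() {
    [ "$#" -gt 0 ] || set -- /etc/xdg/autostart \
        "${XDG_CONFIG_HOME:-$HOME/.config}/autostart"
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            # Any first argument not starting with "-" adds an entry
            # ("xhost +si:...", "xhost si:...", "xhost +local:").
            if grep -Eq '^Exec=.*xhost[[:space:]]+[^-[:space:]]' "$f"; then
                echo "$f"
            fi
        done
    done
}

# Classify one line of `xhost` output: prints "broad", "root" or nothing.
classify_xhost_entry() {
    case "$1" in
        "access control disabled"*) echo broad ;;  # result of "xhost +"
        LOCAL:*)                    echo broad ;;  # result of "xhost +local:"
        SI:localuser:root)          echo root ;;   # root only
    esac
}

# Report autostart grants plus the live access list of the current display.
audit_xhost() {
    find_xhost_autostart "$@" | sed 's/^/autostart grant: /'
    xhost 2>/dev/null | while IFS= read -r line; do
        kind=$(classify_xhost_entry "$line")
        [ -z "$kind" ] || echo "live ACL ($kind): $line"
    done
}
```

Run audit_xhost inside the desktop session; an entry reported as broad corresponds to the xhost +local: variant that the comments above call less secure.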
1

If an application supports the Wayland API you can run it as root using the sudo -EH application command.

The -E switch tells sudo to preserve environment variables (as well as WAYLAND_SOCKET and XDG_RUNTIME_DIR) needed by Wayland applications. It is always better to use this option over the nasty xhost hack proposed in other answers. xhost allows the application to run from under the X wrapper, which is less secure than using Wayland (shared clipboard, keylogging etc). The sudo -EH trick won't work with an application that hasn't been rewritten for Wayland, like gparted for example, but would work with gedit etc.

ZAB
  • 253
  • 3
  • 11
0

This is based on Thomas Guyot-Sionnest's answer.

I feel like this deserves its own answer, since it is very simple and cleaned up so many issues for me. Create a shell script called wlsudo with the following contents:

#!/usr/bin/env bash
socat UNIX-LISTEN:/tmp/.X11-unix/X1 UNIX-CONNECT:/tmp/.X11-unix/X0 & sudo DISPLAY=:1 "$@"

Save it in a directory on your $PATH, and give it executable permissions (chmod +x ./wlsudo). You should then be able to launch GUI apps using wlsudo in place of sudo in Wayland, e.g. wlsudo synaptic just works.

MRule
  • 440
0

Actually the following code almost works:

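#! /bin/bash
set -e
if [ -z "$1" ] ; then
    echo "Application is not specified" ;  exit 1
fi
# Quoted so the test does not fail when XDG_SESSION_TYPE is unset
if [ "$XDG_SESSION_TYPE" = "wayland" ]; then
    # Only take the sudo path when attached to a terminal
    if [[ -t 1 ]]; then
       xhost +si:localuser:root
       sudo -u root "$@"
       # Remove the grant again ("xhost -" alone only enables access control)
       xhost -si:localuser:root
       exit 0
    fi
fi
gksu "$@"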

(Please excuse my naive style of bash coding; I'm a sort of newbie with this subject.) It doesn't work stably from Alt-F2 if the last selection was not a terminal; in this case we just cannot set focus to the password dialog. Looks like it works from the Gnome menu. Anyway: 1. It is not a 100% solution. 2. It seems to me that Ubuntu architects think that we are not supposed to search for any workarounds.