Do not require sudo for default Desktop

Registered by Kees Cook on 2009-04-28

Identify remaining elements needed to remove the use of "sudo" for the default Desktop install. Switching entirely to PolicyKit would be the primary goal.

Blueprint information

Not started
Rick Clark
Kees Cook
Needs approval
Series goal:
Milestone target:


* Reasons for getting sudo out of Desktop
 * Central place to configure authorizations (PolicyKit)
 * no graphical applications should ever run as root
 * sudo is all or nothing in some environments, which means regular people may not be able to perform the privileged actions they need

* Identify remaining default tools using sudo/gksudo
 * apport
 * synaptic, gdebi, update-notifier, apturl

  -> And what about terminal stuff? sudo cp, ln.. should work, or would it require full root access?

* Deprecation Plans

* State of packaging
 * packagekit (backend as root, frontend not)
 * need to pass ENV variables to gui frontend which runs as root
 * gksu/policykit
  * talks to dbus service and says 'run this as root'
  * not as trusted as sudo (which is defensive and has many checks)
  * unstable
  * could be adjusted to have whitelisted commands
  * needs to be a one-time allowed action
  * packages (like synaptic) will declare themselves for whitelisting in some
 * future dbus functionality to pass pty fd over dbus to vte terminal
 * policykit frontend not attractive

* removing sudo package from default install?
 * users don't want to use synaptic to install sudo
 * lots of people are used to sudo being there
 * copy/paste of sudo commands is wide-spread
 * removing sudo means there is one less avenue of attack
 * if X doesn't come up, it is harder to fix stuff
 * remove/rename admin group from /etc/sudoers (so user has to add a group
   via policykit aware application, ...)

091017: Here is a more detailed and up to date list of packages depending on gksu. Not that many dependencies left in main.
The ones depending on gksu in the default installation are apturl, gdebi, gnome-codec-install, network-manager-gnome, software-properties-gtk, update-notifier, checkbox-gtk and update-manager //Olof
 * multiverse
  * controlaula
  * lubuntu-desktop
  * mythtv-backend
  * mythtv-frontend
 * main
  * apturl
  * gdebi
  * gnome-app-install
  * gnome-codec-install
  * gnome-utils
  * gparted
  * libgksu2-0
  * nautilus-gksu
  * network-manager-gnome
  * sabayon
  * synaptic
  * software-properties-gtk
  * update-notifier
 * universe
  * aptlinex
  * aptoncd
  * brdesktop-gnome
  * ettercap-gtk
  * foomatic-gui
  * galternatives
  * gapti
  * gdecrypt
  * gexec
  * gkdebconf
  * gnome-desktop-environment
  * gnome-netstatus-applet
  * gpppon
  * gufw
  * hplip-gui
  * kleansweep
  * live-magic
  * macchanger-gtk
  * menu
  * mythbuntu-live-autostart
  * network-config
  * pcmanfm
  * pcmanfm-nohal
  * pysdm
  * update-manager-hildon
  * usb-imagewriter
  * wicd
  * xnetcardconfig
  * zenmap
* False depends?
 * checkbox-gtk
 * update-manager
* Fixed
 * gdm
 * kvpnc
 * mythbuntu-control-centre
 * usb-creator
* Removed
 * gnome-apt

090724 Olof
1. Is this dependency valid for checkbox-gtk? I ran the program as a normal user and did some grepping in the source code and couldn't find any references to gksu. If I'm wrong, could someone point out the relevant code?
2. Is there any interest in porting software-properties-gtk and update-manager to use aptdaemon, or will these programs be superseded by "AppCenter" when Karmic is released? -> (mvo) adding a backend for update-manager is done with 0.124.6, porting software-properties-gtk is a bit more work
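
One way to carry out the "identify remaining tools" audit and produce a per-component list like the one above, given as an added example that is not part of the blueprint or of any Ubuntu tool. It parses a constructed Packages-index sample; `SAMPLE_PACKAGES`, `TARGETS`, the function names and the choice to match `libgksu2-0` as well as `gksu` are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in Debian "Packages" index format (values are illustrative).
SAMPLE_PACKAGES = """\
Package: gdebi
Section: admin
Depends: python, gdebi-core, gksu

Package: zenmap
Section: universe/net
Recommends: gksu

Package: mythtv-backend
Section: multiverse/graphics
Depends: mythtv-common, libgksu2-0 (>= 2.0.8) | kdebase-bin

Package: example-viewer
Section: gnome
Depends: libgtk2.0-0, gksu-themes-example
"""
TARGETS = {"gksu", "libgksu2-0"}
DEP_FIELDS = ("Pre-Depends", "Depends", "Recommends")

def parse_stanzas(text):
    """Yield one {field: value} dict per blank-line-separated stanza."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:  # folded continuation line
                fields[last] += " " + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        yield fields

def dep_names(value):
    """Bare package names in a dependency field (no versions, arch tags or '|')."""
    found = (re.match(r"\s*([a-z0-9][a-z0-9+.\-]+)", alt) for alt in re.split(r"[,|]", value))
    return {m.group(1) for m in found if m}

def gksu_dependents(text, targets=TARGETS):
    """Map component -> sorted [(package, field)]; Section is 'component/...' except in main."""
    out = defaultdict(list)
    for st in parse_stanzas(text):
        component = st.get("Section", "").rpartition("/")[0] or "main"
        for field in DEP_FIELDS:
            if dep_names(st.get(field, "")) & targets:
                out[component].append((st["Package"], field))
                break
    return {c: sorted(v) for c, v in out.items()}
```

Names are compared whole, so a package such as the constructed `gksu-themes-example` is not reported as a gksu dependency. The same functions can be given the text of an uncompressed Packages index instead of the sample.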

