Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 486448 - net-firewall/pglinux: avoid gksu usage
Summary: net-firewall/pglinux: avoid gksu usage
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal enhancement (vote)
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords: NeedPatch
Depends on:
Blocks: 425156
  Show dependency tree
 
Reported: 2013-09-29 09:53 UTC by Pacho Ramos
Modified: 2016-10-09 12:03 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Pacho Ramos gentoo-dev 2013-09-29 09:53:46 UTC 
As explained in bug 425156, gksu is dead and should be replaced by direct polkit usage when needed (as was done with gparted). Thanks
Comment 1 Julian Ospald 2013-09-29 11:12:20 UTC 
I do not see any good reason in both bugs.

Is there any security vulnerability? "Old and unmaintained" sounds pretty vague to me.
Comment 2 Pacho Ramos gentoo-dev 2013-09-29 11:47:03 UTC 
It's completely unmaintained and is not the preferred way because it gives full root access to applications instead of relying in polkit to control the access
Comment 3 Julian Ospald 2013-09-29 11:49:22 UTC 
it's still stable and unmasked, still not a good reason
Comment 4 Pacho Ramos gentoo-dev 2013-09-29 11:51:02 UTC 
It's stable and unmasked because it was maintained years ago and the only alternative, and we cannot mast it because of the packages still using it to gain root access
Comment 5 Julian Ospald 2013-09-29 11:51:53 UTC 
so what would be the masking reason then?
Comment 6 Pacho Ramos gentoo-dev 2013-09-29 11:55:23 UTC 
The security implications of using gksu instead of pkexec are shown in "man pkexec". Also, "features" like retaining root access for some time (in the case of gksu) is prone to security issues
Comment 7 Julian Ospald 2013-09-29 11:56:53 UTC 
That's too thin for me.
Comment 8 Pacho Ramos gentoo-dev 2013-09-29 12:06:48 UTC 
Maybe considering that there is not advantage in giving only the necessary privileges to the involved app instead of full root access is your problem. The same for relying on a completely unmaintained app to do this
Comment 9 Pacho Ramos gentoo-dev 2013-09-29 12:07:13 UTC 
I have seen you have reassigned it to gnome team, why? Do you allow us to do the changes?
Comment 10 Pacho Ramos gentoo-dev 2013-09-29 12:09:41 UTC 
You can also see gksu homepage about the migration:
http://www.nongnu.org/gksu/
Comment 11 Julian Ospald 2013-09-29 12:13:37 UTC 
Well, I'm not interested in fixing as long as gksu is in the tree. As you can see it is one of 3 supported implementations. If you replace it, you have to make sure that it WORKS.
Comment 12 Justin Lecher (RETIRED) gentoo-dev 2013-10-25 06:36:39 UTC 
(In reply to Julian Ospald (hasufell) from comment #11)
> Well, I'm not interested in fixing as long as gksu is in the tree. As you
> can see it is one of 3 supported implementations. If you replace it, you
> have to make sure that it WORKS.

You have to fix it as you are the maintainer of net-firewall/pglinux. If the maintainer of gksu follow upstreams recommendations [1] to not use it anymore, then we have a valid reason. So please be cooperative and work together with the net-firewall/pglinux and our gnome team on the migration.


1)
"It is not a good option now that we have PolicyKit."
https://wiki.gnome.org/gksu
Comment 13 Pacho Ramos gentoo-dev 2013-10-25 06:42:41 UTC 
Anyway, I will try to provide a fix for this when I have time to dig into this gksu migration in a future round
Comment 14 Julian Ospald 2013-10-26 17:28:28 UTC 
If you can come up with something interesting, then I can make it go upstream.

Otherwise feel free to remove the gksu dep yourself. This is only an optional dependency and the user selects it in the gui directly (the path to the binary).
Comment 15 Pacho Ramos gentoo-dev 2016-10-09 12:03:42 UTC 
2.3.1 doesn't use it