use sudoedit in Whonix documentation and Whonix software

sheep · July 1, 2019, 4:31am

There is the point regarding filename and location change, resulting in wrong syntax highlighting, as described in

Since the files are copied to temporary files, the filename and location, which are often identifying characteristics for filetype detection, are lost. So, where /etc/apache2/apache2.conf would load syntax highlighting suitable for Apache2 configuration files ( set ft returns filetype=apache ), /var/tmp/apache2XXcLFdTD.conf has filetype=conf .

I didn’t observe this issue with mousepad though.

micky · July 2, 2019, 5:06pm

You edit it, then shred it? I think you already have issues right there. Say you have a long file, and you remove part of it when you edit, and at some point in the future shred it. Which part gets shredded? if I understand correctly, only the data at the last version of the file.

Patrick · September 16, 2019, 1:25pm

This is now documented.

Hardcoding mousepad in https://github.com/Whonix/usability-misc/blob/master/usr/lib/default-editor/default_editor.sh is not great. But there is no /etc/alternatives/x-editor or visual.

Debian feature request: please provide /usr/bin/visual
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758228

Patrick · September 16, 2019, 1:29pm

Patrick · September 16, 2019, 1:29pm

github.com

Whonix/usability-misc/blob/master/usr/lib/default-editor/default_editor.sh

#!/bin/sh

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Sets mousepad as the default editor for environment variable VISUAL
## is unset and if mousepad is installed.

## Environment variable VISUAL will also be honored by sudoedit.

## https://forums.whonix.org/t/use-sudoedit-in-whonix-documentation/7599

## please provide /usr/bin/visual
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758228

if [ "$VISUAL" = "" ]; then
   if command -v mousepad 1>/dev/null 2>/dev/null  ; then
      VISUAL="mousepad"
      export VISUAL
   fi

This file has been truncated. show original

Patrick_mobile · September 22, 2019, 3:06am

https://itsfoss.com/gksu-replacement-ubuntu/ suggests to use gvfs. Example:

gedit admin:///etc/default/apport

https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618 saying

Debian has removed gksu. I recommend that we remove gksu and libgksu for Ubuntu 18.04 LTS also.

It is recommended that developers use PolicyKit to only use elevated privileges for the specific actions where it is needed.

It is recommended that users use the gvfs admin backend available in Ubuntu 17.10 and 18.04 LTS. You can do this with the admin:// prefix. For instance, instead of running gksu gedit or gksu nautilus to edit /etc/default/grub, navigate to admin:///etc/default/ and open the grub file.

Ubuntu 17.10’s default session (a themed GNOME on Wayland) does not support gksu. Ubuntu 18.04 switched back to using X instead of Wayland as default but it is expected that Wayland will once again be the default in 18.10.

policykit? gvfs?

Citation from more authoritative sources may be required to learn what the plan for Debian is.

That is because https://help.ubuntu.com/community/RootSudo contradicts it and says

gksu has been replaced by pkexec, but even pkexec is being deprecated by the mainline Ubuntu developers. They have taken the position that file manipulation and editing under root should be restricted to the command line.

Also citation required.

Patrick · October 8, 2019, 3:48am

Very much citation required since https://help.ubuntu.com/community/RootSudo also says:

March 14, 2019 PLEASE NOTE: This wiki article is being significanly rewritten as it contains a good deal of old, dated and possibly questionable material. Using caution and consulting with others on the Ubuntu Forums or Ask Ubuntu is highly recommended!

HulaHoop · November 3, 2019, 11:59pm

New bug I ran into: GUI editing of whonix firewall no longer opens/responds

Patrick · November 4, 2019, 6:18am

I.e. Try run this manually on command line:

/usr/lib/whonix-firewall/firewall50user

bash -x /usr/lib/whonix-firewall/firewall50user

sudoedit /etc/whonix_firewall.d/50_user.conf

ls -la /etc/whonix_firewall.d/50_user.conf

cat /etc/whonix_firewall.d/50_user.conf

env | grep -i VISUAL

expected output:

VISUAL=mousepad

The VISUAL environment variable influences whether sudoedit will work in GUI or not.

HulaHoop · November 4, 2019, 1:34pm

The first three commands open mousepad,

env | grep -i VISUAL

gives the expected out put but the link in the whisker menu doesn;t respond at all.

Patrick · November 4, 2019, 2:19pm

Do contents of https://github.com/Whonix/whonix-firewall/blob/master/usr/share/applications/whonix-firewall50user.desktop match contents of file /usr/share/applications/whonix-firewall50user.desktop?

Patrick · November 4, 2019, 2:21pm

Does /etc/whonix_firewall.d/50_user.conf exist as an empty file?

HulaHoop · November 4, 2019, 2:30pm

Yes to both questions

Patrick_mobile · November 18, 2019, 6:47pm

/usr/share/applications/whonix-firewall50user.desktop calls /usr/lib/whonix-firewall/firewall50user which calls sudoedit /etc/whonix_firewall.d/50_user.conf. The latter does not have a sudoers exception. And probably should not have one anyhow. Since started from start menu (GUI), sudoedit will not ask for password. And we’re not using -A / askpass option.

I don’t think anyone accept ssh-askpass is using sudo aspass option.

This would work:

sudo apt install ssh-askpass
export SUDO_ASKPASS=/usr/bin/ssh-askpass
sudoedit -A /etc/something

We could write a nicer zenity wrapper to ask for the password.

zenity --title "something" --password

zenity is too limited. Couldn’t show a custom message. And inventing this from scratch seems a lot work.

But probably this would be better:

lxsudo env VISUAL="$VISUAL" sudoedit /etc/whonix_firewall.d/50_user.conf

Has a more familiar, consistent GUI. Designed for purpose of password entry and showing the actual command.

Would it be a problem that sudoedit is run as root (through lxsudo)?

madaidan · November 18, 2019, 8:09pm

Yes. That runs mousepad as root which is what sudoedit is meant to prevent. When using lxsudo with sudoedit, mousepad warns that it is running as root. You can also see it running as root with ps aux.

You can use this hack instead

lxsudo sudo -u user env VISUAL="$VISUAL" sudoedit /etc/whonix_firewall.d/50_user.conf

Patrick · November 19, 2019, 2:52pm

Using that now but replaced hardcoded user with $(whoami).

Patrick_mobile · November 20, 2019, 11:00am

This is fixed in the developers repository.

Patrick · December 10, 2019, 3:25pm

github.com

Whonix/usability-misc/blob/master/usr/bin/gsudoedit

#!/bin/bash

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

set -e

env VISUAL="$VISUAL" sudoedit "$@"

github.com

Whonix/usability-misc/blob/master/man/gsudoedit.8.ronn

gsudoedit(8) -- graphical sudoedit
=============================================

<span class="comment">
# Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
# See the file COPYING for copying conditions.
</span>

## SYNOPSIS
`gsudoedit` filename

## Description
Similar to the sudoedit(8) utility but using a graphical editor.

Wrapper around sudoedit. Makes invocation of sudoedit easier. Less to type.

Requires environment variable `VISUAL` to be set to a graphical editor such as
`mousepad`.

Runs:

This file has been truncated. show original

TNT_BOM_BOM · April 17, 2021, 5:44am

Although sudoedit better than sudo, But its not safe from security issues (specially when the issue in sudo).

Patrick · January 17, 2022, 6:53pm

4 posts were split to a new topic: vitor - safely edit the Tor configuration file