use sudoedit in Whonix documentation and Whonix software

Patrick · September 16, 2019, 1:29pm

https://github.com/Whonix/usability-misc/blob/master/usr/lib/default-editor/default_editor.sh

Patrick_mobile · September 22, 2019, 3:06am

gksu Removed From Ubuntu, Here's What You Can Use Instead suggests to use gvfs. Example:

gedit admin:///etc/default/apport

Bug #1740618 “Remove gksu from Ubuntu” : Bugs : umit package : Ubuntu saying

Debian has removed gksu. I recommend that we remove gksu and libgksu for Ubuntu 18.04 LTS also.

It is recommended that developers use PolicyKit to only use elevated privileges for the specific actions where it is needed.

It is recommended that users use the gvfs admin backend available in Ubuntu 17.10 and 18.04 LTS. You can do this with the admin:// prefix. For instance, instead of running gksu gedit or gksu nautilus to edit /etc/default/grub, navigate to admin:///etc/default/ and open the grub file.

Ubuntu 17.10’s default session (a themed GNOME on Wayland) does not support gksu. Ubuntu 18.04 switched back to using X instead of Wayland as default but it is expected that Wayland will once again be the default in 18.10.

policykit? gvfs?

Citation from more authoritative sources may be required to learn what the plan for Debian is.

That is because RootSudo - Community Help Wiki contradicts it and says

gksu has been replaced by pkexec, but even pkexec is being deprecated by the mainline Ubuntu developers. They have taken the position that file manipulation and editing under root should be restricted to the command line.

Also citation required.

Patrick · October 8, 2019, 3:48am

Very much citation required since RootSudo - Community Help Wiki also says:

March 14, 2019 PLEASE NOTE: This wiki article is being significanly rewritten as it contains a good deal of old, dated and possibly questionable material. Using caution and consulting with others on the Ubuntu Forums or Ask Ubuntu is highly recommended!

HulaHoop · November 3, 2019, 11:59pm

New bug I ran into: GUI editing of whonix firewall no longer opens/responds

Patrick · November 4, 2019, 6:18am

I.e. Try run this manually on command line:

/usr/lib/whonix-firewall/firewall50user

bash -x /usr/lib/whonix-firewall/firewall50user

sudoedit /etc/whonix_firewall.d/50_user.conf

ls -la /etc/whonix_firewall.d/50_user.conf

cat /etc/whonix_firewall.d/50_user.conf

env | grep -i VISUAL

expected output:

VISUAL=mousepad

The VISUAL environment variable influences whether sudoedit will work in GUI or not.

HulaHoop · November 4, 2019, 1:34pm

The first three commands open mousepad,

env | grep -i VISUAL

gives the expected out put but the link in the whisker menu doesn;t respond at all.

Patrick · November 4, 2019, 2:19pm

Do contents of whonix-firewall/whonix-firewall50user.desktop at master · Whonix/whonix-firewall · GitHub match contents of file /usr/share/applications/whonix-firewall50user.desktop?

Patrick · November 4, 2019, 2:21pm

Does /etc/whonix_firewall.d/50_user.conf exist as an empty file?

HulaHoop · November 4, 2019, 2:30pm

Yes to both questions

Patrick_mobile · November 18, 2019, 6:47pm

/usr/share/applications/whonix-firewall50user.desktop calls /usr/lib/whonix-firewall/firewall50user which calls sudoedit /etc/whonix_firewall.d/50_user.conf. The latter does not have a sudoers exception. And probably should not have one anyhow. Since started from start menu (GUI), sudoedit will not ask for password. And we’re not using -A / askpass option.

I don’t think anyone accept ssh-askpass is using sudo aspass option.

This would work:

sudo apt install ssh-askpass
export SUDO_ASKPASS=/usr/bin/ssh-askpass
sudoedit -A /etc/something

We could write a nicer zenity wrapper to ask for the password.

zenity --title "something" --password

zenity is too limited. Couldn’t show a custom message. And inventing this from scratch seems a lot work.

But probably this would be better:

lxsudo env VISUAL="$VISUAL" sudoedit /etc/whonix_firewall.d/50_user.conf

Has a more familiar, consistent GUI. Designed for purpose of password entry and showing the actual command.

Would it be a problem that sudoedit is run as root (through lxsudo)?

madaidan · November 18, 2019, 8:09pm

Yes. That runs mousepad as root which is what sudoedit is meant to prevent. When using lxsudo with sudoedit, mousepad warns that it is running as root. You can also see it running as root with ps aux.

You can use this hack instead

lxsudo sudo -u user env VISUAL="$VISUAL" sudoedit /etc/whonix_firewall.d/50_user.conf

Patrick · November 19, 2019, 2:52pm

Using that now but replaced hardcoded user with $(whoami).

Patrick_mobile · November 20, 2019, 11:00am

This is fixed in the developers repository.

Patrick · December 10, 2019, 3:25pm

github.com

Kicksecure/usability-misc/blob/master/usr/bin/gsudoedit

#!/bin/bash

## Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -e

env VISUAL="$VISUAL" sudoedit "$@"

github.com

Kicksecure/usability-misc/blob/master/man/gsudoedit.8.ronn

gsudoedit(8) -- graphical sudoedit
=============================================

<!--
# Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
# See the file COPYING for copying conditions.
-->

## SYNOPSIS
`gsudoedit` filename

## Description
Similar to the sudoedit(8) utility but using a graphical editor.

Wrapper around sudoedit. Makes invocation of sudoedit easier. Less to type.

Requires environment variable `VISUAL` to be set to a graphical editor such as
`mousepad`.

Runs:

This file has been truncated. show original

nurmagoz · April 17, 2021, 5:44am

Although sudoedit better than sudo, But its not safe from security issues (specially when the issue in sudo).

Patrick · January 17, 2022, 6:53pm

4 posts were split to a new topic: vitor - safely edit the Tor configuration file

Patrick · January 17, 2022, 7:03pm

Patrick · October 11, 2023, 10:57am

I am struggling making gsudoedit compatible with wayland.

Patrick · October 11, 2023, 11:06am

github.com/lxqt/lxqt-sudo

SUDO_ASKPASS functionality

opened 11:03AM - 11 Oct 23 UTC

adrelanos

##### Expected Behavior Functional `SUDO_ASKPASS` functionality. ##### Cur…rent Behavior Broken `SUDO_ASKPASS` functionality. ##### Possible Solution ##### Steps to Reproduce (for bugs) `VISUAL=mousepad SUDO_ASKPASS=/usr/bin/lxqt-sudo sudoedit --askpass /etc/a` ##### Context > What are you trying to accomplish? Editing files in /`etc` folder with a graphical text editor. This requires write permissions in that folder. Some sort of root rights will be required. With X11, `sudoedit` was suitable for this task. `sudoedit` copies the file to a temporary location, edits it as a normal user and then overwrites the original using `sudo`. This way is much more secure as it does not run the editor as root. If `lxqt-sudo` supported being used as `SUDO_ASKPASS` tool, then any text editor could still be used to edit files in `/etc` with root rights even under Wayland. Even editors that do not support `gvfs`. (Example: `gedit admin:///etc/ld.so.preload`) Running any editor as root is insecure. In native Wayland it is no longer possible to run editors with root rights. (Excluding xwayland.)

Patrick · October 11, 2023, 11:25am

Looking for a graphical SUDO_ASKPASS tool that doesn’t contain unneccessary confusing messages related to SSH, which is also compatible with native Wayland.

GitHub - lxqt/lxqt-openssh-askpass: GUI to query passwords on behalf of SSH agents. might be an alternative. Available form packages.debian.org.

issue:

Always showing

Enter your SSH passphrase for request:

possibly non-issue:

github.com/lxqt/lxqt-openssh-askpass

Use Wayland, not X11/XWayland

opened 09:10AM - 24 Oct 22 UTC

txtsd

##### Expected Behavior Unlike `x11-ssh-askpass`, `lxqt-openssh-askpass` sh…ould display using wayland. ##### Current Behavior Despite being a Qt application, it needs X11/XWayland to display. ![2022-10-24-13:49:33:43:754541215-424x128_grim](https://user-images.githubusercontent.com/768728/197482420-5262131a-215e-498c-a988-9fb30ae95075.png) ![2022-10-24-13:48:26:43:409000531-436x169_grim](https://user-images.githubusercontent.com/768728/197482352-483f665d-9e46-49a0-a1d7-855f93e10655.png) ##### Possible Solution ¯\\\_(ツ)\_/¯ ##### Steps to Reproduce (for bugs) 1. Use a Wayland DE like Sway 2. Set `SSH_ASKPASS=lxqt-openssh-askpass` and restart `ssh-agent` 3. Trigger an askpass situation and notice that the dialog opens with XWayland 4. One could use `xeyes` to verify it ##### Context I'm trying to use a pure Wayland environment, but there are some leftover programs that require XWayland to function. ##### System Information * Distribution & Version: Archlinux * Kernel: 6.0.2.zen1-1 * Qt Version: 5.15.6+kde+r180-2 / 6.4.0-2 * liblxqt Version: 1.1.0-3 * lxqt-build-tools Version: N/A * Package version: 1.1.0-1