Xfce Forum


#1 2025-03-30 13:49:45

trinidad
Member
From: Chicago
Registered: 2024-05-20
Posts: 8

Configuring an /etc/sudoers.d/wayland

I have an /etc/sudoers.d/wayland file and it works nicely for synaptic, gparted etc. What I would prefer is that it only is accessed for specific applications. Where would I need to create a file to limit which applications could use it? Thanks in advance for suggestions.

TC


#2 2025-04-01 19:22:59

ajgringo619
Member
Registered: 2024-06-09
Posts: 6

Re: Configuring an /etc/sudoers.d/wayland

What does your /etc/sudoers.d/wayland contain? You don't need a separate file for this.


#3 2025-04-02 15:08:39

trinidad
Member
From: Chicago
Registered: 2024-05-20
Posts: 8

Re: Configuring an /etc/sudoers.d/wayland

It sets the environment for sudo without needing sudo options. Passes on Wayland environment variables to sudoers. Allows GUI applications to run with root.
Contains the following:

Defaults env_keep += "XDG_RUNTIME_DIR"
Defaults env_keep += "WAYLAND_DISPLAY"

To set it up run the following:

echo 'Defaults   env_keep += "XDG_RUNTIME_DIR"
Defaults   env_keep += "WAYLAND_DISPLAY"' | sudo tee /etc/sudoers.d/wayland

Works very well even for synaptic, gnome-disks and GParted.
I'd like to be able to restrict which applications have access.

TC

Last edited by trinidad (2025-04-02 15:10:46)
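
For the question as asked (keeping the Wayland variables only for specific applications run through sudo), sudoers accepts command-scoped defaults of the form Defaults!/path/to/command. The script below is an added example, not code from any poster in this thread: it writes such entries in place of the global ones and checks them with visudo before installing. The function names are hypothetical, and the two paths in the usage comment are simply the ones mentioned in the thread.

```bash
#!/bin/bash
# Added example: scope the Wayland env_keep settings to named commands
# instead of applying them to every command run through sudo.

# Print a sudoers fragment that keeps the two Wayland variables only for the
# absolute command paths given as arguments. Returns 1 on a rejected path.
wayland_dropin() {
    local cmd
    [ "$#" -gt 0 ] || return 1
    for cmd in "$@"; do
        # sudoers matches commands by absolute path.
        case "$cmd" in
            /*) ;;
            *) echo "not an absolute path: $cmd" >&2; return 1 ;;
        esac
        # Reject characters that have special meaning in sudoers
        # (spaces, commas, wildcards, quotes, colons, backslashes, ...).
        case "$cmd" in
            *[!A-Za-z0-9/._+-]*) echo "unsafe character in: $cmd" >&2; return 1 ;;
        esac
        printf 'Defaults!%s env_keep += "XDG_RUNTIME_DIR WAYLAND_DISPLAY"\n' "$cmd"
    done
}

# Build the fragment in a temporary file, syntax-check it with visudo, and
# only then install it, so a typo cannot leave sudo unusable.
install_wayland_dropin() {
    local tmp rc
    tmp="$(mktemp)" || return 1
    wayland_dropin "$@" > "$tmp" &&
        visudo -cf "$tmp" &&
        sudo install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/wayland
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (paths as named in this thread; adjust to your system):
#   install_wayland_dropin /usr/sbin/synaptic /usr/sbin/gparted
```

Installing this overwrites the existing /etc/sudoers.d/wayland, so the global Defaults env_keep lines no longer apply to other commands.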


#4 2025-04-02 16:27:20

k3dAR
Member
From: Czech Republic
Registered: 2022-07-27
Posts: 110

Re: Configuring an /etc/sudoers.d/wayland

synaptic, gparted, and maybe all (maintained) gui apps, use pkexec via polkit, not sudo via sudoers...

On Wayland, you only need:

xhost +si:localuser:root

The GParted pkexec wrapper (/usr/sbin/gparted) does this automatically: "+SI" before the real gparted binary (/usr/libexec/gpartedbin) runs and "-SI" after it exits.

But synaptic-pkexec only runs "pkexec ...../synaptic ...", so for synaptic you must run xhost +si:localuser:root manually, or add a local wrapper. I wrote /usr/local/bin/synaptic-pkexec:
(it also sets the same GTK theme as I have as a normal user)

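#!/bin/bash

echo "Running local Synaptic wrapper: ${0}"

# Read the current Xfce GTK theme so the root window matches the user session
xfce_theme="$(xfconf-query -c xsettings -p /Net/ThemeName)"

# Grant or revoke X server access for the local root user
xhost_root(){
    if [[ ${1} = "enable" ]]; then
        # Add the entry only if it is missing, and remember that we added it
        xhost | grep -q localuser:root || {
            xhost +si:localuser:root
            xhost_root_set="yes"
        }
    elif [[ ${1} = "disable" && ${xhost_root_set} ]]; then
        # Revoke only an entry that this wrapper added
        xhost -si:localuser:root
    fi
}

xhost_root enable
# Quote each assignment so values containing spaces are passed as one argument
pkexec env "DISPLAY=${DISPLAY}" "XAUTHORITY=${XAUTHORITY}" GTK_CSD=1 "GTK_THEME=${xfce_theme}" "/usr/sbin/synaptic" "$@"
xhost_root disable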

And finally... about not asking for a password, but only for a specific app, create: /etc/polkit-1/localauthority/50-local.d/nopwd-synaptic.pkla

[Install package file]
Identity=unix-group:sudo
Action=com.ubuntu.pkexec.synaptic
ResultActive=yes

You can see the action name in the GUI password dialog when you run the specific app, under ">Details", and you can copy it with the right mouse button ;-)
