Ubuntu 20.04 gksu replacement

After upgrading Ubuntu to 20.04, I could not run GUIs as root and gksu is gone. This is how I fixed that.

TL;DR If you don’t need/want the background, I have packaged a script that implements my solution. Click here 🙂

The gksu command was removed with Ubuntu 17.10 (https://bugs.launchpad.net/ubuntu/+source/umit/+bug/1740618), which caused much angst to many people. There were a few reasons to be upset about this.

  • There didn’t seem to be a reason for its removal. The only explanation seemed to be “because of Wayland”.
  • There was no obvious replacement. While there were several suggested replacements (including mine https://paulshipley.id.au/blog/coding-tips/ubuntu-18-04-is-missing-gksu/), these either did not cover all (or even many) of the use cases, or didn’t even work at all.
  • A lot of people were ‘unhelpful’. When the question is “how do I run <gui tool> as root?”, an answer of “use the command line tools, you noob” is not appropriate.

After a lot of research, I believe I have a better understanding of the issues, and a solution.

<rant>

This has been one of my most frustrating investigations. Not only was there a dearth of information, many of the posts quickly descended into ‘flame wars’ of epic proportions. There are a few points:

  • There were lots of posts along the lines of “this will fix it” which often didn’t work at all. In the poster’s defense, these may have worked at some point but have been superseded. The frustration was seeing the same non-solution many times (often more than ten times) without finding one that worked.
  • The ‘hate’ on Wayland was intense, often by people that had no idea what it is or what it is trying to achieve. A lot of the blame for this would have to lie with the people responsible for communicating this to the user base as I could not find any official announcements as to why or how Wayland was being implemented.
  • The ‘flame wars’, especially from the CLI aficionados, but also the Wayland ‘haters’. Many of these people had no idea what they were talking about; none of the ‘hate’ was useful. If you can’t say anything useful, just STFU.

</rant>

So what are some of the issues and their solutions

Background

Bug 1266771 – Under Wayland apps run via su or sudo are not authorised to connect to the X11 display server

https://bugzilla.redhat.com/show_bug.cgi?id=1266771

Bug report – Unable to launch pkexec’ed applications on Wayland session

https://bugs.launchpad.net/ubuntu/+source/backintime/+bug/1713313

Running GUI applications as root

https://wiki.archlinux.org/index.php/Running_GUI_applications_as_root

What is Wayland?

Wayland is a display protocol replacing X11 on Ubuntu. This has a number of features (https://wiki.ubuntu.com/Wayland), including security. One of the things not supported is running GUI applications with elevated permissions (eg: gksu, sudo, …)

Cannot sudo

Trying to run GUI applications (such as the thunar file manager) as root generates errors.

paul@PC02:~$ sudo thunar /
[sudo] password for paul: 
thunar: Failed to initialize Xfconf: Error spawning command line ?dbus-launch --autolaunch=36ffe4ecaa8c4406af465a4abdd74450 --binary-syntax --close-stderr?: Child  process exited with code 1

No protocol specified
Unable to init server: Could not connect: Connection refused

(thunar:95868): Gtk-WARNING **: 15:29:01.474: cannot open display: :1.0
paul@PC02:~$ 

The solution is to use the xhost command.

https://wiki.archlinux.org/index.php/Running_GUI_applications_as_root

xhost +si:localuser:root

The sudo command now works as expected

To make this permanent, create (or copy into) ~/.bash_aliases

xhost +si:localuser:root > /dev/null 2>&1

Cannot pkexec thunar /

The pkexec command is one of the recommended replacements for gksu, unfortunately ‘out of the box’ it doesn’t always work. One of my issues was that I am running many of my Linux machines ‘headless’ which means that my session is considered ‘remote’ and by default many of the security policies are restricted.

paul@PC02:~$ pkexec thunar /
Error executing command as another user: Not authorized

This incident has been reported.
paul@PC02:~$

https://askubuntu.com/questions/1032687/polkit-pkla-rule-is-not-working-on-18-04

This can be seen by running the nmcli command.

nmcli general permissions

The solution is to create /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla

[Allow all without authentication for members of sudo group even for ssh sessions]
Identity=unix-group:sudo
Action=*
ResultAny=yes

Run the nmcli command again to see the change. The pkexec command should now work as expected.

Create Launcher for pkexec thunar /

Create ~/.local/share/applications/menulibre-thunar-as-root.desktop

[Desktop Entry]
Version=1.1
Type=Application
Name=Thunar as Root
Comment=Open currrent directory as root 
Icon=folder-saved-search
Exec=pkexec /usr/bin/thunar /
Actions=
Categories=System;
StartupNotify=true

Copy to Desktop

cp ~/.local/share/applications/menulibre-thunar-as-root.desktop ~/Desktop

Cannot pkexec gedit

Even after fixing the other issues, some applications would not work, in particular gedit.

paul@PC02:~$ pkexec gedit
Unable to init server: Could not connect: Connection refused

(gedit:103016): Gtk-WARNING **: 16:08:00.967: cannot open display: 
paul@PC02:~$

This was due to a missing security policy. Bizarrely I found the solution in a post about installing Firefox. A similar solution may be required for other applications.

https://askubuntu.com/questions/1214907/how-to-install-firefox-developer-edition

Create new file /usr/share/polkit-1/actions/org.freedesktop.policykit.gedit.policy

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
    <action id="org.freedesktop.policykit.pkexec.gedit">
    <description>Run gedit program</description>
    <message>Authentication is required to run the gedit</message>
    <icon_name>accessories-text-editor</icon_name>
    <defaults>
        <allow_any>auth_admin</allow_any>
        <allow_inactive>auth_admin</allow_inactive>
        <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
</policyconfig>

The pkexec gedit command should now work as expected.

Script

Create the following script as enable_pkexec.sh

#!/bin/sh
# Enable gksu like behaviour under Wayland using pkexec and sudo

# Enable the ability to do 'sudo thunar /' and 'sudo gedit'
echo Enable xhost
cat <<EOF > ~/.bash_aliases
xhost +si:localuser:root > /dev/null 2>&1
EOF

# Enable polkit for 'pkexec thunar /' and 'pkexec gedit'
echo Enable polkit for sudoers
cat <<EOF | sudo tee /etc/polkit-1/localauthority/50-local.d/allow-all-for-group-sudo-polkit105.pkla
[Allow all without authentication for members of sudo group even for ssh sessions]
Identity=unix-group:sudo
Action=*
ResultAny=yes
EOF

echo Enable polkit for thunar
cat <<EOF | sudo tee /usr/share/polkit-1/actions/org.freedesktop.policykit.gedit.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
    <action id="org.freedesktop.policykit.pkexec.gedit">
    <description>Run gedit program</description>
    <message>Authentication is required to run the gedit</message>
    <icon_name>accessories-text-editor</icon_name>
    <defaults>
        <allow_any>auth_admin</allow_any>
        <allow_inactive>auth_admin</allow_inactive>
        <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
</policyconfig>
EOF

# Create a desktop Launcher for 'pkexec thunar /'
echo Create desktop Launcher
mkdir -p ~/.local/share/applications
cat <<EOF > ~/.local/share/applications/menulibre-thunar-as-root.desktop
[Desktop Entry]
Version=1.1
Type=Application
Name=Thunar as Root
Comment=Open currrent directory as root 
Icon=applications-other
Exec=pkexec /usr/bin/thunar /
Actions=
Categories=System;
StartupNotify=true
EOF

cp ~/.local/share/applications/menulibre-thunar-as-root.desktop ~/Desktop

echo done

Run the enable_pkexec.sh script.

chmod +x ./enable_pkexec.sh
./enable_pkexec.sh

These changes should take immediate effect, but you should reboot to be sure that they ‘stick’.

8,791 views

Need help? Let me take care of your IT issues.

Share this page

Scroll to Top