RSS - Posts
Is GNOME Do launching Synaptic without admin rights?
Posted by BostonPeng on 10 September 2008
Last week I took some updates that left me unable to use GNOME Do to launch Synaptic. After a bit of hunting I eventually posted a question on the GNOME Do Google Group asking about it.
Igor asked me if I run KDE, but before I could see the query I saw a post from Alex Launi that included a link to Bug #242992 – Do 0.5 open synaptic in non root mode. It turns out I’m definitely not the only one experiencing the issue. A Launchpad member with the amusing nick of Darwin Award Winner identified the cause of the problem and posted a workaround until the bug can be resolved properly.
I think I found the problem:
$ locate synaptic | grep desk
…
/usr/share/applications/synaptic-kde.desktop
/usr/share/applications/synaptic.desktop
…$ cat /usr/share/applications/synaptic-kde.desktop
Name=Synaptic Package Manager
…
Exec=synaptic
…
X-KDE-SubstituteUID=true
…synaptic-kde.desktop has the same “Name” field as the regular synaptic.desktop, so I guess it clobbers it in the serach results. KDE has a different “su” mechanism that doesn’t involve the Exec field, so any non-KDE-aware application that simply reads the “Exec” line will not know to run the program as root.
Here’s the basis for a cheap workaround: whichever of the two desktop entries sorts lexicographically higher takes precedence. As it is, a dash sorts higher than a period, so synaptic-kde.desktop beats synaptic.desktop. Simply change the dash to an underscore, and synaptic.desktop beats synaptic_kde.desktop, and balance and order will be restored to the universe (at least until the next update of the synaptic package clobbers the change).
$ mv /usr/share/applications/synaptic-kde.desktop /usr/share/applications/synaptic_kde.desktop
I suppose the real fix would be to support the “X-KDE-SubstituteUID” field, though I’m not sure how to do that.
I tried looking for the appropriate file in Nautilus, but I wasn’t sure I could handle the renaming with 100% certainty in Nautilus (I’m still working on my first cup of coffee) so I definitely recommend doing it from the command line.
There’s a question as to why we’d even have a /usr/share/applications/synaptic-kde.desktop in the first place if we’re running a primarily GNOME box, but I don’t have an answer for that. The good news is that you can simply delete /usr/share/applications/synaptic-kde.desktop if you’re running a primarily GNOME system. Darwin Award Winner also suggests a way to make it permanent on Debian-based systems.
I should note, if you want to make my workaround permanent (i.e. survive package updates) on a Debian-based system (e.g. Ubuntu), try this command, which should tell the package manager to divert the file to its new location:
sudo dpkg-divert –divert /usr/share/applications/synaptic_kde.desktop –local /usr/share/applications/synaptic-kde.desktop
I haven’t tried that yet but if you were to run it you wouldn’t have to worry about an update overriding your using the first workaround. Kudos to Alex Launi and Darwin Award Winner for helping me resolve the issue. I owe both of them a beer.
This entry was posted on 10 September 2008 at 8:39 am and is filed under GNU/Linux, Open Source, Ubuntu. Tagged: admin, bug, GNOME Do, permissions, Synaptic, workaround. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.
Mackenzie said
This is bad advice. Making it SUID means sudo is not used. Any user, even ones who are not supposed to have access to root-powers, can run Synaptic as root. If someone gets in as your user, they can do it without your password. Very bad for security.
Peng said
I wasn’t aware of that, Mackenzie. On shared computers, if the second option (the permanent method) doesn’t ask for the admin password to run Synaptic then it does lower security, although for users like myself and my sister, and countless others, it’s less of an issue since only one person uses the computer.
If the permanent method doesn’t ask for an admin password then we need to get a bug filed against it because it does jeopardize system security. But again, on a single-user computer it’s not that big of a deal. One of the biggest annoyances for a single-user box is that we can get asked for our password so often, like for logging in and then again for letting Evolution ask for our password to let it access the keyring as well as to access a wireless network, even if we use the less secure autologin option.
Of course if we’re running a GNOME-based system, with perhaps a KDE app or two, we shouldn’t even have to deal with /usr/share/applications/synaptic-kde.desktop. That’s a bug that I’m looking forward to seeing fixed.