Caution running GUI programs like gedit with sudo

[TheFu]

Last weekend, I was helping someone very new to Linux troubleshoot an issue.
He had just loaded Ubuntu and followed a guide somewhere that had him run

Code:

sudo gedit

to modify some file in /etc. The file didn't matter.

Since this was one of the first commands he ever ran, it created the ~/.gnome or ~/.gnome2 directory - AS ROOT. sudo cmd doesn't alter the environment to be safe, so $HOME was left to the userid, not /root/. Seems at least 1 gnome-based program will crash if it can't save settings into those directories, firefox. I suspect there are many others. I haven't looked at the gnome-settings code to know if the problem with crashing is there or in the application's implementation.

Since it was a new installation, we wiped all the prior settings - ~/.[a-z]* - that fixed it.

Sadly, this sort of advice is all over the internet, so only a strong education campaign to stop will work. As much as it pains me to say, could we please be consistent and suggest using nano for all system-level file edits?

Code:

sudo nano

won't break things and it works on desktops and servers. I purge nano from my installs - sudo vim works great, but vim is highly selective about which users it is friendly towards, so sudo nano is less evil.

Or is there a better option?
sudo -i gedit will work on desktops, since it loads the settings for root, but it will fail on servers without X/Windows.

[Elfy]

Since the demise of gksu(do) in default installs, there should be pkexec profiles, so pkexec gedit.

But I tend to when I can sudo nano too, if nothing else people get the opportunity to use it BEFORE they've got to use it in recovery mode.

[slickymaster]

Since the demise of gksu(do) in default installs, there should be pkexec profiles, so pkexec gedit.

But I tend to when I can sudo nano too, if nothing else people get the opportunity to use it BEFORE they've got to use it in recovery mode.

+1

[Lars Noodén]

Actually visudo is even safer. It makes a copy of the file first and then runs the editor as the unprivileged user. It will run nano if so decided. A further advantage of vi or nano is that the edits can be done remotely.

I'm sad though to hear about pkexec over sudo. 2016 and then with finality 2019 will soon be here. It was good while it lasted.

EDIT: Ugh. I should read what I type. I meant to write sudoedit instead of visduo. I don't multitask.

[TheFu]

https://help.ubuntu.com/community/gedit is not clear where they say

To edit system files such as sources.list and fstab, open it with administrative privileges. Note graphical applications use gksudo rather than sudo.

This is not emphasized and the note is not strongly worded enough to make it clear what the risks are if sudo gedit is used to edit system files.

I would change some of these documents, but can't figure out how in 5 minutes or less.

https://help.gnome.org/users/gedit/s...s-root.html.en - ouch - they aren't helping!
http://www.unixmen.com/how-to-change...erick-meerkat/ - a reputable site gets this wrong.

Most new-to-Unix users are confused by sudo already and will miss the subtle difference between gksudo vs sudo. I see this all the time at local LUGs.

[tgalati4]

You have pointed out an important issue. Gedit provides a graphical environment for those who think the command line is too scary or that entering commands in a DOS-like window is too retro, but it can lead to problems.

I usually give command line advice because I have no idea what environment is being run. Often new users don't give enough information in the first post anyway, so I try to find out more using command line tools like dmesg, free, or catting log files to see what is going on. I don't use gedit because I run MATE and that has been replaced with pluma, so not every system has gedit installed.

Nano is installed as the default Raspbian text editor and a lot of new folks are getting exposed to GNU/Linux so nano is a good recommendation.

[rrnbtter]

Greetgings,
sudo -H

[ajgreeny]

It seems to be safe to use sudo with a suffix such as sudo -H or sudo -i rather than just sudo to open GUI applications, but it is possible to use pkexec already, with an alias as I have made, and use when I remember, to do so. The alias needed is

Code:

alias pkx='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY'

but I accept that doing this is probably beyond the inexperienced user of Ubuntu.

Even more complicated is the possibility to make new pkexec policy files specifically for applications that you might want to use with root permissions. Such files need the following content:-

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.thunar">
    <message gettext-domain="gparted">Authentication is required to run thunar</message>
    <icon_name>thunar</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/thunar</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

and in Xubuntu are put added to /usr/share/polkit-1/actions/ with names in form of com.ubuntu.pkexec.thunar.policy

I have the above file for thunar and another for mousepad (I just replaced the word thunar with mousepad) and both seem to work with no problems or faults. Again, probably not something for new users, but at least it proves it can be done.

[rrnbtter]

Greetings,
@ajgreeny +1, but
I just don't like the name pkexec (too Windows-ish). They should change the name to something Linux-ish!

[TheFu]

Ajgreeny - that doesn't seem like an intuitive answer for the issue.

The person I was helping found lots of "outdated" how-tos and decided to follow one of them. sudo won't be gone for many more years. We **can** do something about this today and it is simple.
sudo nano

Programs that behave differently - like magic - seem like a really bad idea to me.

OTOH, I've used gksudo maybe 2 times in my life. Sorta don't see the point.