7

I just heard that it isn't recommended to use sudo -i on GUI programs - because it's less secure.

Is there any truth here - is there an advantage to this:

sudo -i gedit /random/file.name

over

pkexec gedit /random/file.name

I used to use gksudo, but that's been phased out, so now I use sudo -i to prevent root owning files in my home area. But should I really be using pkexec?

Here is a reason:

The environment that PROGRAM will run [in], will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec.

Community
  • 1
Tim
  • 33,500

1 Answers1

-1

I think the security concern you are referring to comes from the fact that if you use sudo, with or without the -i, you have an active permission to run sudo commands, for 5 minutes. If you were to do sudo vim /file.txt then leave, your computer unattended the sudo session would still be active. someone could come along and type sudo rm /file.txt or worse.

pkexec will prompt you for a password every-time, which would seem a little more secure.

I think Elementary OS is intended for schools, where the physical environment shouldn’t be considered secure. Students may well show up at your desk moments after you leave. Comparatively, in my Business office, where only 3 folks have the key, and my computer is moderately secure in the physical sense, I'm less concerned with untrusted individuals running in and using my PC unsupervised. If I run sudo command, then leave, I'm assuming no one will come in and give malicious sudo commands.

I make no claim to be a security expert, but I think that is what the elementary OS folks are thinking.

j0h
  • 15,365