Editing system files: best practice

[Head_on_a_Stick]

There are several ways to edit system files (ie, all files not under /home) in MX Linux but such edits require elevated privileges because the files are not owned by the normal user.

The principle of least privilege is an important paradigm of computer security and it demands that the least amount of code as possible is run as root so as to minimise the inherent risk.

Accordingly, the best method is to use the sudoedit command, for example:

Code: Select all

sudoedit /etc/hostname

Using this command in MX Linux will open a (temporary) copy of the target file as the normal user with the nano command line text editor.

Once the file is modified and saved then it is copied back to the original location so only the copy command is run as root.

However, some users are not comfortable with command line text editors such as nano (although it is fairly easy to use) and would much prefer to employ a graphical text editor instead.

Although lots of guides will suggest using the gksu command to open a graphical text editor as root it should be noted that this program ceased development back in 2014 and has been abandoned upstream and dropped by Debian for the upcoming buster release:

https://bugs.debian.org/cgi-bin/bugrepo ... bug=892768

The reason why gksu is considered insecure is because text editors under its aegis will run their entire codebase with elevated privileges, in direct contravention of the principle of least privilege.

An alternative to gksu is available though

First install the gedit text editor:

Code: Select all

sudo apt install gedit

Then use the Open button and enter the admin:// prefix before the name of the system file to be edited, for example:

Code: Select all

admin:///etc/hostname

This will then present a polkit authentication window to enter the root password so that the file can be edited without running the entire graphical interface under elevated privileges.

[fehlix]

First install the gedit text editor:

Code: Select all

sudo apt install gedit

Then use the Open button and enter the admin:// prefix before the name of the system file to be edited, for example:

Code: Select all

admin:///etc/hostname

This will then present a polkit authentication window to enter the root password so that the file can be edited without running the entire graphical interface under elevated privileges.

Nice. OTOH, have you tested this proposal on MX Linux?
After having opened now admin:///etc/hostname and closed gedit just w/o writing,
when I now open geany as normal user and press Ctlr+O ( File Open from the menu),
the polkit-password pop's up, even without having selected any file - not intending to open as root anyway as I started it as normal user.I agree the idea is good, I guess something ( history or recent files ?) still need to be fixed so it will work in MX Linux properly and not injecting issues into other editor.

[Head_on_a_Stick]

have you tested this proposal on MX Linux?

I tested it in the MX live image (under QEMU) before posting.

After having opened now admin:///etc/hostname and closed gedit just w/o writing,
when I now open geany as normal user and press Ctlr+O ( File Open from the menu),
the polkit-password pop's up, even without having selected any file - not intending to open as root anyway as I started it as normal user.

OK, I will look into that, thanks for reporting the issue.

[Head_on_a_Stick]

I can reproduce your issue but if the file is selected from geany then it is not actually opened by the editor at all and it is not possible to edit the file from geany.

Not sure why the polkit window in showing up though, more digging is called for...

[sunrat]

Another best practice is to make a backup copy before editing.

Code: Select all

#cp systemfile systemfile.bak
#nano systemfile

[Head_on_a_Stick]

^ Great point sunrat!

No need to type the file name out twice though:

Code: Select all

cp systemfile{,.bak}

I guess something ( history or recent files ?) still need to be fixed so it will work in MX Linux properly and not injecting issues into other editor.

The problem is caused by ~/.local/share/recently-used.xbel, it keeps a bookmark from gedit with the admin:// href and geany calls it up again when the file open dialogue is used.

To stop it happening delete ~/.local/share/recently-used.xbel and create a file at ~/.config/gtk-3.0/settings.ini with this content:

Code: Select all

[Settings]
gtk-recent-files-max-age=0
gtk-recent-files-limit=0

This will prevent the creation of an edit history for GTK3 programs.

[fehlix]

I guess something ( history or recent files ?) still need to be fixed so it will work in MX Linux properly and not injecting issues into other editor.

The problem is caused by ~/.local/share/recently-used.xbel, it keeps a bookmark from gedit with the admin:// href and geany calls it up again when the file open dialogue is used.

To stop it happening delete ~/.local/share/recently-used.xbel and create a file at ~/.config/gtk-3.0/settings.ini with this content:

Code: Select all

[Settings]
gtk-recent-files-max-age=0
gtk-recent-files-limit=0

This will prevent the creation of an edit history for GTK3 programs.

We might have user, who like to have a list of recent open files. What shall we tell those user?
Also when I open gedit, as normal user: not only when opening geany: polkit now asks always for a root password,
just because I had opend once the root-edit-session.
Seems to me rather a gedit issue with this magic "admin://" URI., so to say a upstream bug
But again, the idea is in the right direction, to open from within the editor a privileged editor session

[Head_on_a_Stick]

We might have user, who like to have a list of recent open files. What shall we tell those user?

OK, we could create an executable wrapper script at /usr/local/bin/gedit with this content:

Code: Select all

#!/bin/sh
XDG_CONFIG_HOME="${HOME}/.config_gedit" /usr/bin/gedit "${@}"

Then

Code: Select all

cp -r ~/.config{,_gedit}

And create ~/.config_gedit/gtk-3.0/settings.ini with the gtk-recent-files* settings listed there.

I've just tested this and it causes gedit to not save a file history but geany still does.

Also when I open gedit, as normal user: not only when opening geany: polkit now asks always for a root password,
just because I had opend once the root-edit-session.
Seems to me rather a gedit issue with this magic "admin://" URI., so to say a upstream bug

That is fixed in Ubuntu 17.10, apparently:

https://ubuntuforums.org/showthread.php?t=2377380

Hopefully they have fed the fix back upstream, I'll check the live version of Debian buster's GNOME desktop later if I have time.

[fehlix]

Code: Select all

#!/bin/sh
XDG_CONFIG_HOME="${HOME}/.config_gedit" /usr/bin/gedit "${@}"

That's a nice idea ;=)

[towwire]

There is one other change you will need to do.

Some of us used the file manger (Thunder) and find the the file we want to edit, like 'fstab' and we right click and edit as root which opens it in 'FeatherPad'.

As to backup file before edit I just copy it first to a Mytemp folder that I made in my home and have it there just in case. As far as 'fstab' goes I have a 'fstab', 'fstab.backup' and a 'fstab-disk-manager-save'.

So if you use the

Code: Select all

cp systemfile{,.bak}

will it just overwrite one already there or will there be a warning? Just something to think about.