Bug 107083

Summary: The accessibility machinery needs the GTK_MODULES environment variable to be whitelisted by pkexec
Product: PolicyKit Reporter: Lukáš Tyrychtr <lukastyrychtr>
Component: daemonAssignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED WONTFIX QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Lukáš Tyrychtr 2018-07-02 08:44:44 UTC 
When an application is started using pkexec and it is a GUI app (e. g. Gparted), under Gnome 3, Orca, the Linux screen reader, can read the window just fine, however under other desktop environments, it can not, because the GTK_MODULES environment variable is not in the variables whitelist.
Could it be added, or is there someone who knows how Gnome achieves not needing the env var or what sort of magic it does? Providing the whitelist alteration patch should not be hard, so if it'd help, i can do it as well.
Comment 1 Miloslav Trmac 2018-07-02 16:16:21 UTC 
Thanks for your report.

Looking at https://www.gtk.org/setuid.html , allowing GTK_MODULES through is absolutely unacceptable; it won’t be added to polkit, and please don’t add it to any local patches.

The standard recommendation is, as the page says, to split the application into a privileged backend and a non-privileged UI, and then perhaps use polkit to authenticate requests to the backend.

I don’t know whether there is any other way to support accessibility for GUI applications which were not designed for this and must run entirely as root.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.