Bug 107083 - The accessibility machinery needs the GTK_MODULES environment variable to be whitelisted by pkexec
Summary: The accessibility machinery needs the GTK_MODULES environment variable to be ...
Status: RESOLVED WONTFIX
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: daemon (show other bugs)
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
: medium normal
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-02 08:44 UTC by Lukáš Tyrychtr
Modified: 2018-07-02 16:16 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments

Description Lukáš Tyrychtr 2018-07-02 08:44:44 UTC 
When an application is started using pkexec and it is a GUI app (e. g. Gparted), under Gnome 3, Orca, the Linux screen reader, can read the window just fine, however under other desktop environments, it can not, because the GTK_MODULES environment variable is not in the variables whitelist.
Could it be added, or is there someone who knows how Gnome achieves not needing the env var or what sort of magic it does? Providing the whitelist alteration patch should not be hard, so if it'd help, i can do it as well.
Comment 1 Miloslav Trmac 2018-07-02 16:16:21 UTC 
Thanks for your report.

Looking at https://www.gtk.org/setuid.html , allowing GTK_MODULES through is absolutely unacceptable; it won’t be added to polkit, and please don’t add it to any local patches.

The standard recommendation is, as the page says, to split the application into a privileged backend and a non-privileged UI, and then perhaps use polkit to authenticate requests to the backend.

I don’t know whether there is any other way to support accessibility for GUI applications which were not designed for this and must run entirely as root.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.