1mo ago

Weird root permission issue on Sway which is not present in i3

Hello fellow lemmings

I am a long-time i3 user and have decided to switch to Sway. I have encountered a weird error which has left me utterly bamboozled.

I am using Ubuntu 24.04 which has gone from 20.04 -> 22.04 -> 24.04. It has Ubuntu-Gnome, i3 and Sway currently installed.

The issue

The error that I'm facing is when I'm using Sway, I simply don't have sudo access.

This is what the error looks like

    
$ sudo visudo
[sudo] password for xavier666:
Sorry, user xavier666 is not allowed to execute '/usr/sbin/visudo' as root on <HOSTNAME>.

When I switch back to i3, my permissions are fine for the same user. I have not done any crazy modifications to the sudoer's file as far as I can remember.

PS: I have added a command to no-sudo xavier666 ALL = NOPASSWD: /usr/bin/brightnessctl

The "fix"

I temporarily solved it by adding xavier666 ALL=(ALL:ALL) ALL to the sudoer's file.

IMO, I think this should not be required. I don't remember ever adding the default user to the file for all the installations that I have done. (But this is the first time I've installed Sway)

Logs/Outputs

Running sudo -l without the fix (on Sway)

    
Matching Defaults entries for xavier666 on <HOSTNAME>:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User xavier666 may run the following commands on <HOSTNAME>:
    (root) NOPASSWD: /usr/bin/brightnessctl

When I run the same command on i3, i get this (ALL : ALL) ALL extra line in the output. And when I run sudo -l with my fix on Sway, (ALL : ALL) ALL is present and the permission issue is fixed.

What is causing Sway to remove the root permission for the user?

Note: I'm just asking for the standard sudo behaviour. I'm not trying to run GUI applications as root.

Edit:

The issue was caused by swhkd. It was installed as a setuid binary (as instructed by the developer of the project). Once I switched back to sway's default keybinds and disabled swhkd, the permissions were back to normal. I removed my previous "fix" in the sudoers list and I still have sudo access.

Thanks a lot everyone and specially @gnuhaut@lemmy.ml for pointing me in the right direction.

40 comments

This likely has nothing to do with sway but with the way the sway session is started, as opposed to the i3 session.
We need more info on this.
Isn't i3 Xorg only, and sway wayland only? That would mean the whole graphical server has also changed.
- but with the way the sway session is started, as opposed to the i3 session. We need more info on this.
  I'm using gdm to start sway. I'm using the laptop's built-in fingerprint scanner to unlock (Not sure if it matters). I saved the fingerprint in the Gnome session long back.
  gdm probably looks inside /usr/share/wayland-sessions and finds sway.desktop and uses it to launch Sway.
  I've tried to keep things as vanilla as possible.
  Isn’t i3 Xorg only, and sway wayland only?
  Correct.
  Maybe wayland is launched using restrictive set of permissions.
  
  One big difference is that sway doesn't run as a login process (and neither does gdm), meaning none of your .profile files are getting sourced. Check how your environment variables differ between i3 and sway and see if that might be the issue.
  
  Does the same issue also happen if you launch sway from the tty and not from gdm ?
  I've never used gdm but it probably allow you to open a tty with Ctrl+Alt+F3, then log in and type sway.
  
  gdm probably looks inside /usr/share/wayland-sessions and finds sway.desktop and uses it to launch Sway.
  And how did you use to start i3?
  
  You're going to have to look at how that process works on Ubuntu and how it differes from Xorg session start.
  gdm probably looks inside /usr/share/wayland-sessions and finds sway.desktop and uses it to launch Sway.
  FWIW, these are all text files. Look at them.
  Sorry, I have to go now. More tonight, if you want.

From my experience a user account needs to be in the "wheel" group to elevate privileges through sudo. So try that.
- Or in the sudo group. It differs.

Hmm let's try to isolate the bug to know if it's sway or gdm messing up:
Try to disable gdm: sudo systemctl disable gdm.service
Logout/restart. You should be at the TTY, enter username and password to login. Then simply type sway
Now, test your sudo commands within this sway session. Do you still get the same bug?
- Great suggestion. I tried this method just now.
  Unfortunately, I'm still getting the same bug.
  The main difference between the two sessions is the output of the groups command
  In pure tty
  
  $ groups xavier666 adm cdrom sudo dip plugdev lpadmin lxd sambashare
  The moment I enter into sway from inside the tty
  
  $ groups xavier666 root
- I found something interesting, thanks to my friend
  I removed the fix mentioned above. Now user does not have sudo access inside sway
  I ran the command exec su - xavier666. It asked for my user password and the command was accepted.
  My groups output looks normal (xavier666 is now part of sudo) and my permissions are fine
  However, the problem reappears after a reboot
  It is as if this user is an imposter with incorrect privileges 📮
  
  It is as if this user is an imposter with incorrect privileges
  No, this rather points to sway/wayland.
  Once again:
  you will need to figure out how wayland sessions in general start up on your system
  file /usr/bin/sway if that command says it's some sort of text/scii/script, open it in an editor and see what it does. It might give you first clues.

Can you compare groups output under both sessions?
Specifically, if you don't show membership of sudo in your Sway session, try this
loginctl enable-linger lazarus
- Inisde i3 WITHOUT FIX
  
  $ groups xavier666 adm cdrom sudo dip plugdev lpadmin lxd sambashare $ groups xavier666 xavier666 : xavier666 adm cdrom sudo dip plugdev lpadmin lxd sambashare
  Inside sway WITH/WITHOUT FIX
  
  $ groups xavier666 root $ groups xavier666 xavier666 : xavier666 adm cdrom sudo dip plugdev lpadmin lxd sambashare
  PS: I corrected the username, it should be xavier666. I corrected the main post.
  
  $ groups
  xavier666 root
  Sorry what? As what user are you executing all these 'groups' commands? Unless Ubuntu does things significantly differently from Arch and Debian, there's something very fishy going on here. The "normal" user should not be in the root group, and root should not be in the normal user's group.
  Have you done other things beside the "fix" you mentioned?
  That "fix" from your op, btw, looks totally valid to me.
  
  Try enable-linger. As I understand it, the issue is related to the way Sway handles Wayland sockets, and enable-linger kicks things off before Sway is involved.

Can you provide output of which sway, sway --version, file $(which sway) and ls -l $(which sway)?
Also, can you run id, after logging in w/o gdm on the console, and then again after starting sway?
The fact that your group membership changes even when starting sway from a tty, as mentioned in some other comment, is super weird. I believe newer versions of sway should not mess with this.
AFAIK some versions ago, sway used to be (or at least could be) a setuid root binary (something something needed root privileges for some reason to do with h/w access), but no longer. Back then it looks like it did mess with group membership etc.
I have this hunch, that maybe your binary has the setgid bit set for some reason (due to, perhaps, an oversight made by the packager, because in the old package that was needed).
- $ which sway /usr/bin/sway $ sway --version sway version 1.9 $ file $(which sway) /usr/bin/sway: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=70fe358f7e410f618ad8a9ce0e573ed6826b2e75, for GNU/Linux 3.2.0, stripped $ ls -l $(which sway) -rwxr-xr-x 1 root root 600352 Apr 1 2024 /usr/bin/sway
  id pre and post login
  
  uid=1000(xavier666) gid=1000(xavier666) groups=1000(xavier666),0(root) --------------- uid=1000(xavier666) gid=1000(xavier666) groups=1000(xavier666),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare)
  A funny thing; I think this has nothing to do with gdm. I have gdm disabled now and launching sway directly from the terminal and the issue still persists.
  The problem goes away (xavier666 becomes part of sudo like expected) when I type exec su - xavier666 for that terminal session only. If I open a new terminal, it problem reappears. I'll just in case check if zsh/omyzsh is doing something funny.
  
  Yeah so this does not confirm my hunch, and I don't think sway is changing your group membership. Version 1.9 does not allow sway to be installed setuid root, and it isn't, as confirmed by the ls output.
  So it must be something else. It could be anything between the login shell in the console and the shell started with the messed up groups. What's weird is that in order to change group membership, you would need root permissions (technically you only need CAP_SETGID, but why would you have that?). I think there are really only two ways to do that: Run a binary that has the setuid bit (like e.g. sudo) or CAP_SETGID, or talk to some process (e.g. a daemon like systemd) that is already running as root, and ask it to do that for you.
  I cannot imagine why anything between the login shell -> sway -> ??? -> zsh would be either setuid root, or have any reason or permission to change groups in any way. So that's really weird and interesting.
  How do you open the shell inside sway? Keyboard binding from sway config? Launcher? Which terminal? Do any of the involved programs have setuid root bit set (looks like rws instead of x in ls -l output)?
  About zsh: I mean I guess in theory one could change groups in the zsh configuration if you had the permissions (which you shouldn't have), but I cannot think of any reasonable explanation why anybody would want do that.

40 comments