Hyprland - Launch GUI App as Root

I’m experimenting with Hyprland, in addition to my default Gnome desktop. I am pretty new to Arch and Endeavour (and linux generally).

I’m trying to figure out why something happens: if I open gedit (or another gui app) with root privileges (“sudo gedit”) while logged in with Gnome, the terminal asks for my password and the app opens. If I do the same when logged into Hyperland, I get this message:

Authorization required, but no authorization protocol specified

(gedit:17652): Gtk-WARNING **: 12:14:02.268: cannot open display: :0

I have polkit installed, and GUI applications are able to elevate to ask for root privileges. E.g., if I open a /etc/foo.bar with Kate, and try to save it, Kate will ask for root privileges and when I enter my PW, it can save the file.

This isn’t a big issue - I know that I could use a command line editor or Kate, etc. I’m trying to understand the why of it.

Thanks in advance.

This is totally different than running an application as root. In this case, it is just using root to save the file, not escalating the entire application to run as root.

Running a GUI application as root is fundamentally unsafe unless it has been specifically designed to run that way.

It is likely because you have lost all the environment variables a wlroots-based environment needs to run.

It would probably work with sudo -E but I would still recommend against it.

This is totally different than running an application as root. In this case, it is just using root to save the file, not escalating the entire application to run as root.

This makes sense. Thank you for explaining the difference.

Running a GUI application as root is fundamentally unsafe unless it has been specifically designed to run that way.

So, this is not a configuration or installation on my part. Rather it is expected and intentional behavior?

Try sudo -E <application name>

Hyprland comes from sway/wayland.

Have a look here: https://wiki.archlinux.org/title/Running_GUI_applications_as_root

Also as for a text editor, mousepad for example works with pkexec:

pkexec mousepad

This is the right way to launch the application as root this -E or --preserve-env works.

No - running ‘as root’ or ‘using sudo’ on some GUI application, unless specifically designed for it, is always the wrong way.

Didn’t know about sudo -E but it does indeed work. Just knew about pkexec but I actually just use that to elevate scripts, since generally if an application ever needs root access it’ll request it on it’s own anyways.

This is 100% right too btw, you should not run things as root unless they only work when run as root.

But a text editor like gedit? That’s pretty much fine, gedit unlike kate needs to be elevated at launch and simple text editors are fine to elevate like that when needed.

I usually just use nano to edit root-only files. (e.g. sudo nano /file) since it’s a CLI editor and doesn’t need a GUI. Which can be good to know how to operate if you’re ever caught in a situation where X11 or Wayland fails you so bad that you have to work from a tty.

And gedit is designed for it I’m pretty sure…Running gedit with sudo is a relatively common thing to do, but Kate’s way is way better.

I disagree with this statement 100% Wireshark for example requires root privileges to function as designed. Just because the root env was not configured by hyprland to support this does not mean it is wrong. Preserving the environment to run applications with elevated privileges to function as designed is 100% the correct thing to do. So you are implying that I should never run a gui application with sudo privileges even if it is needed to function as intended by the developer. Making core kernel functionalities available without elevated privileges is a security risk to your operating system. If this is solely referring to things like gedit where the polkit agent is used to run an operation with elevated privileges than I’d agree. One should not run gui applications with elevated privileges frivolously.

It’s possible to add a polkit policy for gedit and use pkexec gedit.

I dont think you fully grasp how these things work.

You really are not supposed to launch GUI applications ‘as root’/‘with sudo’.

This is nothing new.

Like .. do 5 minutes of search time and find out all about it.

To wireshark specifically .. once again - you are simply demonstrating that you are doing it wrong.

Once again the wrong way though.
A proper polkit-aware editor will not need to be launched itself with special privileges.
See for example: kate.
Otherwise see sudoedit which will not actually launch the editor as/with root .. but rather use sudo to move temporary files after the editor is closed.
This is also covered in the archwiki as linked already.

The Archwiki also says:

running GUI applications with elevated privileges could be properly implemented by creating a Polkit policy

### Using pkexec


You can launch GUI an application with:

$ pkexec env WAYLAND_DISPLAY="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" XDG_RUNTIME_DIR=/run/user/0 *program*

which preserves the environment variable WAYLAND_DISPLAY.

From polkit homepage:

polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes: It is a framework for centralizing the decision making process with respect to granting access to privileged operations for unprivileged applications.

Polkit is used for controlling system-wide privileges. It provides an organized way for non-privileged processes to communicate with privileged ones. In contrast to systems such as sudo, it does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.

So what are, in your opinion, the downside of creating a proper polkit policy for launching gedit specifically?

That comes from that ‘as root’ page with the preface that already quoted - that is all examples shown have drawbacks even if they can technically be used.

pkexec , like sudo, is a command to “Execute a command as another user” .. which isnt what you should normally need to do with a text editor that is properly polkit-aware.

Instead some action (like saving a file to some root directory) would be the more correct kind of polkit policy.

Which would again not require the application itself to be launched with sudo, pkexec, or any other weird long string.

See also this reference:

Yes. I am aware of that.

With the fundamental difference that, a proper polkit policy, in contrast to sudo :

does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.

I am trying to wrap my head around the whole subject.

If I am not totally wrong, when you run, for example, pkexec gedit with a proper Polkit policy, only the necessary privileges for editing files are granted, reducing the risk of unintended system-wide changes or exploits.

With a policy, properly implemented, you could define what actions require what level of permission, effectively defining what system functions need authorization and under what conditions.

Perhaps writing a proper polkit policy wont automatically convert, for example gedit, to a “properly polkit aware”, as you call it, text editor but it seems to me that it is much lesser of an evil than running it with sudo as it was suggested further up.

More, an application like Gparted, ships by default a polkit action policy. It uses pkexec to gain escalated privilege. To my knowledge, it is considered to be a pretty safe GUI app to be run with elevated permissions.

Now if you can “replicate” the kind of policy as for Gparted, adapting it to gedit, my question is still is, what would be the downsides of running gedit with an action policy which effectively put constraints on which processes needs elevated permissions and grant it only to those?

That has nothing to do with the polkit or it’s policy. It has to do with the actions the application takes while it is running. In the context being discussed here, there isn’t all that much difference either way using sudo vs polkit to run the application as root.

So when it comes to gedit specifically, it won’t make any difference to run the whole GUI as root (with sudo) or running it with a polkit policy (with pkexec) that defines which actions need the elevated permissions and grant it only to those actions?

Maybe I am not understanding well the whole subject but that’s why I am asking.

polkit isn’t like firejail or a sandbox. It doesn’t provide arbitrary limitations to an application.

micro is a cool text editor as it will ask you for sudo password whilst saving if required