Gnome shell privilege escalation

Question

I'm building a Gnome shell extension, and I want to be able to do some things with escalated privileges. So, I'm thinking I need to use "policy kit", but I don't know how to do go about doing this.

So, say I wanted to do something like ifconfig eth0 down or ifconfig eth0 up

I can run from the terminal: pkexec ifconfig eth0 down and it will prompt for a password and then do it.

But, how am I supposed to do it from inside an extension?

I'm pretty sure it has something to do with making a file in /usr/share/polkit-1/actions, but I can't find anything on the internet or otherwise.

I want to be able to set it up so that there is no need for a password to be typed in, and the extension can just run the certain command whenever.

I know that it is a really bad idea to allow any command to be run. That is not what I am asking for, I want to be able to just run a single program/command.

EDIT: I'm not sure, but I think it might be impossible for there to be no need to type in a password. I just know that sudo doesn't ask for the password for a while after the first time, so I kind of want similar functionality. Not sure what possible.

Answer 1

It's a long time since I didn't work with PolicyKit, but from what I remember, you have indeed to create a file in the actions/ directory, with contents like :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="org.freedesktop.policykit.pkexec.run-ifconfig">
    <description>Configure network</description>
    <message>Authentication is required to set ifconfig parameters</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>...</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/sbin/ifconfig</annotate>
  </action>

</policyconfig>

You have to change the value in :

<allow_active>...</allow_active>

To the value you want. Selecting a value of :

• "no" will deny access
• "yes" will implicitly permits access
• "auth_user" requires user authentication
• "auth_admin" requires admin authentication.
• "auth_user_keep" and "auth_admin_keep" function similarly but retain authentication for a few minutes afterward.
• Plus some other values, view here.

Changing the allow_active key's value to "yes" should stop the authentication demands.

Then you need to adapt the action file to your needs and to call it.

Hugo,

Answer 2

I was having much the same issue to try and implement a selector for tuned. Here is what I came up with.

As others answered, you may need to write a policy file (I used "auth_admin"). I placed it in "/usr/share/polkit-1/actions/tuned-adm.policy." I don't think I can distrib that through the extensions model, so I will have to ask upstream to include it.

Next, I used pkexec and my command to get the "sudo popup" and got it to work.

const GLib = imports.gi.GLib;
const Util = imports.misc.util;
this.pkexec_path = GLib.find_program_in_path('pkexec');
this.tunedadm_path = GLib.find_program_in_path('tuned-adm');
let result = Util.trySpawnCommandLine(this.pkexec_path + " " + this.tunedadm_path  + " list")

The real kicker here was I used a couple of other methods to run the command line and they would lock up gnome-shell. I found the code here: https://github.com/nodefourtytwo/gnome-shell-extension-cpu-freq/blob/master/extension.js to be particularly handy.