Gnome shell privilege escalation
30-05-2021
Question
I'm building a Gnome shell extension, and I want to be able to do some things with escalated privileges. So, I'm thinking I need to use "policy kit", but I don't know how to go about doing this.
So, say I wanted to do something like ifconfig eth0 down or ifconfig eth0 up. I can run from the terminal: pkexec ifconfig eth0 down, and it will prompt for a password and then do it.
But, how am I supposed to do it from inside an extension?
I'm pretty sure it has something to do with making a file in /usr/share/polkit-1/actions, but I can't find anything on the internet or otherwise.
I want to be able to set it up so that there is no need for a password to be typed in, and the extension can just run the certain command whenever.
I know that it is a really bad idea to allow any command to be run. That is not what I am asking for, I want to be able to just run a single program/command.
EDIT: I'm not sure, but I think it might be impossible for there to be no need to type in a password. I just know that sudo doesn't ask for the password for a while after the first time, so I kind of want similar functionality. Not sure what's possible.
Solution
It's been a long time since I worked with PolicyKit, but from what I remember, you do indeed have to create a file in the actions/ directory, with contents like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.freedesktop.policykit.pkexec.run-ifconfig">
    <description>Configure network</description>
    <message>Authentication is required to set ifconfig parameters</message>
    <defaults>
      <!-- allow_any: any session; allow_inactive: inactive local sessions;
           allow_active: the active local session (the usual desktop case) -->
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>...</allow_active>
    </defaults>
    <!-- pkexec applies this action only to this exact program path -->
    <annotate key="org.freedesktop.policykit.exec.path">/sbin/ifconfig</annotate>
  </action>
</policyconfig>
You have to change the value in <allow_active>...</allow_active> to the value you want. Selecting a value of:
- "no" will deny access
- "yes" will implicitly permit access
- "auth_user" requires user authentication
- "auth_admin" requires admin authentication.
- "auth_user_keep" and "auth_admin_keep" function similarly but retain authentication for a few minutes afterward.
- Plus some other values, view here.
Changing the allow_active key's value to "yes" should stop the authentication demands.
Then you need to adapt the action file to your needs and to call it.
Hugo,
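As an added example (not code from either answer), here is a small audit script that parses polkit .policy files like the one above and reports actions whose defaults let the pkexec'd program run as root without authentication, or with only the caller's own password. The policy text is a constructed sample based on the answer's file with allow_active set to "yes".

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's policy file with allow_active set to "yes"
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.freedesktop.policykit.pkexec.run-ifconfig">
    <description>Configure network</description>
    <message>Authentication is required to set ifconfig parameters</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/sbin/ifconfig</annotate>
  </action>
</policyconfig>
"""
# Same policy with the admin-password-with-timeout setting instead
SAFE_POLICY = SAMPLE_POLICY.replace("<allow_active>yes", "<allow_active>auth_admin_keep")

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
# polkit's actual value names: "auth_self*" prompts for the caller's own
# password, which is weaker than "auth_admin*" for a program pkexec runs as root
NO_AUTH = {"yes"}
SELF_AUTH = {"auth_self", "auth_self_keep"}


def audit_policy(xml_text):
    """Return (action_id, finding) pairs for defaults that skip or weaken auth."""
    findings = []
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        action_id = action.get("id", "<missing id>")
        exec_path = next((a.text for a in action.findall("annotate")
                          if a.get("key") == EXEC_PATH_KEY), None)
        # Only pkexec actions carry exec.path; other actions are checked by a daemon
        target = f"{exec_path} runs as root" if exec_path else "action is allowed"
        defaults = action.find("defaults")
        for tag in ("allow_any", "allow_inactive", "allow_active"):
            elem = defaults.find(tag) if defaults is not None else None
            value = (elem.text or "").strip() if elem is not None else "no"  # absent means "no"
            if value in NO_AUTH:
                findings.append((action_id, f"{tag}=yes: {target} with no authentication"))
            elif value in SELF_AUTH:
                findings.append((action_id, f"{tag}={value}: {target} after the caller's own password"))
    return findings


if __name__ == "__main__":
    for action_id, finding in audit_policy(SAMPLE_POLICY):
        print(action_id, "->", finding)
```

Run it over /usr/share/polkit-1/actions/*.policy to see which installed actions already grant passwordless root execution to the active session.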
OTHER TIPS
I was having much the same issue to try and implement a selector for tuned. Here is what I came up with.
As others answered, you may need to write a policy file (I used "auth_admin"). I placed it in "/usr/share/polkit-1/actions/tuned-adm.policy". I don't think I can distribute that through the extensions model, so I will have to ask upstream to include it.
Next, I used pkexec and my command to get the "sudo popup" and got it to work.
const GLib = imports.gi.GLib;
const Util = imports.misc.util;

// Resolve absolute paths: pkexec matches the program path it is given
// against the policy file's org.freedesktop.policykit.exec.path annotation
this.pkexec_path = GLib.find_program_in_path('pkexec');
this.tunedadm_path = GLib.find_program_in_path('tuned-adm');

// Spawn asynchronously so the shell's main loop is not blocked while polkit prompts
let result = Util.trySpawnCommandLine(this.pkexec_path + " " + this.tunedadm_path + " list");
The real kicker here was that I used a couple of other methods to run the command line and they would lock up gnome-shell. I found the code here: https://github.com/nodefourtytwo/gnome-shell-extension-cpu-freq/blob/master/extension.js to be particularly handy.