You are not logged in.

Pages: 1

Topic closed

#1 2011-10-04 12:44:39

nbvcxz
Member
From: Poland
Registered: 2007-12-29
Posts: 202

[solved] Using 'pkexec' command instead of 'gksu'

Most of modern linux DEs forces us to use policykit mechanism. In theory it should allow us to run aplications as another user - so there is no need to use gksu, ktssus or other - any polkit agent is ok (polkit-gnome or lxpolkit). Program pkexec works fine with console apps, but I still can't start any X program. Of course I know: 

The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec. As a result, pkexec will not allow you to run e.g. X11 applications as another user since the $DISPLAY environment variable is not set.

But can anybody explain how to make it working with X apps? Unfortunately still after authorization by polkit agent I receive:

Gtk-WARNING **: cannot open display:

- for GTK apps or

Failed to open display

I DO UNDERSTAND that $DISPLAY variable is not est for this session, but I don't know how to set it.

Last edited by nbvcxz (2011-10-05 07:14:10)

Lenovo G50 | LXQT-git | compton | conky

Offline

#2 2011-10-04 12:55:41

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: [solved] Using 'pkexec' command instead of 'gksu'

pkexec(1) wrote:

       The environment that PROGRAM will run it, will be set to a minimal known and
       safe environment in order to avoid injecting code through LD_LIBRARY_PATH or
       similar mechanisms. In addition the PKEXEC_UID environment variable is set to
       the user id of the process invoking pkexec. As a result, pkexec will not allow
       you to run X11 applications as another user since the $DISPLAY and $XAUTHORITY
       environment variables are not set. These two variables will be retained if the
       org.freedesktop.policykit.exec.allow_gui annotation on an action is set to a
       nonempty value; this is discouraged, though, and should only be used for legacy
       programs.

blog | ±github

Offline

#3 2011-10-04 17:32:00

jfb3
Member
Registered: 2011-08-20
Posts: 68

Re: [solved] Using 'pkexec' command instead of 'gksu'

I have, just today, run into this same problem.  I'm also looking for an "Openbox" way...

Offline

#4 2011-10-04 18:07:16

nbvcxz
Member
From: Poland
Registered: 2007-12-29
Posts: 202

Re: [solved] Using 'pkexec' command instead of 'gksu'

@falconindy - thx for quick response, but as I mentioned I know that $DISPLAY and $XAUTHORITY are not set when using 'standard' pkexec configuration. My question is - how to make it work: how to make these variables set properly. I don't know how to play with org.freedesktop.policykit.exec.allow_gui annotation (where it should be set) - so my ask is still open.

Lenovo G50 | LXQT-git | compton | conky

Offline

#5 2011-10-05 01:48:24

City-busz
Package Maintainer (PM)
From: Budapest, Hungary
Registered: 2010-12-27
Posts: 181
Website

Re: [solved] Using 'pkexec' command instead of 'gksu'

It can be done by adding custom actions to policykit. E.g. if you want to run gparted as root with 

$ pkexec gparted

command, then create a new file 

/usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy

with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="org.freedesktop.policykit.pkexec.run-gparted">
    <description>Run GParted</description>
    <message>Authentication is required to run GParted</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
  </action>

</policyconfig>

More actions can be added into the same file.

Last edited by City-busz (2011-10-05 02:15:39)

My website | profile | packages
Donate me via PayPal | Liberapay | Patreon

Offline

#6 2011-10-05 07:13:43

nbvcxz
Member
From: Poland
Registered: 2007-12-29
Posts: 202

Re: [solved] Using 'pkexec' command instead of 'gksu'

Thank you City-busz. This is exactly what I need. Tried with other programs and jut now policykit seems to be quite smart solution for desktop system. I mark the subject [solved], but there are one more thing I would like to know - this solution needs dealing with /usr/share/polkit-1/actions. Is there any other way eg. writing rules according with Arch standards in /etc/polkit-1?
Here is example of working authorizing agent for Wakka - everything working fine, no gksu or other needed.
20ibt4_th.jpg

Last edited by nbvcxz (2011-10-05 07:27:21)

Lenovo G50 | LXQT-git | compton | conky

Offline

#7 2011-10-05 07:26:55

City-busz
Package Maintainer (PM)
From: Budapest, Hungary
Registered: 2010-12-27
Posts: 181
Website

Re: [solved] Using 'pkexec' command instead of 'gksu'

It seems that there is no way to annotate in Local Authority (/etc/polkit-1/localauthority), so I think it's not possible (yet).

My website | profile | packages
Donate me via PayPal | Liberapay | Patreon

Offline

#8 2011-10-05 08:21:04

nbvcxz
Member
From: Poland
Registered: 2007-12-29
Posts: 202

Re: [solved] Using 'pkexec' command instead of 'gksu'

And one more little problem - it doesn't work directly with toolsched scripts from Con Kolivas

Last edited by nbvcxz (2011-10-05 08:22:56)

Lenovo G50 | LXQT-git | compton | conky

Offline

#9 2011-11-22 22:22:57

stqn
Member
Registered: 2010-03-19
Posts: 1,191
Website

Re: [solved] Using 'pkexec' command instead of 'gksu'

I just got this problem: I tried to run gparted from my xfce menu, which locked my X session; I couldn't do anything anymore besides move the mouse pointer around... Switching to tty1 I see that pkexec is asking me for the root password. I type it (and it appears in clear on the screen), but when I press return, nothing happens. Everything in X is still frozen, nothing is written to tty1. I log in as root in tty2, try to kill pkexec, gparted-pkexec, gparted, whatever... Nothing changes, still frozen, gparted-pkexec doesn't want to die (even with kill -9)... So I had to reboot, killing all the apps that were running at the time sad.

What I don't understand is, if pkexec doesn't let us run X applications, why is gksu deprecated, and why was gparted changed to use pkexec?

Last edited by stqn (2011-11-22 22:23:22)

Offline

#10 2011-11-22 22:37:25

City-busz
Package Maintainer (PM)
From: Budapest, Hungary
Registered: 2010-12-27
Posts: 181
Website

Re: [solved] Using 'pkexec' command instead of 'gksu'

You have to install a PolicyKit Authentication Agent GUI (e.g. polkit-gnome), and autostart it with your session.

My website | profile | packages
Donate me via PayPal | Liberapay | Patreon

Offline

#11 2011-12-29 20:17:33

stqn
Member
Registered: 2010-03-19
Posts: 1,191
Website

Re: [solved] Using 'pkexec' command instead of 'gksu'

City-busz wrote:

You have to install a PolicyKit Authentication Agent GUI (e.g. polkit-gnome), and autostart it with your session.

Thanks, that worked. With Xfce I didn't have to setup anything, it "autostarted itself" wink. And also despite its name, polkit-gnome doesn't depend on gnome stuff ("only" gtk3 which I had anyway).

(Sorry for the long delay in replying, I haven't tried earlier because I didn't want to risk crashing my system again...)

Offline

#12 2012-02-08 22:31:12

bresiyel
Member
Registered: 2012-02-08
Posts: 1

Re: [solved] Using 'pkexec' command instead of 'gksu'

I started using this, just because gksu decided that every time it runs, it wants to ask if I want my screen grabbed.... Instead of messing with that, I came up with a handy bash script for handling the addition of programs to your pkexec policy file.

Last edited by bresiyel (2012-02-09 04:30:33)

Offline

#13 2015-03-20 18:52:44

ElectricPrism
Member
Registered: 2012-12-07
Posts: 35

Re: [solved] Using 'pkexec' command instead of 'gksu'

bresiyel wrote:

I started using this, just because gksu decided that every time it runs, it wants to ask if I want my screen grabbed.... Instead of messing with that, I came up with a handy bash script for handling the addition of programs to your pkexec policy file.

Thanks for writing that script, I added it to my ~/Scripts

Step 1: Download http://pastebin.com/PbGTZ0jc to ~/Scripts

# Copy Example Policy Kit List to Policy Kit List
sudo cp /usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy

# I symlink Sublime's binary to my /usr/bin folder like so
sudo ln -s /opt/sublime_text_3/sublime_text /usr/bin/sublime

# Create Sublime Policy Kit
sudo sh ~/Scripts/create-policykit-app-launcher.sh sublime

# Execute Sublime as Root
pkexec sublime

Here's the script from pastebin with this info included

#!/bin/sh
# By: Bresiyel 1-28-2012
# Adds programs to polkit for gui view
# ~/Scripts/create-policykit-app-launcher.sh
# https://bbs.archlinux.org/viewtopic.php?pid=1054825#p1054825
# Copy Example Policy Kit List to Policy Kit List
# sudo cp /usr/share/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy
# I symlink Sublime's binary to my /usr/bin folder like so
# sudo ln -s /opt/sublime_text_3/sublime_text /usr/bin/sublime
# Create Sublime Policy Kit
# sudo sh ~/Scripts/create-policykit-app-launcher.sh sublime
# Execute Sublime as Root
# pkexec sublime
progAdd=$1
progLoc=$(echo `whereis "$progAdd" | awk '{print $2}'`)

verify(){
if [ "$progAdd" == "" ];
then
   echo "Program usage: poladd program"
   exit 1
fi
if [ "$progLoc" == "" ];
then
   echo "Did not find $progAdd"
   exit 1
elif [ `echo $progLoc | grep bin` == "" ];
then
   echo "Found location $progLoc, however this may not be valid..."
   echo "Exiting..."
   exit 1
fi
exists
return
}
exists(){
alreadyHere=$(cat /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy | grep "$progAdd")
if [ "$alreadyHere" != "" ];
then
   echo "This program is already configured."
   exit 1
fi
return
}
addProgram(){
if [ -e /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy ];
then
   sudo cp -f /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy ~/org.freedesktop.policykit.pkexec.policy.backup
   cat /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy | sed 's_</policyconfig>__' | sudo tee /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy
   echo "  <action id=\"org.freedesktop.policykit.pkexec."$progAdd"\">
    <description>Run "$progAdd"</description>
    <message>Authentication is required to run "$progAdd"</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key=\"org.freedesktop.policykit.exec.path\">"$progLoc"</annotate>
    <annotate key=\"org.freedesktop.policykit.exec.allow_gui\">true</annotate>
  </action>
  
</policyconfig>" | sudo tee -a /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy
fi
return
}

verify
addProgram
exit

Last edited by ElectricPrism (2015-03-20 19:06:25)

Offline

#14 2015-03-20 19:31:23

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [solved] Using 'pkexec' command instead of 'gksu'

Please don't necrobump old threads: https://wiki.archlinux.org/index.php/Fo … bumping.22

Your script probably belongs in the handy command line utilities thread...



Closing

Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

Pages: 1

Topic closed

Board footer

Powered by FluxBB