5

Could someone tell me how to get a single prompt via pkexec when I have to run two commands with authentication? My simple sample script:

pkexec virsh net-start default;
pkexec "/home/user/program";

I'm new to the Linux environment. Thanks :)

Hamlet
  • 53
  • do you really need to use pkexec, or could you use instead sudo which I know has a window on authentication or can be configured to allow NOPASSWD for certain commands – thrig Feb 04 '18 at 19:38
  • @thrig I tried using sudo without any effect. I changed the file's owner to root with chown and it doesn't work. Could you show an example that uses sudo twice in one script? – Hamlet Feb 04 '18 at 20:41
  • I added to /etc/sudoers (sudo nano /etc/sudoers): %sudo ALL = (root) NOPASSWD: /home/Ham/.config/folder/start.sh Next I ran my .desktop app (it has Exec=/home/Ham/.config/folder/start.sh) and it didn't work. When I run the command /home/Ham/.config/folder/start.sh from my terminal, it works. I don't understand what I'm doing wrong. – Hamlet Feb 04 '18 at 21:03
  • what exactly is in start.sh and what exactly needs to be run as root? – thrig Feb 04 '18 at 21:05
  • In start.sh there is: 1st command: virsh, which allows me to set the network for the guest (for root). 2nd command: run an app like gnome-boxes (for root, the same as above). Why do I need to run both commands as root? I have to run them as root because then I can mount a USB device. A simple user can't do that. For example: "sudo virsh net-star =/= virsh net start" <- these are different network spaces – Hamlet Feb 04 '18 at 21:17
  • running a root program connecting to your user X11 might be a little bit tricky, though there's probably other questions about that on this site – thrig Feb 04 '18 at 21:25
  • that's why I thought the best way is to use polkit (gui with root privileges) – Hamlet Feb 04 '18 at 21:31
  • Untested; can you run both commands under one shell? pkexec sh -c "virsh... ; /home/user/program" – Jeff Schaller Feb 04 '18 at 23:39
  • @JeffSchaller Yes, I can do it. The problem is the window opening twice where I must enter the root password. – Hamlet Feb 05 '18 at 00:33

3 Answers

4

You can simply run any two or multiple commands with one prompt using sh -c so in your case you can write

pkexec sh -c 'virsh net-start default && /home/user/program'

Source

This method worked for me in command line and desktop files, let me know if it works in scripts

  • Is there a way to run the second command regardless of whether the first one was successful? – mapto Sep 27 '21 at 07:59
  • @mapto I think sudo -- sh -c 'command1; command2' might do it as in the source page it is implied that while using && it will check first command and proceed to next if first was successful. However it could be an equivalent syntax. I'm not sure. – Luny Cipres Sep 30 '21 at 06:04
1

Old answer: Could you take pkexec out of the script? Try creating another script where you paste your code (without pkexec) and execute it via pkexec from your script.

your script:

#!/bin/bash
pkexec ./new_script

new script:

#!/bin/bash
# your command(s)

Edit.: New Answer

After your conversation with @Thrig, I think I understand what you are trying to do. You want to run both programs with root permissions while authenticating only once. These two programs are "virsh" and "gnome-boxes". My previous solution (above) is OK, but not in this case. You wrote to @Thrig that you are considering using "sudo". Why not use "pkexec" and "sudo" together? With "/etc/sudoers" filled in properly, you will not need to authenticate when you use the "sudo" command in the script. I took the liberty of improving your idea. I hope you like it. I will describe everything step by step.

1. Create three scripts:

a) main.sh - set up the connection, destroy the connection, run gnome-boxes. everything as root

b) net.sh - execute the order

c) die.sh - execute the order

a)

#!/bin/bash
sudo /home/ham/..your..path../net.sh && pkexec /usr/bin/gnome-boxes;
sudo /home/ham/..your..path../die.sh;
exit

why that? description of operators

b)

#!/bin/bash
virsh net-start default

c)

#!/bin/bash
virsh net-destroy default

2. Edit the "sudoers" file to make the script: b) c) run with root privileges:

$ sudo nano /etc/sudoers

%sudo ALL=(root) NOPASSWD: /home/..your..path../net.sh
%sudo ALL=(root) NOPASSWD: /home/..your..path../die.sh 

3. Change the owner of the scripts b) c) to root:

$ sudo chown root:root /home/ham/..your..path../net.sh /home/ham/..your..path../die.sh
$ sudo chmod 700 /home/ham/..your..path../net.sh /home/ham/..your..path../die.sh

4. Create a rule in polkit for gnome-boxes. The answer: "how to do it?" is here: simple_polkit_rule

5. Edit files:

  • org.gnome.Boxes.service

    Exec=/home/..your..path../start.sh

  • org.gnome.Boxes.desktop

    Exec=/home/..your..path../start.sh

6. Now run the gnome-boxes application by clicking on its shortcut icon. Finished. On my own initiative I added automatically turning off the connection when you close the gnome-boxes application.

Zic
  • 26
  • Damn it :) Thank you very much for the solution. Everything with details described and Works! Nice idea. You saved my time. – Hamlet Feb 05 '18 at 00:38
  • No problem x) It's good to hear that. – Zic Feb 05 '18 at 01:17
  • I would recommend not allowing these sudo-able scripts to be writable by the user and not putting them in a directory owned by or writable by the user. If your local user account is compromised, it provides an easy pathway to a root compromise if the scripts can be edited/replaced. The scripts should be owned by root, with 755 perms, and in a directory owned by root (e.g. /usr/local/bin, also mode 755). – cas Feb 05 '18 at 03:48
  • @cas Even if I give 700 permission? What is the importance of the location when the script can be edited only by root <- only because of 700? – Hamlet Feb 06 '18 at 15:07
  • 700 would be OK too. location is important because if the user has write access to the directory, they can replace the script. – cas Feb 06 '18 at 23:47
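
The check cas describes in the comments above, as an added shell example that is not part of any answer: it walks from the script named in a sudoers NOPASSWD rule up to `/` and flags every path component that is not owned by root or is group/other-writable. The function name `check_sudo_target`, its optional arguments and the file name `check.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the answers above): audit a script that a
# sudoers NOPASSWD rule points at, along the lines of the comment by cas.
#
# check_sudo_target FILE [TRUSTED_UID] [TOP_DIR]
#   TRUSTED_UID  uid allowed to own FILE and its directories besides root
#                (assumption: defaults to 0, so only root is accepted)
#   TOP_DIR      directory where the upward walk stops (assumption: /)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# Assumes GNU coreutils (stat -c, readlink -f), as on a typical Linux box.

check_sudo_target() (
    trusted=${2:-0}
    top=$(readlink -f "${3:-/}") || return 1
    path=$(readlink -f "$1") || { echo "cannot resolve: $1"; return 1; }
    [ -f "$path" ] || { echo "not a regular file: $path"; return 1; }
    bad=0
    while :; do
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        # Whoever owns a file can chmod and rewrite it; whoever owns a
        # directory can rename or replace what is inside it.
        if [ "$owner" != 0 ] && [ "$owner" != "$trusted" ]; then
            echo "owned by uid $owner: $path"
            bad=1
        fi
        # Octal 022 = write bit for group and for others.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other-writable (mode $mode): $path"
            bad=1
        fi
        if [ "$path" = "$top" ] || [ "$path" = / ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return "$bad"
)

# Run as a script (hypothetical file name): ./check.sh /usr/local/bin/net.sh
if [ "$#" -gt 0 ]; then
    check_sudo_target "$@"
fi
```

With the defaults, a script kept under /home/ham/ is reported because the home directory is owned by the user, which is the replacement path cas points out.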
1

Many have had similar issues with wanting to run a GUI with su privileges. More recently I have looked into the lingering open terminal window. After searching, this is what worked for me.

  • my usage is invoking GUI with SU from the term and/or a shell script from ~/bin using aliases.

GUI privilege escalation with "su" or "sudo" is not recommended and should never be done without knowledge of the risks of what you're doing.


  • pkexec can be obtained by the following:

    sudo apt install policykit-1
    

  • Edit the bottom of this file so that it looks like this:

    sudo nano /usr/share/polkit-1/actions/org.freedesktop.policykit.policy
    
  • yours should look like this:

    <action id="org.freedesktop.policykit.lockdown">
      <description>Configure lock down for an action</description>
      <message>Authentication is required to configure lock down policy</message>
      <defaults>
        <allow_any>auth_admin</allow_any>
        <allow_inactive>auth_admin</allow_inactive>
        <allow_active>auth_admin</allow_active>
      </defaults>
      <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pklalockdown</annotate>
    </action>
    

  • After that try:

    pkexec gedit 
    

Adding a custom bin path to the terminal: the standard is to store a user's shell programs in

   /home/$USER/bin

or

   ~/bin

*These are the same location: the first is the full path, the second is shorthand for

    /home/$USER/bin
  • To add your user /bin to your $USER $PATH simply

    mkdir /home/$USER/bin
    
  • terminal will now recognise your shell scripts or programs located in

    ~/bin
    

Example:

    $ /path/to/file.sh

Becomes:

    $ file.sh

ADD this to .bashrc

export PATH=$PATH:$HOME/bin

Where "$HOME/bin" is the directory I assume you want to add. This change is only temporary (it works only in the current session of the shell); to make it permanent, add the previous line to your .bashrc file located in your home directory.

  • I prefer this method of privilege escalation for GUI apps because I can just use pkexec in a shell script to run multiple programs and have the option to save credentials temporarily.

  • you then can try and add an alias to ~/.bash_aliases:

    echo 'alias gedit="pkexec gedit"' >> ~/.bash_aliases 
    

/PKEXEC /SU /GUI /GKsu /POLKIT /policykit-1