Search code examples
linuxgnome-3gnome-shellgnome-shell-extensions

Gnome shell privilege escalation

I'm building a Gnome shell extension, and I want to be able to do some things with escalated privileges. So, I'm thinking I need to use "policy kit", but I don't know how to do go about doing this.

So, say I wanted to do something like ifconfig eth0 down or ifconfig eth0 up

I can run from the terminal: pkexec ifconfig eth0 down and it will prompt for a password and then do it.

But, how am I supposed to do it from inside an extension?

I'm pretty sure it has something to do with making a file in /usr/share/polkit-1/actions, but I can't find anything on the internet or otherwise.

I want to be able to set it up so that there is no need for a password to be typed in, and the extension can just run the certain command whenever.

I know that it is a really bad idea to allow any command to be run. That is not what I am asking for, I want to be able to just run a single program/command.

EDIT: I'm not sure, but I think it might be impossible for there to be no need to type in a password. I just know that sudo doesn't ask for the password for a while after the first time, so I kind of want similar functionality. Not sure what possible.

Solution

  • It's a long time since I didn't work with PolicyKit, but from what I remember, you have indeed to create a file in the actions/ directory, with contents like :

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="org.freedesktop.policykit.pkexec.run-ifconfig">
    <description>Configure network</description>
    <message>Authentication is required to set ifconfig parameters</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>...</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/sbin/ifconfig</annotate>
  </action>

</policyconfig>

    You have to change the value in :

    <allow_active>...</allow_active>

    To the value you want. Selecting a value of :

    • "no" will deny access
    • "yes" will implicitly permits access
    • "auth_user" requires user authentication
    • "auth_admin" requires admin authentication.
    • "auth_user_keep" and "auth_admin_keep" function similarly but retain authentication for a few minutes afterward.
    • Plus some other values, view here.

    Changing the allow_active key's value to "yes" should stop the authentication demands.

    Then you need to adapt the action file to your needs and to call it.

    Hugo,