Ubuntu – How to configure pkexec to not ask for password

passwordpkexecprivilegessudo

I have a GUI application that needs to call a daemon (written in Python) with superuser privileges. I would like to do this without prompting the user for a password.

Since the daemon is a script, I can't set the SUID bit directly. I could write a C wrapper for this, but I'd rather not reinvent the wheel, especially when a mistake on my part could lead to the system's security being severely compromised.

What I'd normally do in this situation is to add a line in /etc/sudoers that allows users to execute the daemon as root without a password, using the NOPASSWD directive. This works fine from the command line. However, when I do this from the GUI, a pkexec dialog pops up asking for the user's password. It seems that on Ubuntu, calls to sudo from the GUI are somehow being intercepted by pkexec.

Is there a clean way around this? I'd really rather not have to deal with the hassles of a setuid script.

Best Answer

It's improper to say that: "It seems that on Ubuntu, calls to sudo from the GUI are somehow being intercepted by pkexec". pkexec doesn't have much in common with sudo. In contrast with sudo, pkexec does not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.

Now, if you want to run a GUI application without being asked by a password by pkexec, this is not difficult to be done. Let's take for example GParted. When you open it, you will see the following dialog window asking you by a password:

gparted authenticate

Click Details and the dialog window will look now like:

gparted authenticate - details

From here all you have to do is to open /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy file using for example the following command:

gksu gedit /usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policy

and change the following lines:

      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>

with the followings:

      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>

Save the file and close it. Next, when you will open GParted you will not be asked for a password anymore.

How to configure `pkexec` to avoid getting errors when run GUI applications?

I found two possible ways:

As you can see, using the following:

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit

will not get you any error. And this is normal because man pkexec is very clear in this matter:

       [...] pkexec will not allow you to run X11 applications
       as another user since the $DISPLAY and $XAUTHORITY environment
       variables are not set.[...]

As result you can create an (permanent) alias (this is the simpliest way):

alias pkexec='pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY'

Or, (again) as man pkexec says:

       [...] These two variables will be retained if the
       org.freedesktop.policykit.exec.allow_gui annotation on an action is set
       to a nonempty value; this is discouraged, though, and should only be
       used for legacy programs.[...]

you can create a new policy file in /usr/share/polkit-1/actions named com.ubuntu.pkexec.gedit.policy with the following xml code inside where the most important thing is to set org.freedesktop.policykit.exec.allow_gui to a nonempty value:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

  <action id="com.ubuntu.pkexec.gedit">
    <message gettext-domain="gparted">Authentication is required to run gedit</message>
    <icon_name>gedit</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>

</policyconfig>

How to tell it to not ask for a password after the first time applying it to a command?

For these three setting tags: allow_any, allow_inactive and allow_active from the policy file, the following options are available:

no: The user is not authorized to carry out the action. There is therefore no need for authentication.
yes: The user is authorized to carry out the action without any authentication.
auth_self: Authentication is required but the user need not be an administrative user.
auth_admin: Authentication as an administrative user is require.
auth_self_keep: The same as auth_self but, like sudo, the authorization lasts a few minutes.
auth_admin_keep: The same as auth_admin but, like sudo, the authorization lasts a few minutes.

^{Source: Polkit - Structure - Actions}

So, if you use auth_admin_keep option (or, as applicable, auth_self_keep), pkexec will not ask for a password again for some time (by default this time is set to 5 minutes as I checked). The disadvantage here is that this thing is applicable only for one - the same - command / application and valid for all users (unless if it is overruled in later configuration).

Where to save the configuration file if not yet existing?

Configuration files or polkit definitions can be divided into two kinds:

Actions are defined in XML .policy files located in /usr/share/polkit-1/actions. Each action has a set of default permissions attached to it (e.g. you need to identify as an administrator to use the GParted action). The defaults can be overruled but editing the actions files is NOT the correct way. The name of this policy file should have this format:
```
com.ubuntu.pkexec.app_name.policy
```
Authorization rules are defined in JavaScript .rules files. They are found in two places: 3rd party packages can use /usr/share/polkit-1/rules.d (though few if any do) and /etc/polkit-1/rules.d is for local configuration. The .rules files designate a subset of users, refer to one (or more) of the actions specified in the actions files and determine with what restrictions these actions can be taken by that/those user(s). As an example, a rules file could overrule the default requirement for all users to authenticate as an admin when using GParted, determining that some specific user doesn't need to. Or isn't allowed to use GParted at all.

^{Source: Polkit - Structure}

Is there a GUI application to configure `pkexec` usage?

From what I know, until now (18.01.2014) doesn't exist something like this. If in the future I will find something, I will not forget to update this answer too.

Ubuntu – Sudo doesn’t ask for password anymore

Your last line is the culprit. I do not know why, maybe it's a bug or I do not know all Linux rules.

You should consider these lines:

# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.

So remove the last line and put it in /etc/sudoers.d/sudo-jupiter. Now revert back permissions on /etc/sudoers to u-x and restart the system.

Best Answer

Related Solutions

Ubuntu – How to configure pkexec

How to configure pkexec to avoid getting errors when run GUI applications?

How to tell it to not ask for a password after the first time applying it to a command?

Where to save the configuration file if not yet existing?

Is there a GUI application to configure pkexec usage?

Ubuntu – Sudo doesn’t ask for password anymore

Related Question

How to configure `pkexec` to avoid getting errors when run GUI applications?

Is there a GUI application to configure `pkexec` usage?