Ubuntu – Root tasks using dbus and policykit


At some point my application needs to do administrative tasks like creating a file in /etc or running commands with root priveleges.

I know just could do a Q&D:

os.popen("pkexec foo bar")

But I also know that this is not the foreseen clean way to do it. Some kind of annoying for the user because he always needs to reenter his password instead of having a session-like handling.

I was very optimistic as I found the python example for authenticating.

It's a simple example which works immediatly:

import dbus

bus = dbus.SystemBus()
proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
authority = dbus.Interface(proxy,  dbus_interface='org.freedesktop.PolicyKit1.Authority')

system_bus_name = bus.get_unique_name()

subject = ('system-bus-name', {'name' : system_bus_name})
action_id = 'org.freedesktop.policykit.exec'
details = {}
flags = 1            # AllowUserInteraction flag
cancellation_id = '' # No cancellation id

result = authority.CheckAuthorization(subject, action_id, details, flags, cancellation_id)

print result

I've been quite naive thinking that after authorization I could just go on in the script with some os.popen()-commands. Now I know better 🙁

I can see the tuple-result in the example above, but in the further documentation I could not find a working code to go on at this point.

What do I have to do with this result? How can I go on performing the tasks I need? Is there a python reference with examples that offer the available methods?

I tried to list the methods of authorization by using dir() but could not find any clue how to go on.

I really want to avoid using my fallback but it would be my last resort. Please help me doing it the right way 🙂

Thanks and regards



Due I did not bring this to work and my former solution by starting my program with gksu does not work out of /opt/, I finally had to give up and implement a thousand asks for password to make the program rudimentary work to get at least a T-Shirt in the app showdown.

I did not notice the problem because I first did a quickly share. There everything worked right. Asking once for the password at the beginning. I'm totally down now. My contribution for AppShowdown was https://launchpad.net/armorforge. ;-(

Best Answer

There's a fundamental concept you need to grasp first: PolicyKit only handles authorisation, not privilege escalation. PolicyKit will answer the question: "is the user authorised to do this task?", but it will not give you root privileges.

The commonly-used model is to create a DBus system service, which runs with root privileges. It will take requests from non-root processes, use PolicyKit to determine whether that process is authorised to make that request, and then do the task requested.

I wrote a tutorial on PolicyKit and DBus with Python on ubuntuforums.org a few years back. The principles are the same, although it might need some updating. I need to go to bed now, so have a look and let me know if it needs updating.