16

I have a UI app (uses GTK) for Linux that requires to be run as root (it reads and writes /dev/sd*).

Instead of requiring the user to open a root shell or use "sudo" manually every time when he launches my app, I wonder if the app can use some OS-provided API to get root permissions. (Note: GTK apps can't use "setuid" mode, so that's not an option here.)

The advantage here would be an easier workflow: The user could, from his default user account, double click my app from the desktop instead of having to open a root terminal and launch it from there.

I ask this because OS X offers exactly this: An app can ask the OS to launch an executable with root permissions - the OS (and not the app) then asks the user to input his credentials, verifies them and then launches the target as desired.

I wonder if there's something similar for Linux (Ubuntu, e.g.)

Clarification:

So, after the hint at PolicyKit I wonder if I can use that to get r/w access to the "/dev/sd..." block devices. I find the documentation quite hard to understand, so I thought I'd first ask whether this is possible at all before I spend hours on trying to understand it in vain.

Update:

The app is a remote operated disk repair tool for the unsavvy Linux user, and those Linux noobs won't have much understanding of using sudo or even changing their user's group memberships, especially if their disk just started acting up and they're freaking out. That's why I seek a solution that avoids technicalities like this.

Thomas Tempelmann
  • It's definitely possible to set things up like that - for example, the Synaptic package manager is usually set up that way. – caf Mar 08 '10 at 12:11
  • I'm not sure you should really want to run as root. If you only need access to disk, it's better to add the user to "disk" group. – Milan Babuškov Mar 08 '10 at 23:25
  • Milan - My app acts as a one-time disk repair tool. I don't think anyone who wants to use it is willing to change his system-wide settings for this, quasi permanently. – Thomas Tempelmann Mar 08 '10 at 23:30

1 Answer

7

The old way, simple but now being phased out, is GKSu. Here is the discussion on GKSu's future.

The new way is to use PolicyKit. I'm not quite sure how this works but I think you need to launch your app using the pkexec command.

UPDATE:

Looking at the example code on http://hal.freedesktop.org/docs/polkit/polkit-apps.html, it seems that you can use PolicyKit to obtain authorization for certain actions which are described by .policy files in /usr/share/polkit-1/actions. The action for executing a program as another user is org.freedesktop.policykit.exec. I can't seem to find an action for directly accessing block devices, but I have to admit, the PolicyKit documentation breaks my brain too.

So, perhaps the simplest course of action for you is to separate your disk-mangling code that requires privileges into a command-line utility, and run that from your GUI application using g_spawn_[a]sync() with pkexec. That way you wouldn't have to bother with requesting actions and that sort of thing. It's probably bad practice anyway to run your whole GUI application as root.

Another suggestion is to ask the author of PolicyKit (David Zeuthen) directly. Or try posting your question to the gtk-app-devel list.

ptomato
  • I've tried pkexec - unfortunately, it doesn't work in my case as I get the following error message: "Gtk-WARNING **: cannot open display:" -- "man pkexec" explains why: “The environment that PROGRAM will run it, will be set to a minimal known and safe environment in order to avoid injecting code through LD_LIBRARY_PATH or similar mechanisms. In addition the PKEXEC_UID environment variable is set to the user id of the process invoking pkexec. As a result, pkexec will not allow you to run e.g. X11 applications as another user since the $DISPLAY environment variable is not set.” Darn. – Thomas Tempelmann Mar 08 '10 at 23:19
  • Hmm, I think the PolicyKit API allows you to achieve the same thing, but from within your program. I'm not sure though. – ptomato Mar 09 '10 at 09:08
  • SO did not mail me about your update, so I only see it now. Thanks for making the extra effort, I think with that information I can get ahead. – Thomas Tempelmann Mar 17 '10 at 18:09
  • Sure, I'm happy to go the extra mile for all that rep, they don't call it Crack Overflow for nothing ;-) – ptomato Mar 18 '10 at 13:33
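
The privileged half of the split suggested in the answer above (a command-line utility started through pkexec), as an added example that is not code from the post or from PolicyKit. The helper path and all function names are hypothetical; because the helper runs as root, it treats its argument as untrusted and reads the caller's identity from the PKEXEC_UID variable that the quoted man page describes.

```c
/* Hypothetical helper, started e.g. as: pkexec /usr/libexec/disk-helper /dev/sdb */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only /dev/sd<letters>[<digits>]: no slashes, dots or other characters. */
int device_name_ok(const char *path) {
    const char *p = path;
    if (strncmp(p, "/dev/sd", 7) != 0) return 0;
    p += 7;
    if (!islower((unsigned char)*p)) return 0;
    while (islower((unsigned char)*p)) p++;
    while (isdigit((unsigned char)*p)) p++;
    return *p == '\0';
}

/* Open without following symlinks and confirm a block device; fd or -1. */
int open_block_device(const char *path, int flags) {
    struct stat st;
    if (!device_name_ok(path)) return -1;
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISBLK(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* pkexec sets PKEXEC_UID to the invoking user's uid; -1 if absent or malformed. */
long invoking_uid(void) {
    const char *s = getenv("PKEXEC_UID");
    char *end;
    if (s == NULL || *s == '\0') return -1;
    long uid = strtol(s, &end, 10);
    return (*end == '\0' && uid >= 0) ? uid : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s /dev/sdX\n", argv[0]); return 2; }
    int fd = open_block_device(argv[1], O_RDWR);
    if (fd < 0) { fprintf(stderr, "refusing %s\n", argv[1]); return 1; }
    fprintf(stderr, "opened %s for uid %ld\n", argv[1], invoking_uid());
    /* Repair logic goes here, talking to the unprivileged GUI over stdin/stdout. */
    close(fd);
    return 0;
}
```

The GUI stays unprivileged and keeps its own $DISPLAY; only this helper crosses the pkexec boundary, so the "cannot open display" failure from the comments does not arise.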