3

I'm trying to code something in Python, making Apache stop and start with a GUI application. Everything works ok, I mean I execute the command (service start or service stop) with subprocess.Popen and call for pkexec as first argument so the user is prompted and can start or stop apache

The problem is, pkexec is runned everytime the user clicks on start or stop apache which is quite normal. I thought after the first identification, the user would be as root inside my application, but he's not, i'm testing before and after the pkexec command...

Do you think I can find another solution for it ? Should I stick with the password dialog for ever

Thomas M.
  • 85
  • 9
  • have you tried that link: http://askubuntu.com/questions/383747/how-to-configure-pkexec-to-not-ask-for-password Looks like he has got the same problem as you! Hope it helps! Cheers mate! – errlog Jul 20 '15 at 13:07
  • Yeh, already saw it but it's quite hard to understand everything about this policy :/ and of course it's not documented – Thomas M. Jul 20 '15 at 13:26
  • Alright guys, thanks for having clarified this. Anyway, previous answer was about creating a new policy. I'm quite curious about another way to do what I want. I mean, is there really no way to keep the pkexec answer from a command that has been executed via my application running subprocess ? – Thomas M. Jul 20 '15 at 14:47
  • Ok after some research, I finally have something related to @errlog answer : here is the answer : while trying to execute as root this specific command : `subprocess.Popen(['/usr/bin/pkexec', "service","apache2","start"])` I made a link with the **service** command inside polkit, here is the two lines that was useful inside my **.policy** : `/usr/sbin/service true` After adding these two lines inside a new policy file, gksudo service was executed only once! – Thomas M. Jul 20 '15 at 20:47

1 Answers1

0

I'm facing the same problem than you: My python GTK app needs to run commands as root, but using pkexec makes it asking each time for the root password, which is really annoying.

I see two ways to solve that "issue":

1. Run your app with pkexec

That solution would fit more for your case.

Write a shell script which runs your python app with pkexec. With that solution, the user is asked only once, and your app run as root, therefore it doesn't require to use pkexec anymore, and can run any commands.

The downside of this is that you could expect, after a while, that the password is again asked, just in the case an unauthorized person get access to the computer.

2. Split your app

My use case is an installer that ease the life of users by downloading, compiling and installing a software.

The previous solution would work, but I do prefer let the user run the installer, and get asked for the password when it actually hit the "Install" button.

The solution is then to split the app in 2 parts:

  • The GUI
  • The "engine" or command executor process

The GUI will run the "engine" using pkexec when it needs to start it (in your case, it would need to run with pkexec only the first time the user clicks the "Start/Stop" button), so that the GUI runs as the user, and the "engine" as root.

Now you need an inter-process communication so that the "engine" can report to the GUI, and the GUI can send commands to the "engine". To do so, the best option would be to use pipes like it is shown in this answer: https://stackoverflow.com/a/3806342/1996540.

Update

I have finally implemented my suggested answer in this project so you can have a look on a working example.

ZedTuX
  • 2,859
  • 3
  • 28
  • 58