Good practices to ask sudo password in GUI ?

Philippe734 · Post by **Philippe734** » Sunday 12th February 2023 7:32am

Hello,
My app require sudo to fully operate.
In order to avoid start my app with sudo or pkexec, what are the good practices to ask the password while running the GUI app?
I tried the following, but each pkexec still ask password instead of once.

   
  Exec ["pkexec", "apt", "update"] Wait 
  Exec ["pkexec", "apt", "update"] Wait

cogier · Post by **cogier** » Sunday 12th February 2023 10:44am

You could have a look at my program Sudo_solution that is on the Gambas Farm and available here

BruceSteers · Post by **BruceSteers** » Sunday 12th February 2023 1:04pm

That is incorrect syntax for pkexec, you must pass Env vars "DISPLAY" and "XAUTHORITY" to your command or pkexec hides the info.

the bash/shell syntax is like this...
pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY

Note: NOT env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY pkexec
the Envs must be passed to your command being run not pkexec itself.

gb.desktop command Desktop.RunAsRoot() uses pkexec correctly.
(It was me who updated it from just using old gksudo/kdesudo commands that are mostly dead ducks now)
Deksktop.RunAsRoot("apt", "update") should work okay.

A Gambas Exec command should be done something like this...
Exec ["pkexec", "env", "DISPLAY=" & Env["DISPLAY"], "XAUTHORITY=" & Env["XAUTHORITY"], "apt", "update"] Wait

BruceSteers · Post by **BruceSteers** » Sunday 12th February 2023 1:36pm

Note, You cannot change a running programs sudo level.

You have to either run the program as root (then ANY commands are done at root level) or it's not root.

When using the Exec or RunAsRoot command it creates a shell process (using pkexec for root) runs the command , then the process ends.
So IT WILL ask for root every time you run a command with pkexec or Desktop.RunAsRoot()

It is considered not-good to have a non-root application ask for sudo then quietly retain the privileges.

There are options...

Run the program as root.

Or you could use a Terminal gb.form.terminal then initiate it with TerminalView1.Exec("sudo","bash")
then the terminal has a root bash running in it until it is closed and multiple commands can be added to it.

or.
Put all your commands together in a temp file and run that.

Dim sCom As String = "apt update && apt upgrade -y"
File.Save("/tmp/exec", sCom)
Chmod "/tmp/exec" To "rwxr-xr-x"
Shell "pkexec env DISPLAY=" & Env["DISPLAY"] & "XAUTHORITY=" & Env["XAUTHORITY"] & " /tmp/exec" Wait
Kill "/tmp/exec"

note: i used "apt update -y" as the shell will not be interactive so you cannot enter and key text like y for yes to upgrade.

Philippe734 · Post by **Philippe734** » Sunday 12th February 2023 4:29pm

cogier wrote: ↑Sunday 12th February 2023 10:44am You could have a look at my program Sudo_solution that is on the Gambas Farm and available here

I did it a try. It works, but it's not very good for security.
Why the command is executing twice?
First:

  If InStr(sCommand, "2>&1") Then                                                       'If the error output has been requested then
    Try Shell "echo " & sPass & " | sudo -S " & sCommand To sOutput                     'Shell the Command with the password to sOutput
  Else                                                                                  'Else..
    Try Shell "echo " & sPass & " | sudo -S " & sCommand & " 2>&1" To sOutput           'Shell the Command with the password and output the Error string
  End If

Then:

  Else                                                                                  'Else..
    Try Shell "echo " & sPass & " | sudo -S " & sCommand To sOutput

@bruce: I will check your comments soon, thanks

cogier · Post by **cogier** » Monday 13th February 2023 2:52pm

I did it a try. It works, but it's not very good for security.

You are right, but I didn't create this to be super secure.

Why the command is executing twice?

This is done to catch any errors, try putting the wrong password in or a command that can't work.

Philippe734 · Post by **Philippe734** » Monday 13th February 2023 3:23pm

I like the solution to start a terminal (or internal shell) and keep alive with adding multiples commands, in order to ask once password. But, the problem remain: how to ask only once the password, in a security way. If we use pkexec, then each command beginning with pkexec ask password again, even in the same shell. If we use the solution from Cogier, then ok the password is asked once, but it's very ugly for security as it retain the root password. Thanks for proposals, I will continue to search a better way.
Bellow, from a standard terminal. Each pkexec ask password, even if password is correct.

Code: Select all

user:~$ pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update
[...]
user:~$ pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update
Error executing command as another user: Request dismissed

BruceSteers · Post by **BruceSteers** » Monday 13th February 2023 4:48pm

Philippe734 wrote: ↑Monday 13th February 2023 3:23pm I like the solution to start a terminal (or internal shell) and keep alive with adding multiples commands, in order to ask once password. But, the problem remain: how to ask only once the password, in a security way. If we use pkexec, then each command beginning with pkexec ask password again, even in the same shell. If we use the solution from Cogier, then ok the password is asked once, but it's very ugly for security as it retain the root password. Thanks for proposals, I will continue to search a better way.
Bellow, from a standard terminal. Each pkexec ask password, even if password is correct.
Code: Select all
user:~$ pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update
[...]
user:~$ pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update
Error executing command as another user: Request dismissed

how about ..
pkexec --user root env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update

it's probably your username "user" is not in the sudo group
sudo adduser user
sudo adduser user sudo

BruceSteers · Post by **BruceSteers** » Monday 13th February 2023 5:57pm

or just something simple like this in your startup method...

  If User.Name <> "root" Then
    Dim sCommand As String = Application.Path &/ File.Name(Args[0])
    If File.Ext(sCommand) <> "gambas" Then sCommand &= ".gambas"
    If Args.Max Then sCommand &= " " & Args.All.Copy(1, -1).Join(" ")
    Desktop.RunAsRoot(sCommand, True)
    Quit
  Endif

  Print "user =";; User.Name
  Print "command =";; Args.All.Join(" ")

How that works when you run the program...
if you are not root then the program launches itself again with any given args, then quits.
if you are root it will continue to run and show the use name and any arguments that were passed to the first instance.

Note:
it HAS to happen that way that the program runs twice and the first instances stays alive until the root one closes. the first instance is the owning task of the root instance and if it exits all it's child tasks quit too.

So for the first instance the program does not properly load and run it just launches itself again with root then quits.

Hope that makes sense.

Philippe734 · Post by **Philippe734** » Monday 13th February 2023 6:09pm

I understand your point of view. However, I don't want users run as root my app. I want to only run some commands as root. Because, my apps are packaged as AppImage and can run on any Linux as Fedora, Arch, Debian...

Gambas ONE

Good practices to ask sudo password in GUI ?

Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?

Re: Good practices to ask sudo password in GUI ?