@shundhammer
Last active June 16, 2025 18:47
Running an X Program with Root Privileges

xdg-su

This will ask for the root password:

[Desktop Entry]
Type=Application
Name=Myrlyn
Exec=xdg-su -c /usr/bin/myrlyn

sudo

sudo cannot open a window to ask for a password; it only works in text mode, or if sudo is configured in /etc/sudoers not to ask for a password with the NOPASSWD parameter.

sudo (dirty)

The xhost + call in the entry below opens the X11 connection (your display) to everybody in the local network, so use this only in a home network behind a DSL router with nobody else in that network.

This uses the sudo configuration in /etc/sudoers. For SLES 16.0 / Leap 16.0, this will ask for the password of the current user (like in Debian / Ubuntu since forever); in SLE-15 / Leap 15.x, it will ask for the root password (because we have Defaults: !targetpw in /etc/sudoers there).

There are rules in /etc/sudoers that grant the wheel group (see /etc/group) root privileges.

In 16.0, the first user account created during installation is automatically added to the wheel group, so that user account can use that for more privileges if that is configured in /etc/sudoers.

[Desktop Entry]
Type=Application
Name=Myrlyn
Exec=sh -c "xhost +; sudo /usr/bin/myrlyn"

sudo (clean)

sudo cannot open a window to ask for a password; it only works in text mode, or if sudo is configured in /etc/sudoers not to ask for a password with the NOPASSWD parameter.

[Desktop Entry]
Type=Application
Name=Myrlyn
Exec=sh -c "sudo -E DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY /usr/bin/myrlyn"

This works only if $XAUTHORITY is set, i.e. in a local shell on your local desktop, not for ssh -X, but that should be good enough. This is also why the whole command needs to be embedded into a separate shell (sh -c); otherwise the .desktop file would only fork and exec the command without a shell around it, and assigning the environment variables wouldn't work.

sudo -E

[Desktop Entry]
Type=Application
Name=Myrlyn
Exec=sudo -E /usr/bin/myrlyn

sudo -E preserves the environment.

man sudo:

-E, --preserve-env

Indicates to the security policy that the user wishes to preserve their existing environment variables. The security policy may return an error if the user does not have permission to preserve the environment.

Special sudo configuration in /etc/sudoers

Using sudo is possible if it is configured not to ask for a password (which is of course less secure):

/etc/sudoers (at the end to avoid interference by included files):

...
...

# Keep important environment variables
Defaults env_keep = "DISPLAY WAYLAND_DISPLAY XAUTHORITY QT_QPA_PLATFORMTHEME"

# Allow root privileges for this one user
myusername ALL=(ALL) NOPASSWD: ALL

# Allow root privileges for members of the 'wheel' user group
%wheel ALL=(ALL:ALL) NOPASSWD: ALL

Then all you need in the myrlyn-root.desktop file is:

[Desktop Entry]
Type=Application
Name=Myrlyn (root)
Exec=sudo /usr/bin/myrlyn
Icon=Myrlyn
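
The two NOPASSWD rules above give passwordless root for every command, not only Myrlyn. As an added example (not part of the original gist), this sh/awk check flags such blanket rules in sudoers text; the sample input is constructed from the rules above plus a hypothetical narrowed rule limited to /usr/bin/myrlyn, and the function names are assumptions. It assumes one rule per line, with no backslash continuations and no command aliases.

```sh
#!/bin/sh
# Added example, not from the original gist: flag sudoers rules that grant
# passwordless root for every command (NOPASSWD: ALL).

# Constructed sample: the Defaults line and both blanket rules from the text,
# plus a hypothetical narrowed rule that covers only /usr/bin/myrlyn.
sample_sudoers() {
    cat <<'EOF'
# Keep important environment variables
Defaults env_keep = "DISPLAY WAYLAND_DISPLAY XAUTHORITY QT_QPA_PLATFORMTHEME"
myusername ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
%wheel ALL=(root) NOPASSWD: /usr/bin/myrlyn
EOF
}

# Reads sudoers text on stdin and prints "<line>:<user or %group>" for each
# rule whose NOPASSWD command list contains ALL.
# Assumption: one rule per line, no backslash continuations, no Cmnd_Alias.
audit_nopasswd_all() {
    awk '
        /^[ \t]*(#|$)/    { next }   # comments and blank lines
        /^[ \t]*Defaults/ { next }   # settings, not privilege rules
        {
            i = index($0, "NOPASSWD:")
            if (i == 0) next
            # Everything after the tag is the comma-separated command list
            n = split(substr($0, i + length("NOPASSWD:")), cmd, ",")
            for (k = 1; k <= n; k++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmd[k])
                sub(/^([A-Z_]+:[ \t]*)+/, "", cmd[k])  # drop further tags, e.g. SETENV:
                if (cmd[k] == "ALL") { print NR ":" $1; break }
            }
        }
    '
}

# Prints 3:myusername and 4:%wheel; the narrowed rule on line 5 is not flagged.
sample_sudoers | audit_nopasswd_all
```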

pkexec

This also asks for the root password by default:

[Desktop Entry]
Type=Application
Name=Myrlyn
Exec=pkexec env DISPLAY=$DISPLAY WAYLAND_DISPLAY=$WAYLAND_DISPLAY XAUTHORITY=$XAUTHORITY /usr/bin/myrlyn

Using the membership in the wheel user group works with the polkit rule below; then it asks for the user's own password instead.

But importing the environment variables in a .desktop file like above doesn't work at all; they are all empty. This is consistent with man pkexec where it is described that it sabotages all attempts to set at least some environment variables.

Reference

shundhammer commented Jun 16, 2025

@Vogtinator (Fabian Vogt) wrote:

FTR, for sudo you can do SUDO_ASKPASS=/usr/libexec/ssh/ssh-askpass sudo -Ai to get a UI
