6

So, I have one software that always asks for password when starting. And I want to run this software without this gksu password prompt popping up everytime.

The first thing I tried was adding its path to sudoers. However, that didn't work. Later I found out there's a thing called policykit, and if some program wants to use some of policykit actions, it will always prompts user for password (sudoers have no effect on it).

I followed a guide in How do I prevent PolicyKit from asking for a password?, but it still doesn't work, so I think I might have added wrong action.

Question: How I can see what pkaction does my program use so I can enter it in my .pkla file?

Community
  • 1
PKM
  • 829
  • Which software in particular do you want to run like this? What exactly did you try to achieve that and what happened instead? Did you encounter any warning or error messages? Please reproduce them in their entirety in your question. You can select, copy and paste terminal content and most dialogue messages in Ubuntu. (see How do I ask a good question?) – David Foerster Feb 24 '17 at 10:55

2 Answers2

2

Ask Ubuntu has this answer (How to configure pkexec to not ask for password?) that is closer to what you need than the link you found earlier.

As a quick example to finding the application, I'll illustrate using my own script. I wanted to replace gksu which is being deprecated with pkexec so I wrote a wrapper script called gsu.

I invoke gsu from the command line with:

gsu pkexec

Notice the Details drop down arrow. Click it and this is revealed:

gsu pkexec details

In my example the pkla is controlled by org.gnome.gedit. I'll use that in the next example, which you would replace with your own:

gsu pexec authorities

If you want to run without password prompt you would set the following:

  <allow_any>yes</allow_any>
  <allow_inactive>yes</allow_inactive>
  <allow_active>yes</allow_active>

On a personal note I don't like repeatedly entering the password myself but will not change gedit to never ask for password when changing root files using pkexec. However I would like it to not repeatedly ask for password when running it many times in given session. You can do this with sudo and you can extend the period from 10 minutes to 120 minutes as I have done on my system. I would like similar functionality for policy kits.

Community
  • 1
WinEunuuchs2Unix
  • 102,282
  • There are cases where no prompt is made: http://askubuntu.com/a/884708/158442 – muru Feb 26 '17 at 03:30
  • @muru You wrote an excellent answer there and only got one upvote while Byte Commander got 16 upvotes for the question. Deviation from normal Q&A voting. +1 for the answer there but would you like me to put your link into my answer too? – WinEunuuchs2Unix Feb 26 '17 at 17:47
  • 1
    no, but I'd like to know how to find the action when there is no prompt. In that case, I knew beforehand the actions used by shutdown, restart, etc., but they have changed before and may change again. – muru Feb 27 '17 at 00:19
1

It would seem counter-intuitive to bypass the security of a policykit authorization. In the absence of any further details my best advice is don't do it.

Be that as it may,

A mechanism needs to declare a set of actions in order to use polkit. Actions correspond to operations that clients can request the mechanism to carry out and are defined in files that the mechanism installs into the /usr/share/polkit-1/actions directory.

pkaction --verbose

will produce detailed output regarding all policykit actions. This will be useful when reviewing local config files. You can redirect this output to a text file for later review in the usual way >later.review.txt

These config files are found in the directories listed when you issue the command sudo ls /var/lib/polkit-1/localauthority/

10-vendor.d  20-org.d  30-site.d  50-local.d  90-mandatory.d

dig around and find the .pkla file that corresponds to your unidentified software. Absent any useful information I'll pretend it's the Unity Greeter for example. We can review the lines that begin with Action= with the command sudo grep "Action=" /var/lib/polkit-1/localauthority/10-vendor.d/unity-greeter.pkla Which results in 

Action=org.freedesktop.NetworkManager.enable-disable-network;org.freedesktop.NetworkManager.enable-disable-wifi;org.freedesktop.NetworkManager.enable-disable-wwan;org.freedesktop.NetworkManager.enable-disable-wimax;
Action=org.freedesktop.NetworkManager.sleep-wake
Action=org.freedesktop.NetworkManager.wifi.share.protected;org.freedesktop.NetworkManager.wifi.share.open
Action=org.freedesktop.NetworkManager.settings.modify.own;org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.settings.modify.hostname
Action=org.freedesktop.NetworkManager.use-user-connections
Action=org.freedesktop.NetworkManager.network-control

For further information the latest polkit reference manual can be found here and related information on systemd can be found here

As @muru points out there's also a related Q&A here

Sources:

https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

How do I prevent PolicyKit from asking for a password?

Community
  • 1
Elder Geek
  • 36,023
  • 25
  • 98
  • 183
  • Of course, this needn't always be about bypassing security, but could be the other way around: http://askubuntu.com/a/884708/158442 and best I can tell, systemd doesn't have a file in 10-vendor.d – muru Feb 26 '17 at 03:29
  • @muru, good point regarding the bypass of security. I suppose the OP's statement regarding wanting to bypass the password led me to the conclusion that that was the intent. The 10-vendor.d is an example from one of my systems running the Unity desktop. – Elder Geek Feb 26 '17 at 17:42