I have a GUI application that needs to call a daemon (written in Python) with superuser privileges. I would like to do this without prompting the user for a password.
Since the daemon is a script, I can't set the SUID bit directly. I could write a C wrapper for this, but I'd rather not reinvent the wheel, especially when a mistake on my part could lead to the system's security being severely compromised.
What I'd normally do in this situation is to add a line in /etc/sudoers that allows users to execute the daemon as root without a password, using the NOPASSWD directive. This works fine from the command line. However, when I do this from the GUI, a pkexec dialog pops up asking for the user's password. It seems that on Ubuntu, calls to sudo from the GUI are somehow being intercepted by pkexec.
Is there a clean way around this? I'd really rather not have to deal with the hassles of a setuid script.
It's improper to say that: "It seems that on Ubuntu, calls to
sudofrom the GUI are somehow being intercepted bypkexec".pkexecdoesn't have much in common withsudo. In contrast withsudo,pkexecdoes not grant root permission to an entire process, but rather allows a finer level of control of centralized system policy.Now, if you want to run a GUI application without being asked by a password by
pkexec, this is not difficult to be done. Let's take for example GParted. When you open it, you will see the following dialog window asking you by a password:Click Details and the dialog window will look now like:
From here all you have to do is to open
/usr/share/polkit-1/actions/com.ubuntu.pkexec.gparted.policyfile using for example the following command:and change the following lines:
with the followings:
Save the file and close it. Next, when you will open GParted you will not be asked for a password anymore.