Unsolved Enter admin rights once, use it in multiple process calls to terminal [Linux]
-
Hello,
I have a lot of process calls that runs commands in the terminal. This is done by calling the following line multiple times:process.start("pkexec", QStringList() << "--user" << "root" << [command]);
This works, but it's not very convenient as the user gets a prompt to enter admin password every time these processes run.
So my question is, how should i do if i only want the user to enter admin rights once and still get root privileges multiple times?
Thanks. -
@fleppe You could execute "sh" as command with "-c" parameter + "sudo" + "&&" + "pkexec", QStringList() << "--user" << "root" << [command]) + "&&" ... (all other commands).
-
@jsulm
I'm a little lost looking at your proposed command line. I don't see any-c
, I don't know what the first occurrence of&&
is about, I don't know how you're quoting/joining into one command, etc. Possibly fixed font would make it clearer.... Also, by the time you'resudo
-ing, do we need the--user root
any longer?If all you're suggesting to OP is to use
sudo
, that accepts the command as-is on the line. So what about something like:process.start("sudo " + command)
(There are various ways of passing arguments separately/together, each have their advantages/disadvantages. To be clear I'm using the straightforward
QString
overload. There may be quoting issues, but yours will have those too.) -
@JonB There is -c in my "example".
&& is simply to chain several commands in one command line (com1 && com2 && com3...).
But now I realised that this --user parameter is for the pkexec command (whatever it is), so my suggestion isn't valid. -
@jsulm
I could be wrong, but if you try a command like you say which goessudo && pkexec ...
I would imagine that, since each segment separated by
&&
s (or whatever similar) is run its own separate sub-shell, thesudo
's "lifetime" will only be its own sub-shell, and therefore assuming your intention was to run the laterpkexec ...
on the command-line undersudo
(that was what you were intending, right?) it will in fact have "been & gone", leaving thepkexec ...
running not assudo
after all...To be clear: not trying to nit-pick on you, I too am not always 100% and like to learn, am just trying to produce a heads-up clarification for @fleppe if he tries yours and it doesn't work.
As I said earlier, I would expect
process.start("sudo " + pkexec_command)
to correctly run the
pkexec
assudo
.However, unless OP has marked his
sudo
to require no password (as I do, on my own machine), this might prompt forsudo
credentials each time for eachpkexec
, which he says he wishes to avoid? Fromman sudo
I think this approach relies on:Security policies may support credential caching to allow the user to run
sudo again for a period of time without requiring authentication. The
sudoers policy caches credentials for 15 minutes, unless overridden in
sudoers(5). By running sudo with the -v option, a user can update the
cached credentials without running a command.If that is no good, one solution would be: Assuming you know what multiple
pkexec
s you wish to execute, send them all off to a text file as separate commands and run that file once viasudo
. -
Good idea to put the commands in a text file, thought the problem is that i need to do stuff in the QT-application in between command calls.
pkexec
as i understand is: "A application used to interface with the polkit actions and authenticate an application to acquire root access." So that's a part of getting root access. https://stackoverflow.com/questions/47885043/proper-method-to-acquire-root-access-on-linux-for-qt-applicationsThink of it as i calling
sudo apt update
multiple times in the program and doing things in the QT application in between.I'm grateful for your answers.
Thanks. -
@JonB Yes, the && between sudo and first command is not needed, I was in hurry when I wrote my first comment in this thread.
-
@fleppe
And there was I thinkingpkexec
was something to do with running somepkzip
command.....This "polkit" stuff is all very good, and if that's what you want to use fine. But it's going to require a bit of setting up to use. I do not know how much configuring you want to do, or how "secure" you need to be for your purposes.
I will just say that in terms of "simplicity", if that's really what you want, my two thoughts would be:
-
Use
sudo
and rely on what I quoted from the man page to ensure the user only gets prompted for password once every 15 minutes, if that works for you. -
Use setuid. It sounds like all your commands are
apt update
s? I would not make your Qt program itself setuid (unless you really know what you are doing). Rather, a tiny executable wrapper program supplied with your Qt app to just doapt update
with setuid would suffice (installed with justchown root
&chmod u+s
). I would suggest this might be the simplest solution if you want to avoid any password prompting at all, as per your original question. Have you at least considered/do you know about setuid, even if you have good reason to reject it?
-