Congratulations to our 2022 Qt Champions!

Enter admin rights once, use it in multiple process calls to terminal [Linux]

  • Hello,
    I have a lot of process calls that runs commands in the terminal. This is done by calling the following line multiple times:

    process.start("pkexec", QStringList() << "--user" << "root" << [command]);

    This works, but it's not very convenient as the user gets a prompt to enter admin password every time these processes run.

    So my question is, how should i do if i only want the user to enter admin rights once and still get root privileges multiple times?

  • Lifetime Qt Champion

    @fleppe You could execute "sh" as command with "-c" parameter + "sudo" + "&&" + "pkexec", QStringList() << "--user" << "root" << [command]) + "&&" ... (all other commands).

  • @jsulm
    I'm a little lost looking at your proposed command line. I don't see any -c, I don't know what the first occurrence of && is about, I don't know how you're quoting/joining into one command, etc. Possibly fixed font would make it clearer.... Also, by the time you're sudo-ing, do we need the --user root any longer?

    If all you're suggesting to OP is to use sudo, that accepts the command as-is on the line. So what about something like:

    process.start("sudo " + command)

    (There are various ways of passing arguments separately/together, each have their advantages/disadvantages. To be clear I'm using the straightforward QString overload. There may be quoting issues, but yours will have those too.)

  • Lifetime Qt Champion

    @JonB There is -c in my "example".
    && is simply to chain several commands in one command line (com1 && com2 && com3...).
    But now I realised that this --user parameter is for the pkexec command (whatever it is), so my suggestion isn't valid.

  • @jsulm
    I could be wrong, but if you try a command like you say which goes

    sudo && pkexec ...

    I would imagine that, since each segment separated by &&s (or whatever similar) is run its own separate sub-shell, the sudo's "lifetime" will only be its own sub-shell, and therefore assuming your intention was to run the later pkexec ... on the command-line under sudo (that was what you were intending, right?) it will in fact have "been & gone", leaving the pkexec ... running not as sudo after all...

    To be clear: not trying to nit-pick on you, I too am not always 100% and like to learn, am just trying to produce a heads-up clarification for @fleppe if he tries yours and it doesn't work.

    As I said earlier, I would expect

    process.start("sudo " + pkexec_command)

    to correctly run the pkexec as sudo.

    However, unless OP has marked his sudo to require no password (as I do, on my own machine), this might prompt for sudo credentials each time for each pkexec, which he says he wishes to avoid? From man sudo I think this approach relies on:

    Security policies may support credential caching to allow the user to run
    sudo again for a period of time without requiring authentication. The
    sudoers policy caches credentials for 15 minutes, unless overridden in
    sudoers(5). By running sudo with the -v option, a user can update the
    cached credentials without running a command.

    If that is no good, one solution would be: Assuming you know what multiple pkexecs you wish to execute, send them all off to a text file as separate commands and run that file once via sudo.

  • Good idea to put the commands in a text file, thought the problem is that i need to do stuff in the QT-application in between command calls.

    pkexecas i understand is: "A application used to interface with the polkit actions and authenticate an application to acquire root access." So that's a part of getting root access.

    Think of it as i calling sudo apt update multiple times in the program and doing things in the QT application in between.

    I'm grateful for your answers.

  • Lifetime Qt Champion

    @JonB Yes, the && between sudo and first command is not needed, I was in hurry when I wrote my first comment in this thread.

  • @fleppe
    And there was I thinking pkexec was something to do with running some pkzip command.....

    This "polkit" stuff is all very good, and if that's what you want to use fine. But it's going to require a bit of setting up to use. I do not know how much configuring you want to do, or how "secure" you need to be for your purposes.

    I will just say that in terms of "simplicity", if that's really what you want, my two thoughts would be:

    • Use sudo and rely on what I quoted from the man page to ensure the user only gets prompted for password once every 15 minutes, if that works for you.

    • Use setuid. It sounds like all your commands are apt updates? I would not make your Qt program itself setuid (unless you really know what you are doing). Rather, a tiny executable wrapper program supplied with your Qt app to just do apt update with setuid would suffice (installed with just chown root & chmod u+s). I would suggest this might be the simplest solution if you want to avoid any password prompting at all, as per your original question. Have you at least considered/do you know about setuid, even if you have good reason to reject it?

Log in to reply