[英]Gnome shell privilege escalation
I'm building a Gnome shell extension, and I want to be able to do some things with escalated privileges.我正在构建一个 Gnome shell 扩展,我希望能够通过提升权限来做一些事情。 So, I'm thinking I need to use "policy kit", but I don't know how to do go about doing this.所以,我在想我需要使用“政策工具包”,但我不知道该怎么做 go 。
So, say I wanted to do something like ifconfig eth0 down
or ifconfig eth0 up
所以,假设我想做一些像ifconfig eth0 down
或ifconfig eth0 up
这样的事情
I can run from the terminal: pkexec ifconfig eth0 down
and it will prompt for a password and then do it.我可以从终端运行: pkexec ifconfig eth0 down
它会提示输入密码然后执行。
But, how am I supposed to do it from inside an extension?但是,我应该如何从扩展内部做到这一点?
I'm pretty sure it has something to do with making a file in /usr/share/polkit-1/actions, but I can't find anything on the inte.net or otherwise.我很确定它与在 /usr/share/polkit-1/actions 中创建文件有关,但我在 inte.net 或其他地方找不到任何东西。
I want to be able to set it up so that there is no need for a password to be typed in, and the extension can just run the certain command whenever.我希望能够对其进行设置,以便无需输入密码,并且扩展程序可以随时运行特定命令。
I know that it is a really bad idea to allow any command to be run.我知道允许运行任何命令是一个非常糟糕的主意。 That is not what I am asking for, I want to be able to just run a single program/command.那不是我要的,我希望能够只运行一个程序/命令。
EDIT: I'm not sure, but I think it might be impossible for there to be no need to type in a password.编辑:我不确定,但我认为不需要输入密码可能是不可能的。 I just know that sudo doesn't ask for the password for a while after the first time, so I kind of want similar functionality.我只知道 sudo 第一次后一段时间不会要求输入密码,所以我有点想要类似的功能。 Not sure what possible.不确定有什么可能。
It's a long time since I didn't work with PolicyKit, but from what I remember, you have indeed to create a file in the actions/ directory, with contents like:我已经很久没有使用 PolicyKit,但据我所知,你确实必须在 actions/ 目录中创建一个文件,其内容如下:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<action id="org.freedesktop.policykit.pkexec.run-ifconfig">
<description>Configure network</description>
<message>Authentication is required to set ifconfig parameters</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>...</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/sbin/ifconfig</annotate>
</action>
</policyconfig>
You have to change the value in:您必须更改以下值:
<allow_active>...</allow_active>
To the value you want.到你想要的值。 Selecting a value of:选择以下值:
Changing the allow_active key's value to "yes" should stop the authentication demands.将 allow_active 键的值更改为“yes”应该会停止身份验证要求。
Then you need to adapt the action file to your needs and to call it.然后您需要根据需要调整操作文件并调用它。
Hugo,雨果,
I was having much the same issue to try and implement a selector for tuned.我遇到了很多同样的问题来尝试为 tuned 实现一个选择器。 Here is what I came up with.这是我想出的。
As others answered, you may need to write a policy file (I used "auth_admin").正如其他人回答的那样,您可能需要编写一个策略文件(我使用了“auth_admin”)。 I placed it in "/usr/share/polkit-1/actions/tuned-adm.policy."我把它放在“/usr/share/polkit-1/actions/tuned-adm.policy”中。 I don't think I can distrib that through the extensions model, so I will have to ask upstream to include it.我不认为我可以通过扩展 model 分发它,所以我将不得不要求上游包含它。
Next, I used pkexec and my command to get the "sudo popup" and got it to work.接下来,我使用 pkexec 和我的命令来获取“sudo 弹出窗口”并使其运行。
const GLib = imports.gi.GLib;
const Util = imports.misc.util;
this.pkexec_path = GLib.find_program_in_path('pkexec');
this.tunedadm_path = GLib.find_program_in_path('tuned-adm');
let result = Util.trySpawnCommandLine(this.pkexec_path + " " + this.tunedadm_path + " list")
The real kicker here was I used a couple of other methods to run the command line and they would lock up gnome-shell.真正的问题是我使用了其他几种方法来运行命令行,它们会锁定 gnome-shell。 I found the code here: https://github.com/nodefourtytwo/gnome-shell-extension-cpu-freq/blob/master/extension.js to be particularly handy.我在这里找到了代码: https://github.com/nodefourtytwo/gnome-shell-extension-cpu-freq/blob/master/extension.js特别方便。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.