验证GTK应用程序以root权限运行 [英] Authenticating GTK app to run with root permissions
问题描述
我有一个用于Linux的UI应用程序(使用GTK),该应用程序需要以root用户身份运行(它读取和写入/dev/sd *).
I have a UI app (uses GTK) for Linux that requires to be run as root (it reads and writes /dev/sd*).
我不是在每次启动我的应用程序时都要求用户打开root外壳或手动使用"sudo",而是想知道该应用程序是否可以使用某些操作系统提供的API来获取root权限. (注意:gtk应用程序不能使用"setuid"模式,因此这里不是一个选择.)
Instead of requiring the user to open a root shell or use "sudo" manually every time when he launches my app, I wonder if the app can use some OS-provided API to get root permissions. (Note: gtk app's can't use "setuid" mode, so that's not an option here.)
这样做的好处是可以简化工作流程:用户可以使用其默认用户帐户从桌面上双击我的应用程序,而不必打开根终端并从那里启动它.
The advantage here would be an easier workflow: The user could, from his default user account, double click my app from the desktop instead of having to open a root terminal and launch it from there.
我之所以这样问,是因为OS X恰好提供了这一点:应用程序可以要求操作系统启动具有root权限的可执行文件-操作系统(而不是应用程序)然后要求用户输入其凭据,对其进行验证,然后启动根据需要定位.
I ask this because OS X offers exactly this: An app can ask the OS to launch an executable with root permissions - the OS (and not the app) then asks the user to input his credentials, verifies them and then launches the target as desired.
我想知道Linux是否有类似的东西(例如,Ubuntu)
I wonder if there's something similar for Linux (Ubuntu, e.g.)
说明:
Clarification:
因此,在PolicyKit提示之后,我想知道是否可以使用它来获得对"/dev/sd ..."块设备的读/写访问权限.我发现该文档很难理解,因此我想先问问这是否可行,然后再花几个小时尝试徒劳地理解它.
So, after the hint at PolicyKit I wonder if I can use that to get r/w access to the "/dev/sd..." block devices. I find the documention quite hard to understand, so I thought I'd first ask whether this is possible at all before I spend hours on trying to understand it in vain.
更新:
Update:
该应用程序是面向不懂Linux的用户的远程磁盘修复工具,而那些Linux菜鸟对使用sudo甚至更改用户的组成员资格不甚了解,特别是如果他们的磁盘刚刚开始工作并且他们重新吓坏了.这就是为什么我寻求避免此类技术性的解决方案的原因.
The app is a remote operated disk repair tool for the unsavvy Linux user, and those Linux noobs won't have much understanding of using sudo or even changing their user's group memberships, especially if their disk just started acting up and they're freaking out. That's why I seek a solution that avoids technicalities like this.
推荐答案
很简单,但现在已被淘汰的旧方法是这里是GKSu未来的讨论.
The old way, simple but now being phased out, is GKSu. Here is the discussion on GKSu's future.
新方法是使用 PolicyKit .我不太确定这是如何工作的,但我认为您需要使用pkexec命令启动您的应用.
The new way is to use PolicyKit. I'm not quite sure how this works but I think you need to launch your app using the pkexec command.
更新:
在 http://hal.freedesktop.org上查看示例代码/docs/polkit/polkit-apps.html ,看来您可以使用PolicyKit为某些操作获取授权,这些操作由/usr/share/polkit-1/actions中的.policy文件描述.以另一个用户身份执行程序的动作为org.freedesktop.policykit.exec.我似乎找不到直接访问块设备的操作,但是我不得不承认,PolicyKit文档也让我很头疼.
Looking at the example code on http://hal.freedesktop.org/docs/polkit/polkit-apps.html, it seems that you can use PolicyKit to obtain authorization for certain actions which are described by .policy files in /usr/share/polkit-1/actions. The action for executing a program as another user is org.freedesktop.policykit.exec. I can't seem to find an action for directly accessing block devices, but I have to admit, the PolicyKit documentation breaks my brain too.
因此,对您来说,最简单的操作可能是将需要特权的磁盘处理代码分离到命令行实用程序中,然后使用g_spawn_[a]sync()和pkexec从GUI应用程序运行该代码.这样,您就不必为请求操作之类的事情而烦恼.无论如何,以root用户身份运行整个GUI应用程序可能都是不好的做法.
So, perhaps the simplest course of action for you is to separate your disk-mangling code that requires privileges into a command-line utility, and run that from your GUI application using g_spawn_[a]sync() with pkexec. That way you wouldn't have to bother with requesting actions and that sort of thing. It's probably bad practice anyway to run your whole GUI application as root.
另一个建议是直接询问PolicyKit的作者(David Zeuthen).或者尝试将您的问题发布到gtk-app-devel列表中.
Another suggestion is to ask the author of PolicyKit (David Zeuthen) directly. Or try posting your question to the gtk-app-devel list.
这篇关于验证GTK应用程序以root权限运行的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
