Using dbus and polkit to run a root privilege python service that calls a root script


Problem description

I have written a python script that downloads deb files from launchpad, and then calls out to a shell script to use alien to convert the debs to rpms.

The shell script uses alien, and so it needs to be run as root.

The program uses a thread pool to download the deb files asynchronously, using threadpool.apply_async, and then uses a processing pool to call the shell script asynchronously, so the whole thing happens reasonably quickly.

It all works well, but the shell script that calls alien needs to be root otherwise packages don't get built properly. When I first finished the script, I would use pkexec to call alien, after using sudo. In both cases, I had a couple of problems.

The first was that in starting in root, I lost the environment of the user, and so lost the pip installed python libraries. I could, perhaps, have used sudo -s or similar, but the second problem was that I had to enter my root password for every package that was built.

What I want to do, is to run the python script, qt gui and all, as a normal user, select which files to convert, and then hit the install button and only enter my superuser password once.

I decided to filter out the install parts of the python, which include the threaded download, and threaded call to the shell script, and then try and run those parts as root/superuser.

I created a dbus service, for this install part, and, after a steep dbus learning curve, managed to get the service working. However, I had no joy getting the script authenticated, and raising its privileges.

I have been able to use polkit to show the password dialog and authorise the super user, but I do not know how to use the return value from polkit

`authority.CheckAuthorization(subject, action_id, details, flags, cancellation_id)`

which shows the password dialog, for authorisation, but does not handle elevating the script's privileges.

I have set the python install service as 0500 perms, so that hopefully, once I have figured out how to elevate privileges, the root user has the ability to read and execute the service, which is currently created on the session bus.

How can I elevate permissions, and, at the same time, keep the environment variables of the user, so that I don't have to install python modules into the root account?

Many thanks for your help in advance...

ps. I have written a polkit action file, and a polkit rule, but in each case I am not sure how the action id relates to the elevation of privileges.

pps. Can I/should I use pam?

Recommended answer

I eventually ran the process as root, using pkexec to obtain a password dialog.
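
How the action id relates to privileges, as an added example that is not from the original post or answer: `CheckAuthorization` only returns a yes/no decision about the caller, so the code that acts on it must already be running as root (for instance a system-bus service), while the unprivileged GUI keeps its own environment. The action id, helper path and function names are hypothetical, and a root-owned system-bus service with dbus-python installed is assumed.

```python
import os
import subprocess

POLKIT_BUS = "org.freedesktop.PolicyKit1"
POLKIT_PATH = "/org/freedesktop/PolicyKit1/Authority"
POLKIT_IFACE = "org.freedesktop.PolicyKit1.Authority"
ALLOW_USER_INTERACTION = 0x1  # polkit may show the password dialog

# Hypothetical names, not taken from the original post.
ACTION_ID = "com.example.debconvert.convert"
HELPER = "/usr/local/libexec/deb-to-rpm.sh"


def polkit_authority():
    """Proxy for the polkit authority (needs dbus-python and the system bus)."""
    import dbus
    obj = dbus.SystemBus().get_object(POLKIT_BUS, POLKIT_PATH)
    return dbus.Interface(obj, POLKIT_IFACE)


def caller_is_authorized(authority, sender, action_id=ACTION_ID):
    """Ask polkit whether the D-Bus caller `sender` may perform action_id."""
    # In a dbus-python service, `sender` comes from sender_keyword="sender".
    subject = ("system-bus-name", {"name": sender})
    result = authority.CheckAuthorization(
        subject, action_id, {}, ALLOW_USER_INTERACTION, "")
    is_authorized, _is_challenge, _details = result  # D-Bus type (bba{ss})
    return bool(is_authorized)


def convert(authority, sender, deb_path, run=subprocess.run):
    """Body of a service method in a process that already runs as root."""
    if not caller_is_authorized(authority, sender):
        raise PermissionError(f"{sender} is not authorized for {ACTION_ID}")
    if not (os.path.isabs(deb_path) and deb_path.endswith(".deb")):
        raise ValueError("expected an absolute path to a .deb file")
    # Argument list and no shell: the caller-supplied path is passed as data,
    # and the helper runs with the service's environment, not the user's.
    return run([HELPER, deb_path], check=True)
```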
