2

As continuation of this question (How can I send a notification with polkit 0.106?), I've discovered that I have to execute notify-send as the user who I want to send notification.

But, with my current config, I can't do this, because polkit execute the script as polkitd user, and I can't do su $user without known user password.

By this reason, I need to create a new polkit action, to allow execute notify-send as other user from polkitd.

My polkit rule is this:

polkit.addRule(function(action, subject) {
     if (action.id == "org.freedesktop.consolekit.system.stop" ||
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" || 
        action.id == "org.xfce.session.xfsm-shutdown-helper")  
     {

        try{    
            polkit.spawn(["/usr/bin/pendrive-reminder/check_pendrive.sh", subject.user]);        
            return polkit.Result.YES;

        }catch(error){
            polkit.spawn(["/usr/bin/pendrive-reminder/send_notify.sh", subject.user]);
           return polkit.Result.NO;
        }
    }
});

This polkit rule must lock shutdown option in shutdown menu, and shows a notification with notify-send, with send_notify.sh script, which execute this:

#!/bin/bash

export DISPLAY=":0"

user=$1
pkexec --user $user notify-send  "Pendrive Reminder" "Shutdown lock enabled. Disconnect pendrive to enable shutdown" -u critical

exit 0

I tried to add this polkit policy file:

<policyconfig>
    <action id="org.freedesktop.notify-send">
    <description>Launch notify-send command</description>
    <defaults>
        <allow_any>yes</allow_any>
        <allow_inactive>yes</allow_inactive>
        <allow_active>yes</allow_active>
    </defaults>
   <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/notify-send</annotate>
   <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
   </action>
</policyconfig>

I put this file in /usr/share/polkit-1/actions/org.freedesktop.policykit.notify-send.policy

But, after put policy file in /usr/share/polkit-1/rules.d/ and press shutdown button, the shutdown menu took a long time to be showed, and notification didn't appeared. The shutdown option is locked correctly

How can I get that polkit can call notify-send from my script?

AlmuHS
  • 169
  • 8
  • Don't use `su $user -c`, try to allow `pkexec --user $user notify-send`. – mviereck Feb 25 '18 at 20:08
  • Ok, I'll try it – AlmuHS Feb 25 '18 at 20:08
  • After change this, the problem continues. Shutdown menu takes around 10 seconds in be showed, and notification isn't showed – AlmuHS Feb 25 '18 at 20:15
  • Add this in your bash script: `LOG_FILE=/tmp/script.log ; exec > >(tee -a ${LOG_FILE} ) ; exec 2> >(tee -a ${LOG_FILE} >&2)`. Check the log file afterwards to see possible error messages. Btw.: use @mviereck if you adress me, than I get a notification. – mviereck Feb 25 '18 at 20:56
  • @mviereck after add this in my script and press shutdown button, the log file is empty – AlmuHS Feb 25 '18 at 21:04
  • @mviereck may I could to add `polkitd` to sudoers file, only with notify-send allowed, and execute command with `sudo su $user notify-send` – AlmuHS Feb 25 '18 at 21:32
  • ok, add polkitd to sudoers don't runs – AlmuHS Feb 25 '18 at 21:49
  • That is possible, but I would not recommend that for a deployed solutions, only for custom home setups. `sudo` is not preset everywhere, for example, debian uses only `su` and `pkexec`. Btw., instead of `sudo su $user` use `sudo -u $user`. The most portable way would be a passwordless `pkexec --user $user notify-send`. I'm quite sure it is possible. – mviereck Feb 25 '18 at 21:50
  • @mviereck In any case, add `polkitd ALL=(ALL) NOPASSWD: /usr/bin/notify-send` only allows polkitd to execute `notify-send`, which isn't the problem, so It isn't solve my problem – AlmuHS Feb 25 '18 at 21:54
  • I just tried to launch `pkexec --user [myuser] notify-send "hello"` from tty, after doing `export DISPLAY=":0"` Executing this as root, the notification has been showed. So, pkexec can shows the notification from another user But, in my script not – AlmuHS Feb 25 '18 at 22:09
  • I just test to remove my action polkit file, and notification isn't showed, so my action file is correct @mviereck – AlmuHS Feb 25 '18 at 22:12
  • I created a new test user, not root, and repeat the command `pkexec --user almu notify-send "hola"` successfully – AlmuHS Feb 25 '18 at 22:39
  • @mviereck read this – AlmuHS Feb 25 '18 at 22:43

1 Answers1

0

After doing a few test, I got this results:

  • polkitd is a nologin user

  • If I execute this command, to execute my script with polkitd user, shows an error:

    sudo su polkitd -s /bin/bash -c aux_scripts/send_notify.sh almu

    Error executing command as another user: Not authorized

    This incident has been reported.

So, I think that polkitd user is a limited account, who it can't execute commands as other user

As a conclusion, I determine that this action isn't possible to do without modify system internal. I can't allow this in my application, so I can't launch commands as another user from polkit

AlmuHS
  • 169
  • 8