On an Oracle Linux 8 installation, I am trying to implement a desktop launcher for the GNOME shell where the (graphical) program is to be run as a different (non-root) user. However, I want to enforce password authentication as the target user, i.e. a behavior similar to gksu in -w mode.
The idea is to provide a convenient way for an authorized operator to access the function thanks to knowledge of the target user's password, without unauthorized operators being able to use the program launched.(1)
I am aware that pkexec is currently the recommended way of launching programs as a different user. Another alternative, beesu, doesn't seem to be available for Oracle Linux 8.
However, when requiring password-based authentication, PolKit only allows to either
- authenticate with the password of the calling user (using auth_self), or
- authenticate with the password of an admin user (using auth_admin).
I did not find an option to require the password of the target user, as specified in the
pkexec --user targetuser /usr/bin/graphical_program
command.
What I tried
My approach was trying to define the targetuser as administrative user for this individual use case. I do not want to globally add the targetuser to the list of administrators via the AdminIdentities setting in the [Configuration] section of the PolKit local authority.
So,
- I defined an action in /usr/share/polkit-1/actions/ that matches calls of the program via pkexec by setting

      <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/graphical_program</annotate>

  and requiring admin user authentication via

      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>auth_admin</allow_active>
      </defaults>

- I defined an AdminRule in /usr/share/polkit-1/rules.d/, stating

      polkit.addAdminRule(function(action, subject) {
          if (action.id == "org.my.rule.for.graphical_program") {
              return ["unix-user:targetuser"];
          }
      });

  This should return the targetuser as admin user, (only) when the org.my.rule.for.graphical_program is asking which user actually is an admin user.
Now, when running pkexec --user targetuser /usr/bin/graphical_program I can see that the action is correctly matched (the displayed message is exactly what I set in the <message> ... </message> node of the action file), but the AdminRule doesn't seem to take effect - the password dialog still requires the root password - although the system journal states that the rule was (at least) correctly loaded and compiled, so it shouldn't be a syntax problem.
Does anyone know how (if at all) to get this kind of setting to work using PolKit, or what alternative graphical authentication mechanism is available on Oracle Linux 8 (or similar RHEL 8 derivatives)?
(1) Note that in this setting, operators can't use individual user accounts, but use generic local user accounts with different privilege levels. Whoever needs the privilege is provided with the password to that specific user account. This is a design decision outside of my control.