HOWTO: Xfce - Replace GKSU with PolicyKit

Share your own howto's etc. Not for support questions!

HOWTO: Xfce - Replace GKSU with PolicyKit

Postby devils_debian » 2011-12-10 11:45

Hello.
Another aggregation of super internet wide tips for your enjoyment. This time, exclusive
use of policykit for admin user rights with GUI applications.

Open mousepad (as root) and create the following text below, as file:- /usr/share/polkit-1/actions/org.freedesktop.policykit.pkexec.policy


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

<action id="org.freedesktop.policykit.pkexec.run-synaptic">
<description>Run Synaptic</description>
<message>Authentication is required to run Synaptic as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/synaptic</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>


<action id="org.freedesktop.policykit.pkexec.run-thunar">
<description>Run Thunar</description>
<message>Authentication is required to run Thunar as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/thunar</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-mousepad">
<description>Run Mousepad</description>
<message>Authentication is required to run Mousepad as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/mousepad</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-xfce4-taskmanager">
<description>Run Xfce4 Task Manager</description>
<message>Authentication is required to run Xfce4 Task Manager as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/xfce4-taskmanager</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-gparted">
<description>Run Gparted</description>
<message>Authentication is required to run Gparted as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/gparted</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-bleachbit">
<description>Run BleachBit</description>
<message>Authentication is required to run BleachBit as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/bleachbit</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-dbus-launch">
<description>Run Dbus Launch</description>
<message>Authentication is required to run Dbus-launch as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/dbus-launch</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-remsu">
<description>Run REMSU</description>
<message>Authentication is required to run REMSU as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/remsu</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-remastersys">
<description>Run Remastersys</description>
<message>Authentication is required to run Remastersys as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/remastersys</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-remastersys-gui">
<description>Run Remastersys-GUI</description>
<message>Authentication is required to run Remastersys-Backup as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/remastersys-gui</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-remastersys-installer">
<description>Run Remastersys-Installer-GUI</description>
<message>Authentication is required to run Remastersys-Installer-GUI as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/remastersys-installer</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>


<action id="org.freedesktop.policykit.pkexec.run-remastersys-usb-key-copy-tool">
<description>Run Remastersys-USB-Key-Copy-Tool</description>
<message>Authentication is required to run Remastersys-USB-Key-Copy-Tool as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/remastersys-usb-key-copy-tool</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-remastersys-grub-restore">
<description>Run Remastersys-GRUB-Restore</description>
<message>Authentication is required to run Remastersys-GRUB-Restore as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/remastersys-grub-restore</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

<action id="org.freedesktop.policykit.pkexec.run-remastersys-grubconfig">
<description>Run Remastersys-GRUB-Config</description>
<message>Authentication is required to run Remastersys-GRUB-Config as Root</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/remastersys-grubconfig</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>

</policyconfig>

#########################################

The above file allows policykit authentication for:-
BleachBit, Gparted, Mousepad, Remastersys, Thunar, Task Manager, Synaptic (add more as required).
to run authentication as root, simply open a terminal or create launcher:- pkexec <path to><application>

Thunar Custom Actions:-
*Open Thunar As Root*
Select Edit --> Configure custom actions --> + (Add new custom action)
Name: Open Thunar As Root
Description: Open current directory as root super user
Command: pkexec dbus-launch /usr/bin/thunar %f
Tickbox: 'Use Startup Notification'
Appearance Conditions:-
File Pattern: *
Tickbox: Directories

*Open Mousepad As Root*
Select Edit --> Configure custom actions --> + (Add new custom action)
Name: Open Mousepad As Root
Description: Edit text files as root super user
Command: pkexec dbus-launch /usr/bin/mousepad %f
Appearance Conditions:-
File Pattern: *
Tickbox: Text Files, Other Files

Have fun.
devils_debian
 
Posts: 30
Joined: 2011-10-15 17:30

Re: HOWTO: Xfce - Replace GKSU with PolicyKit

Postby nopposan » 2012-02-01 17:06

Greetings.

Please tell me if I might benefit from using policykit. I have been using gksudo to call synaptic because my default user account is set up as sudoer and I don't wish to enable root logins. If I use policykit, for example, would the end user receive an error message if he/she types their password incorrectly? The way the system is configured now, Synaptic just doesn't start if an incorrect password is typed for sudo, and the dialogue window asking for the password just closes automatically. This might be slightly inconvenient for an end user who thinks they've typed their password correctly and may not know that the application isn't beginning to load -- they might wait several minutes before giving up and retrying.

Thanks.
Don't Panic!
User avatar
nopposan
 
Posts: 351
Joined: 2007-01-14 22:48

Re: HOWTO: Xfce - Replace GKSU with PolicyKit

Postby devils_debian » 2012-02-03 19:42

Yes. The dialog box will 'shake' a little, indicating a failure. This is instantly complemented with a "Authentication Failure'" message directly below password entry box within the dialog box.

W.r.t. gksu vs. policykit, policykit is promoted as the intended replacement long term, though some applications might require gksu as a dependency.

My motivation for the above 'how to' was for a uniform approach to authentication.
devils_debian
 
Posts: 30
Joined: 2011-10-15 17:30

Re: HOWTO: Xfce - Replace GKSU with PolicyKit

Postby MechanicalCat » 2013-07-12 00:39

Dear Devil,

I had no idea of the mess I was creating by simply doing an install of Wheezy without a root account. I just assumed that if I was being given the option to setup Debian this way that it was ok to do so??? Silly me?

Actually this messed me up three times. I am creating three Debian system setups out of 6, to create remasters out of.

Gnome 3 has me doing a lot of extra work attempting to create as nice a desktop as I had with Gnome 2.

I am making Debian-Mate only, a Debian-Cinnamon only and Debian-Xfce only, custom setups to, hopefully, remaster.
I am also currently creating Mint13-Mate only, Ubuntu-Mate only and Xubuntu, custom setups to hopefully remaster.

Gnome 3 stuff is messing with the Mate desktops, and upgrades to Mate 1.6 destroyed all my custom setups, and my already created remasters are now useless; as soon as they are installed and then upgraded, they too loose there custom desktop. Grrrrrrr!

Anyway, I am having issues with Debian setups with no root account. Some software asks for the root password, which doesn't exist.

Finally I found your post and have some idea what to do. At first I followed your instructions, but found there was more to the story, and then had to undo your instructions to have a better look. Clearly there are some things missing from your instructions, although they are the best I have found. I think you will be able to make more sense of my setup questions than anyone else...I hope.

I set aside Debian-Mate for now. Haven't got a single remaster to go according to plan as yet. Same with Mint-Mate and Ubuntu-Mate.

Both Debian-Cinnamon and Debian-Xfce setups, had similar difficulties with software asking for the non existent root password.

Some applications merely needed gksudo added in the Menu command lines and I am now asked for my user password, as I foolishly expected would be setup when I installed them. I managed to fix most of them using gksudo.

Dealing with Wheezy-Xfce for the moment as it seems to have the best chance of recreating my custom style desktop. Probably would be done already if not for doing a user only installation; not sure why I did that just now??? I guess I thought that would be simpler. Hmmmmm.

Anyway, while following your instructions I noticed that there were already some xml files in /usr/share/polkit-1/actions

Specifically there are entries there already for Synaptic and GParted along with 14 more entries.
Here is the entry for Synaptic:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

<action id="com.ubuntu.pkexec.synaptic">
<message>Authentication is required to run the Synaptic Package Manager</message>
<message xml:lang="ru">Для запуска менеджера пакетов Synaptic требуется аутентификация</message>
<icon_name>synaptic</icon_name>
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>auth_admin</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/synaptic</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
</action>

</policyconfig>

Your instructions also include an entry for Synaptic, and I was not being asked for a root password to run it; just my user password. Seeing as how it wasn't broken, I undid your suggested changes to get better informed.

I installed lxmed "Main Menu Editor", so I could fix up all the applications, that did ask for a root password. In fact lxmed also asked for a root password; so I had to start lxmed with a terminal- gksudo lxmed, and then I added gksudo to the command line within lxmed - (Main Menu Editor); now that lxmed was running.

Now that I had a working Menu Editor, that was for some unknown to me reason, not included in Xfce, I was able to fix GUFW and Gdebi so that I only needed my user password. Your instructions also worked to start GUFW and Gdebi by putting- gksudo pkexec in front of the start up commands, within the Menu Editor(lxmed).

I got scared though when I noticed that the startup commands were not all the same. Synaptic and GParted use synaptic-pkexec and gparted-pkexec, and these command lines remain, after undoing your instructions, and both apps work as they did when installed; user password for administrative type job. I have to assume that the reason that they worked is due to there preexisting entries into the /usr/share/polkit-1/actions folder.

Long story, I know, but I like to be clear. This is what has me stumped and stopped my next attempt to remaster a beautiful Debian-Xfce setup IMHO:

I noticed that in your instructions, at the beginning of this forum thread, there is a section for <action id="org.freedesktop.policykit.pkexec.run-remsu">

remsu???

And you also added an entry to run remastersys!

I also noticed that Remastersys Backup had the startup command- remsu /usr/bin/remastersys-gui

I wasn't having any luck with gksudo remsu or sudo remsu or pkexec remsu or gksudo pkexec remsu or /usr/bin/remastersys-gui-pkexec???? After using your instructions.

I could, however, remove the remsu and simply change the menu line to: gksudo /usr/bin/remastersys-gui and Remastersys started, apparently fine, with my user password.


Now to my questions- that took awhile, what?

Is it ok to remove the remsu from:
remsu /usr/bin/remastersys-gui
and
remsu /usr/bin/remastersys-grub-restore gui
and
remsu /usr/bin/remastersys-usb-key-copy-tool

and replace it with gksudo? And! Will remastersys be able to do its' job with these changes to the startup commands? Or is there a better, or necessary, way to do this with PolicyKit?
MechanicalCat
 
Posts: 1
Joined: 2013-07-11 12:40


Return to Docs, Howtos, Tips & Tricks

Who is online

Users browsing this forum: No registered users and 3 guests

fashionable