hi,
For those who need it : my little hack in pkexec
Many X applications require root privileges, but at the same time want to keep the original $USER env variable.
This option (see attached patch), while preserving the sanitized environment and still honoring the org.freedesktop.policykit.exec.allow_gui annotate key, allows the user to preserve the $USER environment variable.
I believe, this option is both safe, clean, and a must have for pkexec.
JP
Code:
diff -rNaud polkit-0.105/src/programs/pkexec.c polkit-0.105-new/src/programs/pkexec.c
--- polkit-0.105/src/programs/pkexec.c 2012-04-24 18:05:34.000000000 +0200
+++ polkit-0.105-new/src/programs/pkexec.c 2016-02-27 13:15:21.683832135 +0100
@@ -76,6 +76,7 @@
" --help |\n"
" --disable-internal-agent |\n"
" [--user username] PROGRAM [ARGUMENTS...]\n"
+ " [--keep-user-env] PROGRAM [ARGUMENTS...]\n"
"\n"
"See the pkexec manual page for more details.\n");
}
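Review bot: The added usage line reads as a second, separate invocation form, although the parser in the later hunk accepts the flag alongside `--user`. Folding it into the existing line would match what the code does: `" [--user username] [--keep-user-env] PROGRAM [ARGUMENTS...]\n"`. The usage text points to the manual page, and this patch touches only pkexec.c, so the page presumably needs the same addition, including a sentence on who controls the value that ends up in `USER`.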
@@ -391,6 +392,7 @@
gboolean opt_show_help;
gboolean opt_show_version;
gboolean opt_disable_internal_agent;
+ gboolean opt_keep_user_env;
PolkitAuthority *authority;
PolkitAuthorizationResult *result;
PolkitSubject *subject;
@@ -417,6 +419,8 @@
"LC_ALL",
"TERM",
"COLORTERM",
+ /* option to keep $USER env Jean-Philippe Guillemin <h1p8r10n@gmail.com> */
+ "USER",
/* By default we don't allow running X11 apps, as it does not work in the
* general case. See
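Review bot: Adding `"USER"` to this save list is unconditional, so the caller's `$USER` is carried over whether or not `--keep-user-env` was given. Without the flag the result is presumably only correct because the last hunk appends a second `USER` entry that wins when the array is applied. The comment `option to keep $USER env` therefore describes the list entry wrongly; I would drop the entry and let the conditional block in the last hunk be the only place that decides the value of `USER`. If the entry stays, the comment should say it is overridden later unless the flag is set. The array's declaration starts outside the hunk.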
@@ -478,6 +482,7 @@
opt_show_help = FALSE;
opt_show_version = FALSE;
opt_disable_internal_agent = FALSE;
+ opt_keep_user_env = FALSE;
for (n = 1; n < (guint) argc; n++)
{
if (strcmp (argv[n], "--help") == 0)
@@ -503,6 +508,11 @@
{
opt_disable_internal_agent = TRUE;
}
+ /* option to keep $USER env Jean-Philippe Guillemin <h1p8r10n@gmail.com> */
+ else if (strcmp (argv[n], "--keep-user-env") == 0)
+ {
+ opt_keep_user_env = TRUE;
+ }
else
{
break;
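Review bot: The new branch sets `opt_keep_user_env` from argv with no other condition visible in this hunk, so any caller allowed to run the action can turn it on. That differs from the GUI variables, which the description says stay behind the `org.freedesktop.policykit.exec.allow_gui` annotation. If a privileged program's view of `USER` matters to policy, the flag should be gated the same way, by an annotation on the action. The name also promises more than it does, since only one variable is kept; something like `--keep-user` or `--preserve-user-name` would be less likely to be read as "keep the user's environment". The parsing loop continues outside the hunk.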
@@ -783,13 +793,19 @@
else
s = g_strdup_printf ("/usr/sbin:/usr/bin:/sbin:/bin:%s/bin", pw->pw_dir);
g_ptr_array_add (saved_env, s);
- g_ptr_array_add (saved_env, g_strdup ("LOGNAME"));
- g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
- g_ptr_array_add (saved_env, g_strdup ("USER"));
- g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
+
+ /* option to keep $USER env Jean-Philippe Guillemin <h1p8r10n@gmail.com> */
+ if (opt_keep_user_env == FALSE)
+ {
+ g_ptr_array_add (saved_env, g_strdup ("USER"));
+ g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
+
+ }
g_ptr_array_add (saved_env, g_strdup ("HOME"));
g_ptr_array_add (saved_env, g_strdup (pw->pw_dir));
-
+ g_ptr_array_add (saved_env, g_strdup ("LOGNAME"));
+ g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
+
s = g_strdup_printf ("%d", getuid ());
g_ptr_array_add (saved_env, g_strdup ("PKEXEC_UID"));
g_ptr_array_add (saved_env, s);
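Review bot: With `--keep-user-env` set, the block at `if (opt_keep_user_env == FALSE)` adds nothing, so `USER` ends up as whatever string the unprivileged caller exported, or is absent if the caller unset it, while `LOGNAME` still names the target user. A program running as root that treats `$USER` as an identity then acts on an unverified value. Taking the name from the real uid, the same source already used for `PKEXEC_UID`, keeps the feature without trusting the environment. The lookup below uses `getpwuid`, so confirm it cannot clobber the storage behind `pw`, which is filled outside the hunk.

```c
  /* --keep-user-env: report the invoking user, looked up from the real uid
   * rather than read from the caller-controlled environment */
  if (opt_keep_user_env)
    {
      struct passwd *caller_pw = getpwuid (getuid ());
      if (caller_pw == NULL)
        {
          /* … fail here the way the other lookup errors in this function do … */
        }
      g_ptr_array_add (saved_env, g_strdup ("USER"));
      g_ptr_array_add (saved_env, g_strdup (caller_pw->pw_name));
    }
  else
    {
      g_ptr_array_add (saved_env, g_strdup ("USER"));
      g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
    }
  /* … unchanged: HOME, LOGNAME and PKEXEC_UID entries … */
```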