authorDavid Zeuthen <zeuthen@gmail.com>2012-07-11 12:58:06 -0400
committerDavid Zeuthen <zeuthen@gmail.com>2012-07-11 13:09:50 -0400
commit963692acad3cd4e6e431162d203c61f369b14620 (patch)
tree097a3a07af460fa28e304c3331c67267bf9bc7c5
parent50dcb370edc365114fa6640770ebc253d39570ab (diff)
downloadpolkit-963692acad3cd4e6e431162d203c61f369b14620.tar.gz
pkexec: add support for argv1 annotation and mention shebang-wrappers
Signed-off-by: David Zeuthen <zeuthen@gmail.com>
-rw-r--r--docs/man/pkexec.xml41
-rw-r--r--src/programs/pkexec.c16
2 files changed, 55 insertions, 2 deletions
diff --git a/docs/man/pkexec.xml b/docs/man/pkexec.xml
index a8868b2..fffcea4 100644
--- a/docs/man/pkexec.xml
+++ b/docs/man/pkexec.xml
@@ -134,7 +134,9 @@
annotation on an action with the value set to the full path of
the program. In addition to specifying the program, the
authentication message, description, icon and defaults can be
- specified.
+ specified. If the <emphasis>org.freedesktop.policykit.exec.argv1</emphasis>
+ annotation is present, the action will only be picked if the
+ first argument to the program matches the value of the annotation.
</para>
<para>
Note that authentication messages may reference variables (see
@@ -144,6 +146,43 @@
</para>
</refsect1>
+ <refsect1 id="pkexec-wrapper"><title>WRAPPER USAGE</title>
+ <para>
+ To avoid modifying existing software to prefix their
+ command-line invocations with <command>pkexec</command>,
+ it's possible to use <command>pkexec</command> in a
+ <ulink url="http://en.wikipedia.org/wiki/Shebang_(Unix)">she-bang wrapper</ulink>
+ like this:
+ </para>
+ <programlisting><![CDATA[
+#!/usr/bin/pkexec /usr/bin/python
+
+import os
+import sys
+
+print "Hello, I'm running as uid %d"%(os.getuid())
+
+for n in range(len(sys.argv)):
+ print "arg[%d]=`%s'"%(n, sys.argv[n])
+]]></programlisting>
+ <para>
+ If this script is installed into <filename>/usr/bin/my-pk-test</filename>,
+ then the following annotations
+ </para>
+ <programlisting><![CDATA[
+ [...]
+ <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/python</annotate>
+ <annotate key="org.freedesktop.policykit.exec.argv1">/usr/bin/my-pk-test</annotate>
+ [...]
+]]></programlisting>
+ <para>
+ can be used to select the appropriate polkit action. Be careful
+ to get the latter annotation right, otherwise it will match any
+ <command>pkexec</command> invocation of
+ <filename>/usr/bin/python</filename> scripts.
+ </para>
+ </refsect1>
+
<refsect1 id="pkexec-variables"><title>VARIABLES</title>
<para>
The following variables are set by
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index d87825c..840eb3c 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -230,6 +230,7 @@ fdwalk (FdCallback callback,
static gchar *
find_action_for_path (PolkitAuthority *authority,
const gchar *path,
+ const gchar *argv1,
gboolean *allow_gui)
{
GList *l;
@@ -255,6 +256,7 @@ find_action_for_path (PolkitAuthority *authority,
for (l = actions; l != NULL; l = l->next)
{
PolkitActionDescription *action_desc = POLKIT_ACTION_DESCRIPTION (l->data);
+ const gchar *argv1_for_action;
const gchar *path_for_action;
const gchar *allow_gui_annotation;
@@ -262,8 +264,17 @@ find_action_for_path (PolkitAuthority *authority,
if (path_for_action == NULL)
continue;
+ argv1_for_action = polkit_action_description_get_annotation (action_desc, "org.freedesktop.policykit.exec.argv1");
+
if (g_strcmp0 (path_for_action, path) == 0)
{
+ /* check against org.freedesktop.policykit.exec.argv1 but only if set */
+ if (argv1_for_action != NULL)
+ {
+ if (g_strcmp0 (argv1, argv1_for_action) != 0)
+ continue;
+ }
+
action_id = g_strdup (polkit_action_description_get_action_id (action_desc));
allow_gui_annotation = polkit_action_description_get_annotation (action_desc, "org.freedesktop.policykit.exec.allow_gui");
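Review bot: The new argv1 check is a byte-for-byte `g_strcmp0` on the caller-supplied string, and an action for the same path with no `org.freedesktop.policykit.exec.argv1` annotation still matches every invocation, so which action wins when both kinds exist depends on the order of `actions`, which this hunk does not define. If the loop stops at the first match (the end of the loop body is outside the hunk), a broad interpreter-wide action listed earlier would shadow the script-specific one. Preferring an action whose argv1 matches over an unannotated one would make the selection deterministic. At minimum the comment should state the contract, e.g. `/* exact string match on caller-supplied argv[1]; no canonicalisation, so relative or symlinked spellings do not select this action */`. Policy authors should also be told that the annotation names a path string, not a verified file, so it should only point at locations unprivileged users cannot write.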
@@ -664,7 +675,10 @@ main (int argc, char *argv[])
goto out;
}
- action_id = find_action_for_path (authority, path, &allow_gui);
+ action_id = find_action_for_path (authority,
+ path,
+ exec_argv[1],
+ &allow_gui);
g_assert (action_id != NULL);
details = polkit_details_new ();
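Review bot: `exec_argv[1]` is read unconditionally at this call, which is only safe if `exec_argv[0]` is non-NULL and the vector is NULL-terminated; both are established outside this hunk and should be confirmed before this index is relied on. When the program is run without arguments the value is NULL, which `g_strcmp0` in `find_action_for_path` treats as a non-match against any annotation; a comment such as `/* exec_argv[1] may be NULL (no arguments); find_action_for_path() handles that */` would record it. The `g_assert (action_id != NULL)` that follows also depends on a fallback still producing an id when every annotated action is skipped by the new `continue`, and that fallback is not visible here.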