如何使用 pkexec 以 root 身份运行 GUI 应用程序？

Question

我正在使用Gnome3 Flashback桌面环境附带的Trisquel GNU/Linux-Libre 。

我知道我可以通过sudo&以 root 身份运行 GUI 应用程序，gksudo但我想知道如何在 的帮助下以 root 身份运行 GUI 应用程序pkexec？

当我尝试运行gedit（或像任何其他应用程序：nautilus）由pkexec gedit然后，它会提示输入密码进行验证： -

输入密码后，它退出并出现错误：-

$ pkexec gedit
error: XDG_RUNTIME_DIR not set in the environment.

(gedit:6135): Gtk-WARNING **: cannot open display:

---

所以，似乎显示环境出了问题。

我也试过，DISPLAY=:0 pkexec gedit但不起作用。

---

以下信息可从man pkexec：-

PROGRAM 将运行它的环境将设置为最小的已知和安全环境，以避免通过 LD_LIBRARY_PATH 或类似机制注入代码。此外，PKEXEC_UID 环境变量设置为调用 pkexec 的进程的用户 ID。因此，pkexec 将不允许您以其他用户身份运行 X11 应用程序，因为 $DISPLAY 和 $XAUTHORITY 环境变量未设置。如果操作上的 org.freedesktop.policykit.exec.allow_gui 注释设置为非空值，则将保留这两个变量；但是，这是不鼓励的，并且应该仅用于遗留程序。

现在我不知道该怎么做才能做到这一点。

因此，请帮助我了解如何通过pkexec. 或者这可能吗？

---

顺便说一句，受到gparted-pkexec运行良好的命令的启发。怎么gparted用pkexec？

Answer 1

可以通过向 policykit 添加自定义操作来完成。如果要以 root 身份运行 gedit，pkexec则必须创建新文件/usr/share/polkit-1/actions/org.freedesktop.policykit.gedit.policy，例如：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
    <action id="org.freedesktop.policykit.pkexec.gedit">
    <description>Run gedit program</description>
    <message>Authentication is required to run the gedit</message>
    <icon_name>accessories-text-editor</icon_name>
    <defaults>
        <allow_any>auth_admin</allow_any>
        <allow_inactive>auth_admin</allow_inactive>
        <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gedit</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
</policyconfig>

最后pkexec gedit应该按预期工作。

访问手册页或参考手册，其中解释了它的示例，例如：-

$ man pkexec | grep -i ^Example -A 60
EXAMPLE
       To specify what kind of authorization is needed to execute the program /usr/bin/pk-example-frobnicate as
       another user, simply write an action definition file like this

           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE policyconfig PUBLIC
            "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
            "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
           <policyconfig>

             <vendor>Examples for the PolicyKit Project</vendor>
             <vendor_url>http://hal.freedesktop.org/docs/PolicyKit/</vendor_url>

             <action id="org.freedesktop.policykit.example.pkexec.run-frobnicate">
               <description>Run the PolicyKit example program Frobnicate</description>
               <description xml:lang="da">Kør PolicyKit eksemplet Frobnicate</description>
               <message>Authentication is required to run the PolicyKit example program Frobnicate (user=$(user), program=$(program), command_line=$(command_line))</message>
               <message xml:lang="da">Autorisering er påkrævet for at afvikle PolicyKit eksemplet Frobnicate (user=$(user), program=$(program), command_line=$(command_line))</message>
               <icon_name>audio-x-generic</icon_name>
               <defaults>
                 <allow_any>no</allow_any>
                 <allow_inactive>no</allow_inactive>
                 <allow_active>auth_self_keep</allow_active>
               </defaults>
               <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/pk-example-frobnicate</annotate>
             </action>

           </policyconfig>

       and drop it in the /usr/share/polkit-1/actions directory under a suitable name (e.g. matching the namespace of
       the action). Note that in addition to specifying the program, the authentication message, description, icon
       and defaults can be specified. Note that occurences of the strings $(user), $(program) and $(command_line) in
       the message will be replaced with respectively the user (of the form "Real Name (username)" or just "username"
       if there is no real name for the username), the binary to execute (a fully-qualified path, e.g.
       "/usr/bin/pk-example-frobnicate") and the command-line, e.g. "pk-example-frobnicate foo bar". For example, for
       the action defined above, the following authentication dialog will be shown:

           [IMAGE][2]

               +----------------------------------------------------------+
               |                     Authenticate                     [X] |
               +----------------------------------------------------------+
               |                                                          |
               |  [Icon]  Authentication is required to run the PolicyKit |
               |          example program Frobnicate                      |
               |                                                          |
               |          An application is attempting to perform an      |
               |          action that requires privileges. Authentication |
               |          is required to perform this action.             |
               |                                                          |
               |          Password: [__________________________________]  |
               |                                                          |
               | [V] Details:                                             |
               |  Command: /usr/bin/pk-example-frobnicate                 |
               |  Run As:  Super User (root)                              |
               |  Action:  org.fd.pk.example.pkexec.run-frobnicate        |
               |  Vendor:  Examples for the PolicyKit Project             |
               |                                                          |
               |                                  [Cancel] [Authenticate] |
               +----------------------------------------------------------+

Answer 2

对于我来说，使用Ubuntu，以root身份运行hardinfo，

pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY hardinfo

效果很好。这个技巧来自nany（法国Ubuntu论坛）。