Commit 963692ac authored by David Zeuthen's avatar David Zeuthen
Browse files

pkexec: add support for argv1 annotation and mention shebang-wrappers

Signed-off-by: David Zeuthen's avatarDavid Zeuthen <>
parent 50dcb370
......@@ -134,7 +134,9 @@
annotation on an action with the value set to the full path of
the program. In addition to specifying the program, the
authentication message, description, icon and defaults can be
specified. If the <emphasis>org.freedesktop.policykit.exec.argv1</emphasis>
annotation is present, the action will only be picked if the
first argument to the program matches the value of the annotation.
Note that authentication messages may reference variables (see
......@@ -144,6 +146,43 @@
<refsect1 id="pkexec-wrapper"><title>WRAPPER USAGE</title>
To avoid modifying existing software to prefix their
command-line invocations with <command>pkexec</command>,
it's possible to use <command>pkexec</command> in a
<ulink url="">she-bang wrapper</ulink>
like this:
#!/usr/bin/pkexec /usr/bin/python
import os
import sys
print "Hello, I'm running as uid %d"%(os.getuid())
for n in range(len(sys.argv)):
print "arg[%d]=`%s'"%(n, sys.argv[n])
If this script is installed into <filename>/usr/bin/my-pk-test</filename>,
then the following annotations
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/python</annotate>
<annotate key="org.freedesktop.policykit.exec.argv1">/usr/bin/my-pk-test</annotate>
can be used to select the appropriate polkit action. Be careful
to get the latter annotation right, otherwise it will match any
<command>pkexec</command> invocation of
<filename>/usr/bin/python</filename> scripts.
<refsect1 id="pkexec-variables"><title>VARIABLES</title>
The following variables are set by
......@@ -230,6 +230,7 @@ fdwalk (FdCallback callback,
static gchar *
find_action_for_path (PolkitAuthority *authority,
const gchar *path,
const gchar *argv1,
gboolean *allow_gui)
GList *l;
......@@ -255,6 +256,7 @@ find_action_for_path (PolkitAuthority *authority,
for (l = actions; l != NULL; l = l->next)
PolkitActionDescription *action_desc = POLKIT_ACTION_DESCRIPTION (l->data);
const gchar *argv1_for_action;
const gchar *path_for_action;
const gchar *allow_gui_annotation;
......@@ -262,8 +264,17 @@ find_action_for_path (PolkitAuthority *authority,
if (path_for_action == NULL)
argv1_for_action = polkit_action_description_get_annotation (action_desc, "org.freedesktop.policykit.exec.argv1");
if (g_strcmp0 (path_for_action, path) == 0)
/* check against org.freedesktop.policykit.exec.argv1 but only if set */
if (argv1_for_action != NULL)
if (g_strcmp0 (argv1, argv1_for_action) != 0)
action_id = g_strdup (polkit_action_description_get_action_id (action_desc));
allow_gui_annotation = polkit_action_description_get_annotation (action_desc, "org.freedesktop.policykit.exec.allow_gui");
......@@ -664,7 +675,10 @@ main (int argc, char *argv[])
goto out;
action_id = find_action_for_path (authority, path, &allow_gui);
action_id = find_action_for_path (authority,
g_assert (action_id != NULL);
details = polkit_details_new ();
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment