Replace GKSu with consolehelper

Gksu is a "library that provides a Gtk+ frontend to su and sudo". It is useful for running applications that require root permission from a menu item, or from any script that is run without a console, but it uses a different interface from the administration applications in Fedora and other distros. This article shows how to use consolehelper - the back-end that powers the Fedora administration login - so that custom scripts use the distro's standard root password request dialog.

Having previously used GKSu by installing Red Hat Enterprise Linux RPMs in Fedora, I have now replaced it with the method below for better integration.

The manual process

The PAM configuration for the script was borrowed from Fedora's Smart package manager application, as it provided a suitable dialog box and gave root access as required. Smart is also a separate application, unlike the configuration applications, which use their own PAM files containing data specific to those applications.

The solution

The solution comes in a few parts, which are combined into a single script at the end of the article for easy execution.

Firstly, a symbolic link to consolehelper is needed under the name of the executable you want to create. I have a /usr/local partition for my own scripts and executables, so I create it in there. This may require root access, depending on the permissions of the folder you create the symbolic link in.

ln -s /usr/bin/consolehelper /usr/local/bin/app-you-create

The following steps need root access, as they create files in system folders. Either su to your root account, use su -c, or use sudo if you have it configured in a suitable manner.

Next, you need to add the authentication in PAM. This is done by creating a file with a matching name in /etc/pam.d/ - in this example, app-you-create. Create the file /etc/pam.d/app-you-create using your favourite text editor and add the following:

#%PAM-1.0
auth sufficient
auth sufficient
auth include system-auth
session required
session optional
session optional
account required

If the user is not root, this configuration will prompt them for root's password using the system authentication dialog (the one the administration applications use).

Finally, you need to tell consolehelper what application to run and which user to run it as. This is done by creating a file with a matching name in /etc/security/console.apps/ - in this example, app-you-create. Create the file /etc/security/console.apps/app-you-create using your favourite text editor and add the following:

USER=root
PROGRAM=/path/to/program/to/run
SESSION=true

With all of this done you now have an application that is wrapped with a root password prompt.
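A defender's check of the three pieces just described, as an added example that is not part of the original article: it verifies that the command is a symlink to consolehelper, that every PAM rule carries a module name, and that the PROGRAM run as root cannot be replaced by other users. The names audit_wrapper and loosely_writable and the ROOT path prefix are assumptions of this example, and `stat -c` assumes GNU coreutils.

```bash
#!/bin/bash
# Added example: audit one consolehelper wrapper (symlink + PAM file + console.apps file).
# audit_wrapper ROOT NAME [BINDIR]; ROOT is a path prefix ("" on a live system), an
# assumption of this example so that a staging tree can be checked.

# True when the path is writable by group or others, or cannot be inspected.
loosely_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 0
    [ $(( 0$mode & 022 )) -ne 0 ]
}

audit_wrapper() {
    root=$1 name=$2 bindir=${3:-/usr/local/bin}
    link=$root$bindir/$name
    pam=$root/etc/pam.d/$name
    apps=$root/etc/security/console.apps/$name
    findings=0
    report() { echo "$name: $1"; findings=$((findings + 1)); }

    # 1. The command itself must be a symlink to consolehelper.
    [ "$(readlink "$link" 2>/dev/null)" = /usr/bin/consolehelper ] ||
        report "$link is not a symlink to /usr/bin/consolehelper"

    # 2. Each PAM rule needs a type, a control flag and a module or include target.
    if [ -f "$pam" ]; then
        bad=$(awk '$0 !~ /^[ \t]*#/ && NF > 0 && NF < 3 { n++ } END { print n + 0 }' "$pam")
        [ "$bad" -eq 0 ] || report "$pam has $bad rule(s) with no module name"
        if loosely_writable "$pam"; then report "$pam is group/world-writable"; fi
    else
        report "$pam is missing"
    fi

    # 3. PROGRAM runs as root, so nobody else may be able to replace it.
    if [ -f "$apps" ]; then
        prog=$(sed -n 's/^PROGRAM=//p' "$apps" | head -n 1)
        case $prog in
            /*) if [ ! -x "$root$prog" ]; then report "PROGRAM $prog is not executable"
                elif loosely_writable "$root$prog"; then report "PROGRAM $prog is group/world-writable"
                elif loosely_writable "$(dirname "$root$prog")"; then
                    report "directory of $prog is group/world-writable"
                fi ;;
            *)  report "PROGRAM is not an absolute path: '$prog'" ;;
        esac
        if loosely_writable "$apps"; then report "$apps is group/world-writable"; fi
    else
        report "$apps is missing"
    fi
    [ "$findings" -eq 0 ]
}

# Run against the live system when called with a wrapper name.
if [ "$#" -ge 1 ]; then audit_wrapper "" "$@"; fi
```

The check looks only at permission bits, not at file ownership, so it can be run against a staging copy by an unprivileged user.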

The single script

The vast majority of the configuration above is common to any application. The parts that aren't common are still in a standard form. To ease the creation of links, I created the following script that combines all of the steps above.

#!/bin/bash
# su-wrap: wrap a program with a consolehelper root password prompt
if [ $# -ne 2 ]
then
    echo "Usage: $0 appname pathofapptowrap"
    exit 1
fi
# appname becomes a file name under /etc, so refuse anything but a plain name
case "$1" in
    ""|.*|*/*)
        echo "appname must be a plain file name"
        exit 1
        ;;
esac
CREATE_IN_FOLDER=/usr/local/bin/
if [ -e "$CREATE_IN_FOLDER$1" ]
then
    echo "$CREATE_IN_FOLDER$1 already exists"
    exit 2
fi
if [ ! -e "$2" ]
then
    echo "$2 does not exist"
    exit 3
fi
if [ ! -x "$2" ]
then
    echo "cannot su wrap a non-executable file"
    exit 4
fi
# Symlink the app to consolehelper
ln -s /usr/bin/consolehelper "$CREATE_IN_FOLDER$1"
# Configure the PAM part of consolehelper
printf '%s\n' "#%PAM-1.0" "auth sufficient" "auth sufficient" "auth include system-auth" "session required" "session optional" "session optional" "account required" > "/etc/pam.d/$1"
# Configure the "what to run" part of consolehelper
# (printf '%s' writes the path literally; echo -e would expand backslashes in it)
printf '%s\n' "USER=root" "PROGRAM=$2" "SESSION=true" > "/etc/security/console.apps/$1"

To use the script to create your own application links with root authentication, copy and paste the code into a text editor, save it in a bin directory (e.g. I use 'su-wrap' in /usr/local/bin/), make it executable and then run it from the command-line as follows:

su -c "su-wrap app-you-create /path/to/program/to/run"

Alternatively, if you want to have a GUI version then you can run the script once on itself and then future links can be created from the run dialog instead of the command-line. Note, though, that the output will still be on the command-line. To do this, run the following from the command-line:

su -c "su-wrap su-wrap-gui /path/to/su-wrap"

Once it completes, you can use su-wrap-gui to create the same application links but with a graphical password prompt.

Using su-wrap

The main use I have is to start Apache and MySQL. My desktop machine is sometimes, but not always, used for web development and so it is more efficient and secure to not start Apache and MySQL by default, but only when requested. I have a short script called "dostarthttpd" that starts the Apache and MySQL services, but it requires root privileges. Previously I had a "starthttpd" script that just ran "gksu dostarthttpd" to prompt for the root password, but now I have dostarthttpd wrapped and using a visually integrated dialog.