Using dbus and polkit to run a root-privilege Python service that calls a root script


I have written a python script that downloads deb files from launchpad, and then calls out to a shell script to use alien to convert the debs to rpms.

The shell script uses alien, and so it needs to be run as root.

The program uses a thread pool to download the deb files asynchronously, using threadpool.apply_async, and then uses a processing pool to call the shell script asynchronously, so the whole thing happens reasonably quickly.

It all works well, but the shell script that calls alien needs to be root otherwise packages don't get built properly. When I first finished the script, I would use pkexec to call alien, after using sudo. In both cases, I had a couple of problems.

The first was that in starting in root, I lost the environment of the user, and so lost the pip installed python libraries. I could, perhaps, have used sudo -s or similar, but the second problem was that I had to enter my root password for every package that was built.

What I want to do is run the python script, qt gui and all, as a normal user, select which files to convert, and then hit the install button and only enter my superuser password once.

I decided to filter out the install parts of the python, which include the threaded download, and threaded call to the shell script, and then try and run those parts as root/superuser.

I created a dbus service, for this install part, and, after a steep dbus learning curve, managed to get the service working. However, I had no joy getting the script authenticated, and raising its privileges.

I have been able to use polkit to show the password dialog and authorise the super user, but I do not know how to use the return value from polkit

`authority.CheckAuthorization(subject, action_id, details, flags, cancellation_id)`

which shows the password dialog, for authorisation, but does not handle elevating the script's privileges.

I have set the python install service as 0500 perms, so that hopefully, once I have figured out how to elevate privileges, the root user has the ability to read and execute the service, which is currently created on the session bus.

How can I elevate permissions, and, at the same time, keep the environment variables of the user, so that I don't have to install python modules into the root account?

Many thanks for your help in advance...

PS. I have written a polkit action file, and a polkit rule, but in each case I am not sure how the action id relates to the elevation of privileges.

PPS. Can I/should I use pam?

1 answer

miller the gorilla (best answer)

I eventually ran the process as root, using pkexec to obtain a password dialog.
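
An added example (not the poster's code) of the pkexec approach this answer describes: the Qt GUI and the downloads stay unprivileged, and one `pkexec` call runs this stdlib-only helper as root for the whole batch, so there is a single password prompt and root never needs the user's pip-installed modules. The helper's name, its argument layout and the `ALIEN` path are assumptions.

```python
#!/usr/bin/env python3
"""Root-side batch helper: one pkexec prompt, many .deb conversions."""
import os
import subprocess
import sys

ALIEN = "/usr/bin/alien"  # assumption: where alien is installed


def validate_debs(paths, allowed_dir):
    """Return canonical paths of regular .deb files inside allowed_dir."""
    base = os.path.realpath(allowed_dir)
    checked = []
    for p in paths:
        real = os.path.realpath(p)  # resolves symlinks and ".."
        if not real.endswith(".deb"):
            raise ValueError(f"not a .deb file: {p!r}")
        if os.path.commonpath([base, real]) != base:
            raise ValueError(f"outside {base}: {p!r}")
        if not os.path.isfile(real):
            raise ValueError(f"not a regular file: {p!r}")
        checked.append(real)
    return checked


def alien_argv(deb):
    """argv list (no shell); deb is absolute, so it cannot parse as an option."""
    return [ALIEN, "--to-rpm", deb]


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: pkexec helper DOWNLOAD_DIR FILE.deb [FILE.deb ...]")
    if os.geteuid() != 0:
        sys.exit("this helper must be started through pkexec")
    allowed_dir = os.path.realpath(argv[1])
    debs = validate_debs(argv[2:], allowed_dir)
    env = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}  # fixed, minimal environment
    for deb in debs:
        # rpms are written to the current directory, so build beside the debs
        subprocess.run(alien_argv(deb), cwd=allowed_dir, env=env, check=True)


if __name__ == "__main__":
    main(sys.argv)
```

From the GUI, a single call such as `subprocess.run(["pkexec", helper_path, download_dir, *deb_paths])` covers the whole batch. The helper file itself should be owned by root and not writable by the user, since whatever it contains runs as root.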