Good afternoon,
Background:
I am creating an OpenVPN shell application for Linux systems that is almost complete. I ran into a little grip.
OpenVPN requires root access to modify routing tables (add and remove routes). Here everything becomes a little vague and confusing.
Let's hope that by expanding this question, some industry answers and solutions can be shared.
Documentation:
So, after several hours of searching, I made a list of possible methods for obtaining root access. However, none of them is official or contains any real, reliable recommendations for obtaining this SU privilege.
Consider the following methods.
1. Using pkexec and polkits
, freedesktop
, pkexec polkits
- , polkit.
- SO Thread
- Qt
( ) pkexec
polkits
:
polkits (. ). . , , , , ( ),
, polkit root.
/usr/share/polkit-1/actions/
/usr/share/polkit-1/rules.d/
( . )
, -, ( , , imo)
. qt-polkit
, , . github
TL; DR . this
polkit ( , , ):
, / ( )
/usr/share/polkit-1/actions
: com.myappname.something.policy// .policy
:
com.myappname.something
( , )
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>
  <vendor>My App Name</vendor>
  <vendor_url>http://myappurl.com/</vendor_url>
  <action id="com.myappname.something.myaction-name">
    <description>Run the polkit for My App which requires it for X usage</description>
    <message>My App requires access to X, which requires root authentication, please let me have su access</message>
    <icon_name>myappname</icon_name>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
      <allow_inactive>auth_admin_keep</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/myappname</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
( )
- , . :
<vendor>My App Name</vendor>
- ,<action id="com.myappname.something.myaction-name">
.
!
→ com.myappname.something.policy
,
action id
→ com.myappname.something.myaction-name
freedesktop,
TL; DR ( ):
:
1. /home/yourusername/.icons (sometimes not there)
2. /home/yourusername/.local/share/icons
3. /usr/share/icons
.png
, ( )
pkexec <myappname>
( , ), , :
2017-12-19 12::58:24 Fatal: QXcbConnection: Could not connect to display ((null):0, (null))
Aborted (core dumped)
. key
, , , exec.path
.
?
, , ( ), .
:
pkexec <myappname>
( ) root.
actions
( , ). , action id
.., .
, (. ), :
auth_admin_keep
auth_admin, (, ).
, ( OpenVPN) OpenVPN 5 , .
2. Sudo
(/etc/sudoers):
, , root-, , :
. root , singleShot QProcess
:
/bin/sh -c sudo -v
1
Linux ( )
3. ():
, , Linux , , .
, :
chmod +x <executable>
, s
getuid()
, getgid()
, .
Linux, :
<sys/types.h>
<unistd.h>
, , Linux. s
, () :
2017-12-19 12::21:08 Fatal: FATAL: The application binary appears to be running setuid, this is a security hole. ((null):0, (null))
Aborted (core dumped)
, setuid()
4. :
, .
- /
A QT PAM
QT usermode
Qt , Linux- yum
.
, . QT Forum
:
, , , , .
, , , .
:
, (PAM vs polkits vs simple sudo), , ?