run0: implement -v/--validate to renew temporary auth

This is meant to mirror sudo's -v/--validate options, which autohrize
the user without running a command.

diff --git a/man/run0.xml b/man/run0.xml
index 1bc38470c500d20a6ab62d73b86e75e568753785..1887c145eaf1e775b43333e86c1d09f8938a8f42 100644 (file)
--- a/man/run0.xml
+++ b/man/run0.xml
@@ -187,6 +187,17 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>-v</option></term>
+        <term><option>--validate</option></term>
+
+        <listitem><para>Request authorization from polkit. Can be used to create a temporary authorization
+        without running a command.</para>
+
+        <xi:include href="version-info.xml" xpointer="v262"/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--via-shell</option></term>
 

diff --git a/shell-completion/bash/run0 b/shell-completion/bash/run0
index ab174492286eb7186d2393367b1ac5e3200cdea9..911633aaf8c16d5082e56484c827cfa7215d0e04 100644 (file)
--- a/shell-completion/bash/run0
+++ b/shell-completion/bash/run0
@@ -38,7 +38,7 @@ _run0() {
         --setenv --background
     )
     local OPTS="${opts_with_values[*]} -h --help -V --version --no-ask-password --slice-inherit --empower"
-    OPTS="$OPTS -k --reset-timestamp -K --remove-timestamp"
+    OPTS="$OPTS -k --reset-timestamp -K --remove-timestamp -v --validate"
 
     local i
     for (( i=1; i <= COMP_CWORD; i++ )); do

diff --git a/shell-completion/zsh/_run0 b/shell-completion/zsh/_run0
index f8c1e8a08ce7a91b23f50bf2912b3e7fa344e414..de767678de1e02c75ec4bae4a59669627abd361e 100644 (file)
--- a/shell-completion/zsh/_run0
+++ b/shell-completion/zsh/_run0
@@ -49,6 +49,7 @@ local -a args=(
     '(--chdir -D -i --same-root-dir)'{--chdir=,-D+}'[Run within the specified working directory]:directory:_files -/'
     '(-k --reset-timestamp)'{-k,--reset-timestamp}'[Revoke temporary authorization for this terminal]'
     '(-K --remove-timestamp)'{-K,--remove-timestamp}'[Revoke temporary authorizations for this user session]'
+    '(-v --validate)'{-v,--validate}'[Request authorization from polkit]'
     '(-i)'--via-shell"[Invoke command via target user's login shell]"
     '(--via-shell --chdir -D --same-root-dir)'-i"[Shortcut for --via-shell --chdir='~']"
     '*--setenv=[Set the specified environment variable in the session]:environment variable:_parameters -g "*export*" -S = -q'

diff --git a/src/run/run.c b/src/run/run.c
index 4ef3fc940c54ae9257637653440d751207ab99a6..2d12f23ef77705f161993f7ae8f4f59e25ccd9b4 100644 (file)
--- a/src/run/run.c
+++ b/src/run/run.c
@@ -78,6 +78,7 @@ static bool arg_wait = false;
 static bool arg_default_command = false;
 static bool arg_remove_timestamp = false;
 static bool arg_reset_timestamp = false;
+static bool arg_validate = false;
 static const char *arg_unit = NULL;
 static char *arg_description = NULL;
 static char *arg_slice = NULL;
@@ -839,6 +840,10 @@ static int parse_argv_sudo_mode(int argc, char *argv[]) {
                         arg_remove_timestamp = true;
                         break;
 
+                OPTION('v', "validate", NULL, "Request temporary authorization from polkit"):
+                        arg_validate = true;
+                        break;
+
                 OPTION('u', "user", "USER", "Run as system user"):
                         r = free_and_strdup_warn(&arg_exec_user, opts.arg);
                         if (r < 0)
@@ -984,6 +989,9 @@ static int parse_argv_sudo_mode(int argc, char *argv[]) {
         _cleanup_strv_free_ char **l = NULL;
         char **args = option_parser_get_args(&opts);
         if (!strv_isempty(args)) {
+                if (arg_validate)
+                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Option '--validate' cannot be used with a command");
                 l = strv_copy(args);
                 if (!l)
                         return log_oom();
@@ -3146,6 +3154,23 @@ static int revoke_temporary_authorizations(sd_bus *bus) {
         return 0;
 }
 
+static int polkit_validate(sd_bus *bus) {
+        PolkitFlags flags = POLKIT_ALWAYS_QUERY;
+        int r;
+
+        if (arg_ask_password)
+                flags |= POLKIT_ALLOW_INTERACTIVE;
+
+        (void) polkit_agent_open_if_enabled(arg_transport, arg_ask_password);
+        r = polkit_check_authorization(bus, (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
+        if (r < 0)
+                return r;
+        if (r == 0) /* not authorized */
+                return 1;
+
+        return 0;
+}
+
 static int run(int argc, char* argv[]) {
         _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
         int r;
@@ -3235,6 +3260,8 @@ static int run(int argc, char* argv[]) {
                         return 0;
         }
 
+        if (arg_validate)
+                return polkit_validate(bus);
         if (arg_scope)
                 return start_transient_scope(bus);
         if (arg_path_property)