From: Ronan Pigott Date: Thu, 4 Jun 2026 03:56:16 +0000 (-0700) Subject: run0: implement -v/--validate to renew temporary auth X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a48d18f2005ee704d198159a84b3fd0fe6862fe;p=thirdparty%2Fsystemd.git run0: implement -v/--validate to renew temporary auth This is meant to mirror sudo's -v/--validate options, which autohrize the user without running a command. --- diff --git a/man/run0.xml b/man/run0.xml index 1bc38470c50..1887c145eaf 100644 --- a/man/run0.xml +++ b/man/run0.xml @@ -187,6 +187,17 @@ + + + + + Request authorization from polkit. Can be used to create a temporary authorization + without running a command. + + + + + diff --git a/shell-completion/bash/run0 b/shell-completion/bash/run0 index ab174492286..911633aaf8c 100644 --- a/shell-completion/bash/run0 +++ b/shell-completion/bash/run0 @@ -38,7 +38,7 @@ _run0() { --setenv --background ) local OPTS="${opts_with_values[*]} -h --help -V --version --no-ask-password --slice-inherit --empower" - OPTS="$OPTS -k --reset-timestamp -K --remove-timestamp" + OPTS="$OPTS -k --reset-timestamp -K --remove-timestamp -v --validate" local i for (( i=1; i <= COMP_CWORD; i++ )); do diff --git a/shell-completion/zsh/_run0 b/shell-completion/zsh/_run0 index f8c1e8a08ce..de767678de1 100644 --- a/shell-completion/zsh/_run0 +++ b/shell-completion/zsh/_run0 
@@ -49,6 +49,7 @@ local -a args=(
 '(--chdir -D -i --same-root-dir)'{--chdir=,-D+}'[Run within the specified working directory]:directory:_files -/'
 '(-k --reset-timestamp)'{-k,--reset-timestamp}'[Revoke temporary authorization for this terminal]'
 '(-K --remove-timestamp)'{-K,--remove-timestamp}'[Revoke temporary authorizations for this user session]'
+ '(-v --validate)'{-v,--validate}'[Request authorization from polkit]'
 '(-i)'--via-shell"[Invoke command via target user's login shell]"
 '(--via-shell --chdir -D --same-root-dir)'-i"[Shortcut for --via-shell --chdir='~']"
 '*--setenv=[Set the specified environment variable in the session]:environment variable:_parameters -g "*export*" -S = -q'
diff --git a/src/run/run.c b/src/run/run.c
index 4ef3fc940c5..2d12f23ef77 100644
--- a/src/run/run.c
+++ b/src/run/run.c
@@ -78,6 +78,7 @@ static bool arg_wait = false;
 static bool arg_default_command = false;
 static bool arg_remove_timestamp = false;
 static bool arg_reset_timestamp = false;
+static bool arg_validate = false;
 static const char *arg_unit = NULL;
 static char *arg_description = NULL;
 static char *arg_slice = NULL;
@@ -839,6 +840,10 @@ static int parse_argv_sudo_mode(int argc, char *argv[]) {
 arg_remove_timestamp = true;
 break;

+ OPTION('v', "validate", NULL, "Request temporary authorization from polkit"):
+ arg_validate = true;
+ break;
+
 OPTION('u', "user", "USER", "Run as system user"):
 r = free_and_strdup_warn(&arg_exec_user, opts.arg);
 if (r < 0)
@@ -984,6 +989,9 @@ static int parse_argv_sudo_mode(int argc, char *argv[]) {
 _cleanup_strv_free_ char **l = NULL;
 char **args = option_parser_get_args(&opts);
 if (!strv_isempty(args)) {
+ if (arg_validate)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Option '--validate' cannot be used with a command");
 l = strv_copy(args);
 if (!l)
 return log_oom();
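Review bot: The conflict check added inside `if (!strv_isempty(args))` in parse_argv_sudo_mode() rejects `--validate` only when a positional command is present; it does not cover `-k`/`-K`, which set `arg_reset_timestamp`/`arg_remove_timestamp` in the same parser. In run() the `arg_validate` dispatch is added right after a block that ends in `return 0;`; if that block is the timestamp-revocation path (it is not visible in the hunk), `run0 -k -v` would revoke, exit 0 and never query polkit, which a wrapper script could take for a successful renewal. Either reject the combination next to this check, e.g. `if (arg_validate && (arg_reset_timestamp || arg_remove_timestamp)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option '--validate' cannot be combined with -k/-K.");`, or state the intended precedence in the man page entry. The function body starts and ends outside the hunk.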
@@ -3146,6 +3154,23 @@ static int revoke_temporary_authorizations(sd_bus *bus) {
 return 0;
 }

+static int polkit_validate(sd_bus *bus) {
+ PolkitFlags flags = POLKIT_ALWAYS_QUERY;
+ int r;
+
+ if (arg_ask_password)
+ flags |= POLKIT_ALLOW_INTERACTIVE;
+
+ (void) polkit_agent_open_if_enabled(arg_transport, arg_ask_password);
+ r = polkit_check_authorization(bus, (uint32_t) (flags & _POLKIT_MASK_PUBLIC), NULL);
+ if (r < 0)
+ return r;
+ if (r == 0) /* not authorized */
+ return 1;
+
+ return 0;
+}
+
 static int run(int argc, char* argv[]) {
 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
 int r;
@@ -3235,6 +3260,8 @@ static int run(int argc, char* argv[]) {
 return 0;
 }

+ if (arg_validate)
+ return polkit_validate(bus);
 if (arg_scope)
 return start_transient_scope(bus);
 if (arg_path_property)
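Review bot: polkit_validate() returns 1 on the `r == 0` path without logging anything, so a denied `run0 -v` exits non-zero silently, and neither the user nor a calling script can tell a polkit denial from the bare `return r` failure path unless polkit_check_authorization() logs on its own (not visible here). I would log before that return, e.g. `log_notice("Authorization was not granted.");`, and add a header comment such as `/* Returns 0 if polkit granted the authorization, 1 if it was denied, negative errno on failure. */`. That comment should also say what passing `NULL` as the last argument selects and why the flags are masked with `_POLKIT_MASK_PUBLIC`, because the temporary authorization created here is presumably only useful if it is for the same action that later run0 invocations are checked against.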