run: enable interactive authorization

man/systemd-run.xml

@@ -112,6 +112,13 @@
     <para>The following options are understood:</para>
 
     <variablelist>
+      <varlistentry>
+        <term><option>--no-ask-password</option></term>
+
+        <listitem><para>Do not query the user for authentication for
+        privileged operations.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--scope</option></term>
 

shell-completion/bash/systemd-run

@@ -36,7 +36,7 @@ _systemd_run() {
                 -r --remain-after-exit --send-sighup -H --host -M --machine --service-type
                 --on-active --on-boot --on-startup --on-unit-active --on-unit-inactive
                 --on-calendar --timer-property -t --pty -q --quiet --no-block
-                --uid --gid --nice --setenv -p --property'
+                --uid --gid --nice --setenv -p --property --no-ask-password'
 
     local mode=--system
     local i

src/run/run.c

@@ -36,7 +36,9 @@
 #include "ptyfwd.h"
 #include "formats-util.h"
 #include "signal-util.h"
+#include "spawn-polkit-agent.h"
 
+static bool arg_ask_password = true;
 static bool arg_scope = false;
 static bool arg_remain_after_exit = false;
 static bool arg_no_block = false;
@@ -64,6 +66,18 @@ static char *arg_on_calendar = NULL;
 static char **arg_timer_property = NULL;
 static bool arg_quiet = false;
 
+static void polkit_agent_open_if_enabled(void) {
+
+        /* Open the polkit agent as a child process if necessary */
+        if (!arg_ask_password)
+                return;
+
+        if (arg_transport != BUS_TRANSPORT_LOCAL)
+                return;
+
+        polkit_agent_open();
+}
+
 static void help(void) {
         printf("%s [OPTIONS...] {COMMAND} [ARGS...]\n\n"
                "Run the specified command in a transient scope or service or timer\n"
@@ -71,6 +85,7 @@ static void help(void) {
                "specified with --unit option then command can be omitted.\n\n"
                "  -h --help                       Show this help\n"
                "     --version                    Show package version\n"
+               "     --no-ask-password            Do not prompt for password\n"
                "     --user                       Run as user unit\n"
                "  -H --host=[USER@]HOST           Operate on remote host\n"
                "  -M --machine=CONTAINER          Operate on local container\n"
@@ -108,6 +123,7 @@ static int parse_argv(int argc, char *argv[]) {
 
         enum {
                 ARG_VERSION = 0x100,
+                ARG_NO_ASK_PASSWORD,
                 ARG_USER,
                 ARG_SYSTEM,
                 ARG_SCOPE,
@@ -160,6 +176,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "on-calendar",       required_argument, NULL, ARG_ON_CALENDAR      },
                 { "timer-property",    required_argument, NULL, ARG_TIMER_PROPERTY   },
                 { "no-block",          no_argument,       NULL, ARG_NO_BLOCK         },
+                { "no-ask-password",   no_argument,       NULL, ARG_NO_ASK_PASSWORD },
                 {},
         };
 
@@ -177,6 +194,10 @@ static int parse_argv(int argc, char *argv[]) {
                         help();
                         return 0;
 
+                case ARG_NO_ASK_PASSWORD:
+                        arg_ask_password = false;
+                        break;
+
                 case ARG_VERSION:
                         puts(PACKAGE_STRING);
                         puts(SYSTEMD_FEATURES);
@@ -745,6 +766,10 @@ static int start_transient_service(
         if (r < 0)
                 return bus_log_create_error(r);
 
+        r = sd_bus_message_set_allow_interactive_authorization(m, arg_ask_password);
+        if (r < 0)
+                return bus_log_create_error(r);
+
         /* Name and mode */
         r = sd_bus_message_append(m, "ss", service, "fail");
         if (r < 0)
@@ -768,6 +793,8 @@ static int start_transient_service(
         if (r < 0)
                 return bus_log_create_error(r);
 
+        polkit_agent_open_if_enabled();
+
         r = sd_bus_call(bus, m, 0, &error, &reply);
         if (r < 0) {
                 log_error("Failed to start transient service unit: %s", bus_error_message(&error, -r));
@@ -860,6 +887,10 @@ static int start_transient_scope(
         if (r < 0)
                 return bus_log_create_error(r);
 
+        r = sd_bus_message_set_allow_interactive_authorization(m, arg_ask_password);
+        if (r < 0)
+                return bus_log_create_error(r);
+
         /* Name and Mode */
         r = sd_bus_message_append(m, "ss", scope, "fail");
         if (r < 0)
@@ -883,6 +914,8 @@ static int start_transient_scope(
         if (r < 0)
                 return bus_log_create_error(r);
 
+        polkit_agent_open_if_enabled();
+
         r = sd_bus_call(bus, m, 0, &error, &reply);
         if (r < 0) {
                 log_error("Failed to start transient scope unit: %s", bus_error_message(&error, -r));
@@ -1025,6 +1058,10 @@ static int start_transient_timer(
         if (r < 0)
                 return bus_log_create_error(r);
 
+        r = sd_bus_message_set_allow_interactive_authorization(m, arg_ask_password);
+        if (r < 0)
+                return bus_log_create_error(r);
+
         /* Name and Mode */
         r = sd_bus_message_append(m, "ss", timer, "fail");
         if (r < 0)
@@ -1077,6 +1114,8 @@ static int start_transient_timer(
         if (r < 0)
                 return bus_log_create_error(r);
 
+        polkit_agent_open_if_enabled();
+
         r = sd_bus_call(bus, m, 0, &error, &reply);
         if (r < 0) {
                 log_error("Failed to start transient timer unit: %s", bus_error_message(&error, -r));