Pkexec: use a single password prompt & implement a complete bluetooth toggle

boredsquirrel · May 14, 2024, 2:18pm

Hi,

I use a custom desktop entry for enabling and disabling bluetooth using systemctl.

KDE Plasma has a toggle using rfkill, so that may be fine, but better be paranoid than sorry and it works really well.

What it does is enable or disable the bluetooth service, and mask or unmask it, to be extra sure.

This results in 2 password prompts, which is suboptimal.

How could I spawn a pkexec GUI password prompt, pipe that password into some file and just use sudo for the other one, piping the password there?

Into what file, how to protect it? Just a tempfile and delete it after piping? Or use it as a variable in both commands?

I should possibly overthink this:

Changing the bluetooth service to a user systemd service would allow users to control it.
Using a general “pkexec” prompt would not allow using dedicated groups for certain actions, locking users to the wheel group.

Solution without `wheel` group:

# copy the service
sudo cp /usr/lib/systemd/system/bluetooth.service /etc/systemd/user/bluetooth-user.service

# disable the system service
sudo systemctl disable --now bluetooth
sudo systemctl mask bluetooth

systemctl --user daemon-reload
systemctl --user enable --now bluetooth-user

boredsquirrel · May 14, 2024, 2:18pm

Added systemd

job79 · May 14, 2024, 2:29pm

Writing the password to a file doesn’t sound like a good idea. Even if you delete the file after the commands are executed it might still be recoverable (think software as recuva). Another problem is that a random process could read the file during the short time that it exists.

But unless I am missing something, cant you just start a shell session that executes both commands?

pkexec sh -c "systemctl disable --now bluetooth && systemctl mask bluetooth"

boredsquirrel · May 14, 2024, 2:38pm

thanks! This is the solution for keeping the traditional bluetooth service (for whatever reason).

I edited both files and will personally now use the user service

strange, it worked first, now the service fails to start.

Also I noticed that all SELinux contexts are set to unconfined for /etc/systemd/user/ services I created myself. This needs fixing too

boredsquirrel · July 1, 2024, 9:16pm

Added docs-team

boredsquirrel · July 1, 2024, 9:16pm

This would also be cool as a quick doc

Topic		Replies	Views
Convert Bluetooth (and other) systemd services to user services Ask Fedora kde , kde-plasma , systemd , sudo , bluetooth , selinux-confined-users , wheel	4	271	June 17, 2024
Sudo password entry using gnome password prompt Ask Fedora gnome	4	1007	January 3, 2022
After upgrading to Fedora 32, Dolphin requests root password for mounting partitions Ask Fedora f32 , kde	4	1202	December 19, 2020
Trying to enable bluetooth before decrypting disk Ask Fedora f35 , encryption , bluetooth , intel , kernel , silverblue	3	2906	March 21, 2022
How to prevent by default any non-wheel (standard) users from use polkit? Ask Fedora	9	1926	July 9, 2019

Pkexec: use a single password prompt & implement a complete bluetooth toggle

Solution without wheel group:

Related topics

Solution without `wheel` group: