How to identify etcher with polkit

Hello, I would like to allow a user group to use Etcher. I have debugged Polkit, but I think there is currently no way to identify the etcher program, because the output of the log shows a generated script /tmp/tmp-xxxx.cmd, which I cannot clearly prove to be etcher.

Any thoughts on how to solve the problem?
Could you change this behavior by renaming the script to /tmp/etcher-xxx.cmd or something?

[Log]
polkitd[1102]: /etc/polkit-1/rules.d/20-rolkit-log.rules:3: action=[Action id='org.freedesktop.policykit.exec' polkit.gettext_domain='polkit-1' command_line='/bin/bash -c echo SUDOPROMPT; sh '/tmp/tmp-3264V6MwkPhDUnSf.cmd'' program='/bin/bash' user.gecos='root' user='root' polkit.message='Authentication is needed to run `$(program)' as the super user' user.display='root (root)']

Hi @DerAndyK

I see that you have withdrawn your post, and just wanted to make sure whether you still need any assistance on this?

Kind regards
Alida

Hello @DerAndyK looking at the logs it seems like the error is caused by the program attempting to run with sudo. Have a look at http://www.admin-magazine.com/Articles/Assigning-Privileges-with-sudo-and-PolicyKit (this explains how to allow users to run apt-get with sudo, but it should equally apply to other programs like etcher). Let me know if this makes sense.

Hi @nazrhom, I think I did not explain it right. I wrote that I want to allow a group use of etcher. What I really meant was etcher works fine until I press the Flash button. I think then a script is being created in the tmp folder. This script executes the necessary commands, I guess. But the user is not allowed to fire this script. Polkit then asks for the password.

I tried to create a file with this content allowing all users to run etcher as root:

ALL ALL=(ALL) NOPASSWD: /opt/balenaEtcher/balena-etcher-electron

But still I get the same error. See attached screenshot.

Hi @AlidaOdendaal, I need further assistance. Regards Andy

Hi Andy, my teammate maintaining Etcher notes that he’ll experiment with a potential solution and we’ll let you know how it goes. For now, the best option would be to run with sudo if possible.

Hi Andreas,

Implementing this change correctly is taking us more time than we expected. I’ve created a GitHub issue to track its progress: https://github.com/balena-io/etcher/issues/3065. I suggest you subscribe to that issue so that you’ll be notified as soon as it is resolved.

Thank you for asking us to make etcher better.

Best regards

federico

Thank you!

Here is my solution to allow the group ‘etcher’ the use of etcher:

/etc/polkit-1/rules.d/10-etcher.rules
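polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.policykit.exec") {
        // Substring match on the command line. JavaScript has no [[ ... ]] test and "==" does
        // not expand "*"; [[expr]] would be a nested array literal, which is always true.
        var cmd = action.lookup("command_line") || "";
        if (cmd.indexOf("/tmp/balena-etcher-electron-") !== -1 && subject.isInGroup("etcher")) {
            return polkit.Result.YES;
        }
    }
});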
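An offline check of this kind of rule under Node.js, as an added example that is not part of the original post or of Etcher: it compares a shell-style `[[ ... ]]` condition with a match anchored on the whole command line. The `polkit` stub, the helper names, the sample command lines and the assumed script name format (random suffix plus `.cmd`, by analogy with the log above) are all constructed for illustration.

```javascript
// Stand-ins for what polkitd hands to a rule; constructed so the logic runs under Node.
const polkit = { Result: { YES: "yes" } };
const makeAction = (commandLine) => ({
  id: "org.freedesktop.policykit.exec",
  lookup: (key) => (key === "command_line" ? commandLine : undefined),
});
const makeSubject = (groups) => ({ isInGroup: (g) => groups.includes(g) });

// Shell-style test written as JavaScript: [[ ... ]] is a nested array literal,
// which is truthy whatever the comparison inside evaluates to.
function shellStyleRule(action, subject) {
  if (action.id == "org.freedesktop.policykit.exec") {
    if ([[action.lookup("command_line") == "*/tmp/balena-etcher-electron-*"]] &&
        subject.isInGroup("etcher")) {
      return polkit.Result.YES;
    }
  }
}

// Assumed shape: the wrapper seen in the log, with the script renamed.
// The suffix character class and the ".cmd" ending are assumptions.
var ETCHER_CMD =
  /^\/bin\/bash -c echo SUDOPROMPT; sh '\/tmp\/balena-etcher-electron-[A-Za-z0-9]+\.cmd'$/;

// Anchored match: the entire command line must have the expected shape.
// It still trusts whatever file sits at that path in /tmp.
function anchoredRule(action, subject) {
  if (action.id !== "org.freedesktop.policykit.exec") return undefined;
  if (!subject.isInGroup("etcher")) return undefined;
  var cmd = action.lookup("command_line") || "";
  return ETCHER_CMD.test(cmd) ? polkit.Result.YES : undefined;
}

// Constructed inputs: an Etcher-shaped command, an unrelated one, two users.
const etcherCmd = "/bin/bash -c echo SUDOPROMPT; sh '/tmp/balena-etcher-electron-3264V6Mwk.cmd'";
const otherCmd = "/usr/bin/apt-get install example";
const member = makeSubject(["etcher"]);
const outsider = makeSubject(["users"]);

function decisions(rule) {
  return [
    rule(makeAction(etcherCmd), member),   // group member, Etcher script
    rule(makeAction(otherCmd), member),    // group member, unrelated command
    rule(makeAction(etcherCmd), outsider), // non-member, Etcher script
  ].map((r) => r || "not handled");
}

console.log("shell-style:", decisions(shellStyleRule));
console.log("anchored:   ", decisions(anchoredRule));
```

Running it shows the shell-style condition answering YES for the unrelated command as well, while the anchored rule only answers YES for the Etcher-shaped command from a member of the group.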

Hey there, thank you for sharing the resolution with us. Glad to hear it worked.