#Linux admin priviledges

Hi all,
I'm using tauri v2. I know it is not in a stable release. My project is new and I decided to use it and not to migrate in future.

My issue is that my app need to have the root priviledges to do some file system operations. In detail I need to read/write some files to some directory like /user/share/<etc>.

At the moment the only way I found to solve this problem was to run a command through pkexec.

The problem is that I would like to avoid using this approach otherwise I have to ask via GUI for the administrator pw for each command to execute. This can be very frustrating for a user since I could potentially have to run a hundred commands.

I have already considered as a possible improvement to gather all the commands into an sh file and run it with privileges, but this requires a huge effort at the development level since one has to build at runtime an sh script that can be very complex.

Hence the question: is there a way to configure the entire tauri application to run with administrator privileges? Or is there a way to have the necessary permissions to write to certain protected directories?

If you want to take a look and you have other suggestion fot this I leave here my project link: https://github.com/francesco-gaglione/AppHub

Thank you

I have already considered as a possible improvement to gather all the commands into an sh file and run it with privileges, but this requires a huge effort at the development level since one has to build at runtime an sh script that can be very complex.
This is almost the recommended/typical approach, just that you'd not use a bash script but another rust project compiled as a cli program for example.

We generally never recommend running the whole tauri app as admin but if there's no way around it, i saw someone do this: https://stackoverflow.com/a/62528760 but instead of the panic they'd use pkexec in a Command with the app name as an arg.

"not use a bash script but another rust project compiled as a cli program for example" I actually hadn't thought about that, and it may be a good approach for my particular case, indeed it would be a major improvement that brings additional benefits. But I wonder--in this case can this second cli program be "packaged" into the tauri application package? Or does it have to be installed separately and thus have a custom installation as well?

It can be bundled with the app using the installer.

https://tauri.app/v1/guides/building/sidecar
https://tauri.app/v1/guides/building/resources

Great, I'm using tauri v2, there is a similar procedure or this is retroactive?

I'm not able to find something in the v2 doc

it's still mostly the same. The externalBin config still exists and the shell module is now a separate tauri-plugin-shell. The command specific config should be just this https://beta.tauri.app/features/shell/#permissions

process-command-api feature is not available in tauri v2

you don't need that feature flag. If the cli is complaining about it then some crate or the cli itself is outdated.

I was able to configure the sidecar and run it in this way:
let shell = app_handle.shell();
let (mut rx, mut child) = shell.sidecar("app_hub_backend")
.unwrap().args(&["--file-path", "/usr/share/applications/test.txt"])
.spawn()
.expect("Sidecar failed to start due to an error.");

while let Some(event) = rx.recv().await {
    match event {
        CommandEvent::Stderr(error) => {
            println!("error: {}", String::from_utf8(error).unwrap());
        }
        CommandEvent::Stdout(out) => {
            println!("out: {}", String::from_utf8(out).unwrap());
        }
        CommandEvent::Error(error) => {
            println!("error: {}", error);
        }
        CommandEvent::Terminated(terminated) => {
            println!("terminated: {:?}", terminated);
        }
        _ => {
            println!("other event");
        }
    }
}

but I'm not able to run the sidecar with sudo permissions. Is it possible to run it with sudo permissions?

the built-in apis don't support this, no. For macos and windows there's https://docs.rs/runas/latest/runas/ but that won't work for linux in tauri apps. For Linux we're back to the pkexec thing you and i mentioned before.

already tried to run it with pkexec but being a sidecar the OS doesn't recognize it (command not found) using .sidecar on the other hand it does (from this I can imagine that tauri runs the binary and thus doesn't actually install the sidecar on the OS)

does pkexec not accept a file path? Does it have to be a system-wide known app?

We don't have a sidecar path api but they should be fairly predicatble iirc, or even in the current working dir.

No I don't want to be a system-wide known app, I want it to be shiped into the tauri app.
For this reason I followed the documentation on how to create a sidecar, and actually it work. I mean I'm able to run this rust binary now placed into the binaries/sidecar-name-{triple).
My issue is that I need to run this binary with admin priviledges since I have to write some files into some system folder and so since I have to write a lot of files I want to avoid using pkexec couse it will require the admin password for each command.
I want to avoid to bundle all the commands in one single "pkexec command && other commands" because between each command I have to execute some code instructions.

The situation now is:

• I'm able to run the sidecar with the code in the previes message (but not with admin priviledges)
• I tryed to use pkexec to run the binary but the command fails because the os is not able to recognize the binary (even using the file path, and I don't want to use it since I want to ship this binary into the tauri app)
• I tryed to use polkit to acquire root priviledges into the binary but I failed

Now I'm trying to understand the best solution since I have to do some different root operations (and I know it is not a good practice to allow an entire binary to be executed with root priviledges) if there are some other "best practices" to do what I have to do

No I don't want to be a system-wide known app, I want it to be shiped into the tauri app.
I totally understood your issue, i was just surprised that pkexec didn't work for you, and my question was basically if it doesn't work with a full path to the sidecar which you answered here:
I tryed to use pkexec to run the binary but the command fails because the os is not able to recognize the binary (even using the file path [...]
Also this part:
and I don't want to use it since I want to ship this binary into the tauri app)
doesn't matter, you can dynamically create the path of the bundled sidecar, which my second sentence was about.

i'll try what i've had in mind with pkexec myself real quick and see if i can spot any issues.

This works for me to spawn the sidecar (in this case i used gedit) with admin privileges.

let mut cmd = std::process::Command::new("pkexec");
cmd.args([
  "env",
  &format!("DISPLAY="{}", std::env::var("DISPLAY")?),
  &format!("XAUTHORITY="{}", std::env::var("XAUTHORITY")?),
  "/usr/bin/gedit" // -> Path to your sidecar
]);
cmd.spawn(); // etc

since my sidecar is a bin (non installed in the os, but shipped with tauri) how can I set the path to the sidecar? (relative path not work, and I don't know where tauri will install the sidecar bin)

in an appimage it will be in <cwd>/usr/bin/

no idea about .deb, i thought it's in /local/usr/bin but it's probably somewhere in /local/usr/share/

hmm, according to the bundler source code it should indeed be in /local/usr/bin or /usr/bin, not in share

wait, no forget all that, you can get the path via ```
let p = std::env::current_exe()?.parent().unwrap().join("my-sidecar");

This will work in appimages, .deb, .rpm and maybe even in `tauri dev`

Great!! I will test it and I will let you know. In the maintime thank you very much.
If it work probabily we can think to include this in the a FAQ in the doc?

I confirm it works, at least with tauri dev, but from what u said I'm quite confident it should work using AppImage, deb and rpm.... I will test it. But for now, this can be a very good solution to run sidecar with sudo permissions

The build process fail bundling appImage file. Tried to run with --verbose but I can see only that there is a permission denied but I'm not able to understand wehre into the build_appimage.sh

In addition I tried to run NO_STRIP=true bash -x build_appimage.sh and it work so probably the issue is in the tauri build