feat(pkexec): elevate privileges only if necessary

NotAShelf · Mar 18, 2024 · 7fcdd5a · 7fcdd5a
1 parent 8d7d8dc
commit 7fcdd5a
Show file tree

Hide file tree

Showing 5 changed files with 151 additions and 26 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -19,4 +19,5 @@ resvg = "0.40.0"
 serde = {version = "1.0", features = ["derive"]}
 serde_json = "1.0"
 which = "6.0"
+whoami = "1.5.1"
 wl-clipboard-rs = "0.8"
diff --git a/src/pkexec.rs b/src/pkexec.rs
@@ -1,5 +1,6 @@
 use std::path::PathBuf;
 use which::which;
+use whoami::username;
 
 pub fn get_pkexec_path() -> PathBuf {
     match which("pkexec") {
@@ -8,6 +9,15 @@ pub fn get_pkexec_path() -> PathBuf {
     }
 }
 
-pub fn pkexec_found(pkexec_path: &PathBuf) -> bool {
-    pkexec_path.is_file()
+// We don't need to elevate privileges if we're using the Tray service
+// as the root user. This shouldn't really happen, but it's possible
+// depending on how Tailran is ran.
+pub fn should_elevate_perms() -> bool {
+    let parent_user = username().to_string();
+
+    if parent_user.eq("root") {
+        return false;
+    }
+
+    true
 }
diff --git a/src/tailscale/status.rs b/src/tailscale/status.rs
@@ -42,17 +42,19 @@ pub fn get_status_json() -> String {
 }
 
 pub fn get_status() -> Result<Status, serde_json::Error> {
-    let mut st: Status = serde_json::from_str(get_status_json().as_str())?;
-    let dnssuffix = st.magic_dnssuffix.to_owned();
-    st.tailscale_up = match st.backend_state.as_str() {
+    let mut status: Status = serde_json::from_str(get_status_json().as_str())?;
+    let dnssuffix = status.magic_dnssuffix.to_owned();
+    status.tailscale_up = match status.backend_state.as_str() {
         "Running" => true,
         "Stopped" => false,
         _ => false,
     };
 
-    dns::dns_or_quote_hostname(&mut st.this_machine, &dnssuffix);
-    st.peers
+    dns::dns_or_quote_hostname(&mut status.this_machine, &dnssuffix);
+    status
+        .peers
         .values_mut()
         .for_each(|m: &mut Machine| dns::dns_or_quote_hostname(m, &dnssuffix));
-    Ok(st)
+
+    Ok(status)
 }
diff --git a/src/tray/menu.rs b/src/tray/menu.rs
@@ -1,4 +1,4 @@
-use crate::pkexec::{get_pkexec_path, pkexec_found};
+use crate::pkexec::{get_pkexec_path, should_elevate_perms};
 use crate::svg::renderer::ResvgRenderer;
 use crate::tailscale::peer::copy_peer_ip;
 use crate::tailscale::status::{get_current_status, Status};
@@ -46,19 +46,34 @@ impl SysTray {
 
     fn do_service_link(&mut self, verb: &str) {
         let pkexec_path = get_pkexec_path();
+        let elevate = should_elevate_perms();
+        let command = if elevate {
+            info!("Elevating permissions for pkexec.");
+            Command::new(pkexec_path)
+                .arg("tailscale")
+                .arg(verb)
+                .stdout(Stdio::piped())
+                .spawn()
+        } else {
+            Command::new("tailscale")
+                .arg(verb)
+                .stdout(Stdio::piped())
+                .spawn()
+        };
+
+        // Check if command was successfully created
+        let command = match command {
+            Ok(cmd) => cmd,
+            Err(err) => {
+                // Handle error appropriately, e.g., log and return early or panic
+                panic!("Failed to execute process: {:?}", err);
+            }
+        };
 
-        // TODO: consider using https://stackoverflow.com/a/66292796/554150
-        // or async? https://rust-lang.github.io/async-book/03_async_await/01_chapter.html
-        let child = Command::new(pkexec_path)
-            .arg("tailscale")
-            .arg(verb)
-            .stdout(Stdio::piped())
-            .spawn()
-            .expect("Failed to execute process");
+        let output = command.wait_with_output().expect("Failed to read stdout");
 
-        let output = child.wait_with_output().expect("Failed to read stdout");
         info!(
-            "link {}: [{}]{}",
+            "Link {}: [{}]{}",
             &verb,
             output.status,
             String::from_utf8_lossy(&output.stdout)
@@ -70,11 +85,15 @@ impl SysTray {
             } else {
                 "disconnected"
             };
+
+            // send notification through dbus
             let _result = Notification::new()
                 .summary(format!("Connection {}", verb).as_str())
                 .body(format!("Tailscale service {verb_result}").as_str())
                 .icon("info")
                 .show();
+
+            // update status
             self.update_status();
         }
     }
@@ -116,10 +135,6 @@ impl Tray for SysTray {
     }
 
     fn menu(&self) -> Vec<MenuItem<Self>> {
-        // TODO: build pkexec_exists into pkexec_path by failing early
-        // if pkexec cannot be found
-        let pkexec_path = get_pkexec_path();
-        let pkexec_exist: bool = pkexec_found(&pkexec_path);
         let my_ip = self.ctx.ip.clone();
 
         let mut my_sub = Vec::new();
@@ -147,7 +162,7 @@ impl Tray for SysTray {
                 label: "Connect".into(),
                 icon_name: "network-transmit-receive".into(),
                 enabled: !self.enabled(),
-                visible: pkexec_exist,
+                visible: true,
                 activate: Box::new(|this: &mut Self| this.do_service_link("up")),
                 ..Default::default()
             }
@@ -156,7 +171,7 @@ impl Tray for SysTray {
                 label: "Disconnect".into(),
                 icon_name: "network-offline".into(),
                 enabled: self.enabled(),
-                visible: pkexec_exist,
+                visible: true,
                 activate: Box::new(|this: &mut Self| this.do_service_link("down")),
                 ..Default::default()
             }