Permissions to run xfconf-query from systemd scripts

I’d like my system to run the following command when going to sleep:

xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/presentation-mode -s false

The point is to disable presentation mode when manually put to sleep.

So I created a file /usr/lib/systemd/system-sleep/powermanage with 755 permission containing the lines:

#!/bin/sh
echo running powermanage: $1 run as $USER >> /var/log/suspend/suspend.log
case $1 in
    pre)
       xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/presentation-mode -s false 2> /var/log/suspend/error.log
    ;;
esac

It didn’t work. It logged “permission denied” in error.log and "running powermanage: pre run as " in suspend.log. So the $USER variable was empty. The log files were owned by root:root.

#!/bin/sh
echo running powermanage: $1 run as $USER >> /var/log/suspend/suspend.log
case $1 in
    pre)
       sudo /scripts/powerreset.sh 2> /var/log/suspend/powerman-sudo.log
    ;;
esac

created the file /scripts/powerreset.sh with 755 permission

#!/bin/bash
xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/presentation-mode -s false > /var/log/suspend/power.log 2> /var/log/suspend/power-err.log

and inserted into sudoers:

ALL ALL=(ALL) NOPASSWD: /scripts/powerreset.sh

Now /var/log/suspend/power-err.log contains

How can this permission issue be solved?

Most likely you should export environment variables inside such a script:

export DISPLAY=:0
export XAUTHORITY=/home/yourusername/.Xauthority
export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus

Because scripts executed in the systemd context are very dangerous, systemd is picky when it comes to scripts.

Due to various requirements and experience with various hosting services - Linode and Hetzner - I have found that scripts that are to execute successfully under systemd, using either services or timers, benefit from being put in the /etc/systemd/scripts folder, with the executable permissions limited to root.

Moving the script from /scripts to /etc/systemd/scripts didn’t change anything. Neither did chmod 700.
The script that calls this script is still in /usr/lib/systemd/system-sleep/
That's the only place I know where it will be triggered on sleep event. All the default scripts in these folders have 755 permissions. But it runs even with 700.

That changed the error logged. Now it is


Maybe the current issue is that some service is stopped before the script tries to run?

The xfconf-query command would save the setting for presentation mode to the file ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-power-manager.xml

I would expect that only the user account has write access to the file.

ls -l ~/.config/xfce4/xfconf/xfce-perchannel-xml/

File is writeable by user only. But I’d be surprised if that is stopping root from running the script. After all, adding to the script echo > file writable by root only works.
Could an alternative solution be to let the script edit the xml file directly?

You’re on the right path. root doesn’t have the user’s environment.

Take a look at this Reddit thread.

One change, the dbus session socket file is /run/user/$(id -u)/bus.

Thanks. Finally it works. Final script looks like this:
700 root:root /scripts/powerreset

#!/bin/sh
export DISPLAY=:0
export XAUTHORITY=/home/MYUSER/.Xauthority
export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus

su MYUSER -c 'xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/presentation-mode -s false'

700 root:root /usr/lib/systemd/system-sleep/powermanage
and
700 root:root /usr/lib/systemd/system-shutdown/powermanage

#!/bin/sh
case $1 in
    pre)
	/scripts/powerreset
    ;;
esac
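
An added example, not part of any post in this thread: a variant of /scripts/powerreset that looks up the session user's UID instead of hardcoding /run/user/1000/bus, checks that the runtime directory belongs to that user, and uses runuser with a cleared environment in place of su -c. The names SESSION_USER, session_bus_address and run_in_session are hypothetical; MYUSER and DISPLAY=:0 are carried over from the final script above as placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Runs as root from a systemd sleep hook.
# SESSION_USER is a placeholder, like MYUSER in the thread.
SESSION_USER=MYUSER

# Print the session bus address of user $1 (login name or numeric UID).
# In a root hook a bare $(id -u) is 0, so the UID is looked up by name.
# $2 overrides the runtime root /run/user (assumed parameter, for testing).
session_bus_address() {
    case $1 in
        '' | *[!0-9]*) uid=$(id -u "$1" 2>/dev/null) || return 1 ;;  # unknown user
        *) uid=$1 ;;
    esac
    dir=${2:-/run/user}/$uid
    [ -d "$dir" ] || return 2                    # user has no login session
    owner=$(ls -dn "$dir" | awk '{print $3}')
    [ "$owner" = "$uid" ] || return 3            # directory owned by someone else
    [ -e "$dir/bus" ] || return 4                # bus socket missing
    printf 'unix:path=%s/bus\n' "$dir"
}

# Run "$@" as user $1 with only the variables the thread found necessary.
# runuser (util-linux) is root-only and takes an argument vector, so no
# sudoers rule and no shell command string are involved.
run_in_session() {
    user=$1
    shift
    addr=$(session_bus_address "$user") || {
        echo "no usable session bus for $user" >&2
        return 1
    }
    home=$(getent passwd "$user" | cut -d: -f6)
    runuser -u "$user" -- env -i PATH=/usr/bin:/bin HOME="$home" \
        DISPLAY=:0 XAUTHORITY="$home/.Xauthority" \
        DBUS_SESSION_BUS_ADDRESS="$addr" "$@"
}

# systemd passes "pre" or "post" as $1 to system-sleep hooks.
case ${1:-} in
    pre)
        run_in_session "$SESSION_USER" xfconf-query -c xfce4-power-manager \
            -p /xfce4-power-manager/presentation-mode -s false
        ;;
esac
```

If the user is not logged in when the machine suspends, session_bus_address fails and the hook logs a message instead of running xfconf-query against a missing bus.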
