Hello,
My app require sudo to fully operate.
In order to avoid start my app with sudo or pkexec, what are the good practices to ask the password while running the GUI app?
I tried the following, but each pkexec still ask password instead of once.

You could have a look at my program Sudo_solution that is on the Gambas Farm and available here

<IMG src="https://www.cogier.com/gambas/Sudo_Solution.png"> </IMG>

That is incorrect syntax for pkexec, you must pass Env vars "DISPLAY" and "XAUTHORITY" to your command or pkexec hides the info.

the bash/shell syntax is like this…
pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY

Note:  NOT  env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY pkexec   
the Envs must be passed to your command being run not pkexec itself.

gb.desktop command Desktop.RunAsRoot() uses pkexec correctly.  
(It was me who updated it from just using old gksudo/kdesudo commands that are mostly dead ducks now)
Deksktop.RunAsRoot("apt", "update") should work okay.

A Gambas Exec command should be done something like this…
Exec ["pkexec", "env", "DISPLAY=" & Env["DISPLAY"], "XAUTHORITY=" & Env["XAUTHORITY"], "apt", "update"] Wait

Note,  You cannot change a running programs sudo level.

You have to either run the program as root (then ANY commands are done at root level) or it's not root.

When using the Exec or RunAsRoot command it creates a shell process (using pkexec for root)  runs the command , then the process ends.
So IT WILL ask for root every time you run a command with pkexec or Desktop.RunAsRoot()

It is considered not-good to have a non-root application ask for sudo then quietly retain the privileges.

There are options…

Run the program as root.

Or you could use a Terminal gb.form.terminal then initiate it with TerminalView1.Exec("sudo","bash")
then the terminal has a root bash running in it until it is closed and multiple commands can be added to it.

or.
Put all your commands together in a temp file and run that.
<HIGHLIGHT highlight="gambas">
Dim sCom As String = "apt update && apt upgrade -y"
File.Save("/tmp/exec", sCom)
Chmod "/tmp/exec" To "rwxr-xr-x"
Shell "pkexec env DISPLAY=" & Env["DISPLAY"] & "XAUTHORITY=" & Env["XAUTHORITY"] & " /tmp/exec" Wait
Kill "/tmp/exec"

</HIGHLIGHT>

note: i used "apt update -y"  as the shell will not be interactive so you cannot enter and key text like y for yes to upgrade.

cogier said

You could have a look at my program Sudo_solution that is on the Gambas Farm and available here

<IMG src="https://www.cogier.com/gambas/Sudo_Solution.png"> </IMG>

I did it a try. It works, but it's not very good for security.
Why the command is executing twice?
First:
Then:
@bruce: I will check your comments soon, thanks

I did it a try. It works, but it's not very good for security.

You are right, but I didn't create this to be super secure.

Why the command is executing twice?

This is done to catch any errors, try putting the wrong password in or a command that can't work.

I like the solution to start a terminal (or internal shell) and keep alive with adding multiples commands, in order to ask once password. But, the problem remain: how to ask only once the password, in a security way. If we use pkexec, then each command beginning with pkexec ask password again, even in the same shell. If we use the solution from Cogier, then ok the password is asked once, but it's very ugly for security as it retain the root password. Thanks for proposals, I will continue to search a better way.
Bellow, from a standard terminal. Each pkexec ask password, even if password is correct.

Philippe734 said

I like the solution to start a terminal (or internal shell) and keep alive with adding multiples commands, in order to ask once password. But, the problem remain: how to ask only once the password, in a security way. If we use pkexec, then each command beginning with pkexec ask password again, even in the same shell. If we use the solution from Cogier, then ok the password is asked once, but it's very ugly for security as it retain the root password. Thanks for proposals, I will continue to search a better way.
Bellow, from a standard terminal. Each pkexec ask password, even if password is correct.

Code

user:~$ pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update
[...]
user:~$ pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update
Error executing command as another user: Request dismissed

how about ..
pkexec –user root env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY apt update

it's probably your username "user" is not in the sudo group
sudo adduser user
sudo adduser user sudo

or just something simple like this in your startup method…


How that works when you run the program…
if you are not root then the program launches itself again with any given args, then quits.
if you are root it will continue to run and show the use name and any arguments that were passed to the first instance.

Note:
 it HAS to happen that way that the program runs twice and the first instances stays alive until the root one closes. the first instance is the owning task of the root instance and if it exits all it's child tasks quit too.

So for the first instance the program does not properly load and run it just launches itself again with root then quits.

Hope that makes sense.

 I understand your point of view. However, I don't want users run as root my app. I want to only run some commands as root. Because, my apps are packaged as AppImage and can run on any Linux as Fedora, Arch, Debian…