Use pkexec instead of gksudo for adding users to group.

remoting/host/linux/linux_me2me_host.py

 #!/usr/bin/python
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Virtual Me2Me implementation.  This script runs and manages the processes
 # required for a Virtual Me2Me desktop, which are: X server, X desktop
 # session, and Host process.
 # This script is intended to run continuously as a background daemon
 # process, running under an ordinary (non-root) user account.
 
 import atexit
 import errno
 import fcntl
 import getpass
 import grp
 import hashlib
 import json
 import logging
 import optparse
 import os
 import pipes
 import platform
 import psutil
 import platform
+import pwd
 import re
 import signal
 import socket
 import subprocess
 import sys
 import tempfile
 import time
 import uuid
 
 LOG_FILE_ENV_VAR = "CHROME_REMOTE_DESKTOP_LOG_FILE"
@@ skipping 990 matching lines @@
                     action="store_true",
                     help="Return 0 if the daemon is running, or 1 otherwise.")
   parser.add_option("", "--config", dest="config", action="store",
                     help="Use the specified configuration file.")
   parser.add_option("", "--reload", dest="reload", default=False,
                     action="store_true",
                     help="Signal currently running host to reload the config.")
   parser.add_option("", "--add-user", dest="add_user", default=False,
                     action="store_true",
                     help="Add current user to the chrome-remote-desktop group.")
+  parser.add_option("", "--add-user-as-root", dest="add_user_as_root",
+                    action="store", metavar="USER",
+                    help="Adds the specified user to the chrome-remote-desktop "
+                    "group (must be run as root).")
   parser.add_option("", "--host-version", dest="host_version", default=False,
                     action="store_true",
                     help="Prints version of the host.")
   parser.add_option("", "--watch-resolution", dest="watch_resolution",
                     type="int", nargs=2, default=False, action="store",
                     help=optparse.SUPPRESS_HELP)
   (options, args) = parser.parse_args()
 
   # Determine the filename of the host configuration and PID files.
   if not options.config:
@@ skipping 32 matching lines @@
 
   if options.reload:
     proc = get_daemon_proc()
     if proc is None:
       return 1
     proc.send_signal(signal.SIGHUP)
     return 0
 
   if options.add_user:
     user = getpass.getuser()
+
     try:
       if user in grp.getgrnam(CHROME_REMOTING_GROUP_NAME).gr_mem:
         logging.info("User '%s' is already a member of '%s'." %
                      (user, CHROME_REMOTING_GROUP_NAME))
         return 0
     except KeyError:
       logging.info("Group '%s' not found." % CHROME_REMOTING_GROUP_NAME)
 
+    command = [SCRIPT_PATH, '--add-user-as-root', user]
     if os.getenv("DISPLAY"):
-      sudo_command = "gksudo --description \"Chrome Remote Desktop\""
+      # TODO(rickyz): Add a Polkit policy that includes a more friendly message
+      # about what this command does.
+      command = ["/usr/bin/pkexec"] + command
     else:
-      sudo_command = "sudo"
-    command = ("sudo -k && exec %(sudo)s -- sh -c "
-               "\"groupadd -f %(group)s && gpasswd --add %(user)s %(group)s\"" %
-               { 'group': CHROME_REMOTING_GROUP_NAME,
-                 'user': user,
-                 'sudo': sudo_command })
-    os.execv("/bin/sh", ["/bin/sh", "-c", command])
+      command = ["/usr/bin/sudo", "-k", "--"] + command
+
+    # Run with an empty environment out of paranoia, though if an attacker
+    # controls the environment this script is run under, we're already screwed
+    # anyway.
+    os.execve(command[0], command, {})
     return 1
 
+  if options.add_user_as_root is not None:
+    if os.getuid() != 0:
+      logging.error("--add-user-as-root can only be specified as root.")
+      return 1;
+
+    user = options.add_user_as_root
+    try:
+      pwd.getpwnam(user)
+    except KeyError:
+      logging.error("user '%s' does not exist." % user)
+      return 1
+
+    try:
+      subprocess.check_call(["/usr/sbin/groupadd", "-f",
+                             CHROME_REMOTING_GROUP_NAME])
+      subprocess.check_call(["/usr/bin/gpasswd", "--add", user,
+                             CHROME_REMOTING_GROUP_NAME])
+    except (ValueError, OSError, subprocess.CalledProcessError) as e:
+      logging.error("Command failed: " + str(e))
+      return 1
+
+    return 0
+
   if options.host_version:
     # TODO(sergeyu): Also check RPM package version once we add RPM package.
     return os.system(locate_executable(HOST_BINARY_NAME) + " --version") >> 8
 
   if options.watch_resolution:
     watch_for_resolution_changes(options.watch_resolution)
     return 0
 
   if not options.start:
     # If no modal command-line options specified, print an error and exit.
@@ skipping 193 matching lines @@
         else:
           logging.info("Host exited with status %s." % os.WEXITSTATUS(status))
       elif os.WIFSIGNALED(status):
         logging.info("Host terminated by signal %s." % os.WTERMSIG(status))
 
 
 if __name__ == "__main__":
   logging.basicConfig(level=logging.DEBUG,
                       format="%(asctime)s:%(levelname)s:%(message)s")
   sys.exit(main())