Create desktop entry of application on Linux
Created: Tue 22 Aug 2023 Updated: 10 months, 1 week ago
In this article, I'll show you how you can create desktop entrie for application and do required changes in the sudoers file along with safety measures. You will also get to know how to run sudo privileged application from desktop entry without doing any changes in the sudoers file.
Introduction
Usually when we install a new application on Linux, an executable shortcut of that application is created in a desktop environment. This shortcut is a desktop entry for the application's executable file which can be used to launch the application. But there are some applications that do not come with a desktop entry mechanism and users have to start the app from the terminal.
There could be a couple of reasons why an application does not create a desktop entry by default. One possible reason could be that the application might not have any GUI to start with and the only way to utilize the application is through the use of CLI (Command line interface). Another reason could be that the application services might need privilege escalation.
To create desktop entries for such applications, user may need to do changes in the sudoers file to explicitly allow a no-password rule for a certain user over that application. It's the responsibility of System admin to manage the sudoer file and regular users along with any application should not mess with it.
Bash script to create desktop entry
If you are in a hurry and just want to create a desktop entry without gaining any insight how things work, just download the script from my GitHub repository and run it to automate the process of creating a desktop entry. There are two scripts in my GitHub repository. One is desktop_entry_arg.sh and other one is desktop_entry_inp.sh where purpose of them is same.
Script desktop_entry_arg
takes command line arguments while running the script and desktop_entry_inp takes user inputs to
proceed further. Check README before
running the script to know about them. Three things
you need before running the script: Desktop entry name, absolute execution application
file path, and absolute icon file path. Use bash desktop_entry_inp.sh to run the script.
This script will create desktop entry for current user and won't do any changes in the sudoers
file. If while changing sudoers file, you unintentally misconfigured it, run pkexec visudo command to open the sudoers file and
remove the appropriate line.
Creating Desktop Entry
Everything in Linux is a file. So for creating a desktop entry, the first thing we need to do is to create a new file in the appropriate location. Use the below command to create a new file and open it:
mkdir -p ~/.local/share/applications && nano ~/.local/share/applications/myapp.desktop
After running this command in the terminal, all required directories should be created (if not already present) and a new file will be opened. I'm using nano for editing the file but you can use vi if you prefer. Here I'm creating a myapp.desktop file. You should rename it with the name of your application. Make sure that your file name ends with .desktop for desktop entry to work.
Now you need to define all the keys and their relevant values that a desktop entry requires. In the opened file, add this block of content:
[Desktop Entry] Version=1.0 Type=Application Name=Myapp Keywords=Protocol Exec=bash /home/scripts/script.sh Icon=/home/icons/icon1.png Terminal=true
- [Desktop Entry]: This is initialization tag of the desktop entry file. It's a necessary attribute to have in the file at starting. Desktop entry will not work without this tag.
- Version=1.0: It specifies version of desktop entry. This tag should not be mistaken for the application version. The version attribute is optional.
- Type=Application: Used to define the type of service that this desktop entry will execute. In this case, It's an application but the possible options are Application, Link, or Directory. Type tag is necessary to include in the file.
- Name=Myapp: Name tag is used to set the name of the application. It will be the name of desktop shortcut file and any application search query in the desktop environment will refer to this tag. Name tag is necessary to have in the file.
- Keywords=Protocol: It defines what keywords can be used to search for this shortcut in the desktop environment. Here I'm using Protocol which means this shortcut will be visible in desktop environment menus when searched using Myapp or Protocol. This tag is optional and you can assign multiple values to it separated by single space.
- Exec=bash /home/scripts/script.sh: Defines the application path along with arguments of the executable file. Here I'm using a bash script file script.sh to execute. The script file is written in bash and needs bash interpreter to run, which is why you need to add bash in Exec= tag. This tag is necessary to use in the file.
- Icon=/home/icons/icon1.png: This tag is used to set an icon for desktop shortcut by providing the path of the icon file, locally present in the system. It is optional to use and supports png, ico, and svg image formats.
- Terminal=true: It's a boolean tag and Its value depends on what type of output will be provided by this desktop entry. If the executable path is a script file and prints output in the terminal (like in our case), the value should be set to true for this tag. If this desktop entry executes a GUI application, then the value should be set to false for this tag.
Optional: This is a very simple desktop entry file that executes a bash script file. Like in most cases, you may require privilege escalation to execute a certain GUI application. To create desktop entry file for this type of scenario, use this setting and replace it with existing Exec= and Terminal=option in file:
Exec=sh -c "pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY sudo /home/app_dir/myapp.run" Terminal=false
After doing the above changes, your desktop entry file content will be like the image below:
In this desktop entry file, we are trying to execute an application with privilege escalation. sh -c is used to execute a command in a new shell instance. Option -c tells the shell to consider the command as a whole string to be executed. pkexec is privilege escalation tool which is used to execute a specific command as another user. In our case, we are using pkexec to execute the application -myapp.run, using sudo privileges.
We also used env to define environment variables that are required to execute the application as another user. pkexec does not allow executing application as another user if these variables are not set. Next, we set Terminal to false because we are using GUI application and it does not require output in the terminal.
When we try to use this desktop entry, we'll be prompted with a password in GUI (as setup using pkexec) to execute the application. There are many more optional tags that can be used to further refine the desktop entry file. Use Desktop entry spec manual to know more about tags.
Privilege escalation using sudoers file
Instead of entering the password every time before running the desktop entry, you can set the role for a specific user to execute a specific file without providing any password. It is critical process and It should be avoided. However, if you are a System administratoror someone who knows what a misconfigured sudoersfile can cost, you may follow the rest of the process.
Let's say we have an application file that needs privilege escalation to execute. Instead of
using pkexec and defining environment
variables in the desktop entry file, we can simply write Exec= tag as Exec=sudo /home/my_app/app.run in desktop entry
file. Now run sudo visudo command or use sudo nano /etc/sudoers command in the terminal to
open the sudoers file. At the end of the file, add this line:
protocolten ALL=NOPASSWD: /home/app_dir/app.run
Save and close the file now. Do not change anything else and make sure the syntax is correct. By adding this entry in the sudoers file, protocolten is the name of the user that will be executing the desktop entry, ALL=NOPASSWD specifies that the particular user can perform execution from any host and app.run is the file that assigned to the user. Now this user will not require to input any password after executing the desktop entry file to run the application.
Known application issues in sudo privilege
If you have gone through the article, it should be clear to you by now how desktop entry works and how to utilize tools like pkexec for privilege escalation. Always keep one thing in mind that Exec= tag is for listing execution file path and arguments.
If you have used Xampp on a Linux environment, then you most probably have come across this issue where without using the sudoers file, pkexec takes password from user as input but does not start the desktop entry. The issue is using the Exec= to run command directly as Exec=pkexec /home/app_dir/app.run which is not possible. Remember, you need to use sh -c that will start a new terminal instance (in headless mode) to execute the command passed as a string. Also, you must pass the environment variables while executing the application file. So the complete desktop entry file for Xampp will look like this:
[Desktop Entry] Version=1.0 Type=Application Name=Xampp Exec=sh -c "pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY sudo /opt/lampp/manager-linux-x64.run" Icon=/home/webner/Harpreet/bash/icon3.png Terminal=false
This way user will be prompted to enter the password to execute the desktop entry file and Xampp application will be executed afterward.
