authentication agent and dbus services

Yclept Nemo orbisvicis at gmail.com
Tue Dec 22 01:21:45 PST 2009


Hi,

I'm not sure if this is the right forum to discuss this: if not,
please be patient and forward me elsewhere :)

The original policykit 0.9 project provides the
"org.freedesktop.PolicyKit.AuthenticationAgent" interface at the path
("org.freedesktop.PolicyKit.AuthenticationAgent","/") on the session
bus. Furthermore it provides a dbus service that executes
"/usr/lib/PolicyKit/polkit-gnome-manager" when methods on the
interface are queried.

Therefore, the authentication agent is automatically started.
Furthermore, polkit-gnome-agent falls back onto polkit-auth (text) if
no X11 environment is available. So to sum up, it is a reasonably
desktop-agnostic authentication agent.

This would be a simple example to obtain authorization (python):
import os
import dbus
# ObtainAuthorization arguments: action id, X11 window id (0 = none), caller pid
session_bus = dbus.SessionBus()
policykit = session_bus.get_object("org.freedesktop.PolicyKit.AuthenticationAgent","/")
granted = policykit.ObtainAuthorization("org.freedesktop.policykit.exec",dbus.UInt32(0),dbus.UInt32(os.getpid()))

Is polkitd the policykit authority component? It seems that the above
is possible without polkitd, even though policykit 0.9 provides a
"org.freedesktop.PolicyKit" service that starts
"/usr/lib/PolicyKit/polkitd".

--------------------------

Things changed slightly in the polkit-1 project: no dbus session services
are provided.

Instead, the polkit-1 project now provides the
"org.freedesktop.PolicyKit1.Authority" interface at the path
("org.freedesktop.PolicyKit1",
"/org/freedesktop/PolicyKit1/Authority") on the system bus.
Furthermore it provides a dbus service that executes
"/usr/lib/polkit-1/polkitd" as root when the
"org.freedesktop.PolicyKit1" path is accessed.

While this ensures that polkitd (the policykit authority component?)
will always be running during a query, no authentication agents are
provided/started. However, the additional package "polkit-gnome"
provides a polkit-1 authentication agent at
"/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1" which is
able to register itself to running polkitd daemons.

This would be a simple example to obtain authorization (python):
import os
import dbus
system_bus = dbus.SystemBus()
policykit = system_bus.get_object("org.freedesktop.PolicyKit1",
                                  "/org/freedesktop/PolicyKit1/Authority")
pk_authority = dbus.Interface(policykit, "org.freedesktop.PolicyKit1.Authority")
pid = os.getpid()
# Arguments: subject, action id, details, flags (1 = allow user interaction),
# cancellation id; timeout is the dbus-python call timeout in seconds.
(pk_granted,pk_other,pk_details) = pk_authority.CheckAuthorization(
        ('unix-process',{'pid':dbus.UInt32(pid,variant_level=1),'start-time':dbus.UInt64(0,variant_level=1)}),
        "org.freedesktop.policykit.exec",{},dbus.UInt32(1),'',timeout=600)

Unfortunately authorization cannot proceed without an authentication
agent. So, in which way should the authentication agent be started?

Should a dbus service file be provided by polkit-gnome or polkit-1?
Should an entry ~/.xinitrc or similar be used to start
"/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1" alongside
a window manager?
Should polkitd automatically spawn a default authentication-agent, one
that works in qt/gtk/other/text-only modes?

While possibly not an issue, some choices might not start the
authentication agent as the current user. If the dbus service was
provided over the session bus, how would it communicate with the
system bus.. etc?

thanks,


More information about the polkit-devel mailing list
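
Added example (not part of the original post and not polkit's own code): the CheckAuthorization subject in the post passes 'start-time' as 0. Assuming Linux, and assuming the field takes the starttime value (field 22) of /proc/<pid>/stat, the code below reads that value so the subject names one process instance rather than whatever currently holds the PID. parse_start_time, unix_process_subject and SAMPLE_STAT are hypothetical names; the returned values are plain ints, to be wrapped in dbus.UInt32 / dbus.UInt64 as in the post.

```python
# Constructed sample of /proc/<pid>/stat (not captured from a real system).
# The comm field (2nd) is chosen by the process itself and may contain
# spaces and ')' characters, so a plain whitespace split miscounts fields.
SAMPLE_STAT = (
    "4242 (evil) S 1 (x) S 1 4242 4242 0 -1 4194304 120 0 0 0 "
    "3 1 0 0 20 0 1 0 987654 10485760 256\n"
)


def parse_start_time(stat_text):
    """Return field 22 (starttime, in clock ticks since boot)."""
    # comm ends at the LAST ')'; everything after it is numeric or a
    # single state letter, so splitting on whitespace is safe from there.
    close = stat_text.rfind(")")
    if close == -1:
        raise ValueError("no comm field in stat data")
    fields = stat_text[close + 1:].split()
    # fields[0] is field 3 (state), so field 22 sits at index 19.
    if len(fields) < 20:
        raise ValueError("stat data truncated before starttime")
    return int(fields[19])


def unix_process_subject(pid, stat_text=None):
    """Build the ('unix-process', {...}) subject with a real start-time.

    stat_text is only passed in for offline use; by default the live
    /proc entry for pid is read.
    """
    if stat_text is None:
        with open("/proc/%d/stat" % pid) as f:
            stat_text = f.read()
    start_time = parse_start_time(stat_text)
    # Field 1 is the pid; refuse data that describes a different process.
    if int(stat_text.split(None, 1)[0]) != pid:
        raise ValueError("stat data does not belong to pid %d" % pid)
    return ("unix-process", {"pid": pid, "start-time": start_time})


if __name__ == "__main__":
    print(unix_process_subject(4242, SAMPLE_STAT))
```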