Polkit auth

[Tobias Arrskog]

On Sat, Apr 16, 2011 at 3:38 PM, David Zeuthen <zeuthen at gmail.com> wrote:

> Hi,
>
> On Fri, Apr 15, 2011 at 12:03 PM, Tobias Arrskog
> <topfs2 at xboxmediacenter.com> wrote:
> > I guess we can do what gnome does and create an auth agent but that
> agent,
> > afaict, needs to run as root?
>
> No, this does not require root - when authenticating an user (and only
> when doing that), however, the libpolkit-agent library calls upon a
> setuid root helper for authentication.
>
> > Seeing as XBMC is a single process application
> > we would need to create an extra daemon just for this
>
> You can easily do this from within your main process (that's what
> GNOME Shell is doing) without creating any extra process.
>
> Of course, if an existing authentication agent exists for the session
> in question, then you trying to become an authentication agent will
> fail (as it should). FYI, the docs have some information about writing
> authentication agents, see:
>
>  http://hal.freedesktop.org/docs/polkit/polkit-agents.html


Oh interesting, I think I may have read in the wrong documents then, the
ones I read seemed to be in regards to actually setuid on a process. Thanks
so very much for that link. It looks to be much more in line to what I want.


> FWIW, I disagree that your app (or any full-screen app) should take on
> the role of an authentication agent if running under e.g. GNOME or KDE
> or whatever. And, FWIW, I think it will work just fine under e.g.
> GNOME Shell where the authentication agent works like this
>
>  http://davidz25.blogspot.com/2011/02/gnome-3-authorization.html
>
> e.g. properly fades down the screen.
>
>    David
>

The problem is mostly when you have a user which uses a non-keyboard to
navigate XBMC (you can use LIRC devices but also gamepads and even phones to
navigate). We have a virtual keyboard which these devices can use (if they
need to) so if a user uses one of these non-HID devices they would actually
get stuck when the gnome3 auth pops up.

That being said, if its not possible (and not wanted by you guys to allow
this) its not a catastrophe as most users using xbmc from within gnome/kde
will have a keyboard accessible (or are using xbmc with a keyboard). So
allowing xbmc to temporarily take over auth from gnome/kde would mostly be a
niceness feature, one I thought worthy to bring up here for consideration.
Overall the gnome3 auth should work quite well for the majority of the users
in this case no matter.

Cheers,
Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/polkit-devel/attachments/20110416/403da5a8/attachment.html>