<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Sep 30, 2013 at 9:32 PM, Miloslav Trmač <span dir="ltr"><<a href="mailto:mitr@redhat.com" target="_blank">mitr@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:'times new roman','new york',times,serif"> <blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"><div>On Mon, Sep 30, 2013 at 8:40 PM, Miloslav Trmač <span dir="ltr"><<a href="mailto:mitr@redhat.com" target="_blank">mitr@redhat.com</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote"> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hello,<br><div><hr><div> > What I'm trying to do is register a polkit authentication agent in a python<br> > script, through the dbus api. I have attached, a rather simplistic, first<br> > start of this. From what I can read out of the logs it seems to register<br> > alright but nothing is relayed to it for authentication.<br><div><br></div> > First question is that it seems like RegisterAuthenticationAgent takes a few<br></div></div><div>> different subject kinds . unix-process and unix-session. What is the<br><div>> difference between these and what should I be using?<br> <div><br></div></div>You can register more than one agent; each agent is only called for those subject they register for. unix-process is obviously limited to that single process. So if you want to register for all processes running within the session / within the appliance UI, unix-session is more appropriate.<br> </div></blockquote><div><div><br></div><div>Does this mean that if xbmc runs within another session, say gnome, and we use packagekit for installing our addons, if we'd register a unix-process that one will take precedence over the one in gnome?</div> </div></div></div></div></blockquote><div>Yes. (You can also register a "fallback agent" for a unix-process, but you wouldn't to in this case.)<br></div></div></div></blockquote><div><br></div><div>This is amazing, this is exactly what we want to achieve and something I've asked for before! Awesome!</div> <div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:'times new roman','new york',times,serif"> <div></div><div> <div><br></div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"> <div class="gmail_extra"><div class="gmail_quote"><div> Or perhaps that only holds true for a polkit action which isn't registered in the session agent?</div></div></div></div></blockquote></div><div>No, agents register for subjects, not for actions.<br> </div><div><div><br></div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <div>> When registering I submit my object path, which is '/org/xbmc/polkit' but<br> > what is the destination for this object? I'm using 'org.xbmc.polkit' for my<br> > service, but how does polkit knows this?<br><div><br></div></div>An agent can only register itself; polkit uses the identity of the caller of the RegisterAuthenticationAgent operation (technically using the :number unique identifier). I don't think it's necessary to register a well-known-name.<br> </blockquote><div><br></div><div>So polkit is able to deduct the destination from the object path and the bus used for the call? I'm not a dbus expert so wasn't aware that this was possible?</div></div></div></div> </blockquote></div><div>Yes; this is fundamental to being able to send a reply to a request at all.<br></div></div></div></blockquote><div><br></div><div>Oh, that makes so much sense, thanks!</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <div><div style="font-size:12pt;font-family:'times new roman','new york',times,serif"><div></div><div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div> So if I understand you correctly I just need to make sure I use the same bus for the service as the registration?</div></div></div></div></blockquote> </div><div>That should be basically it. But I'm not a D-Bus expert either I'm afraid, and especially not an expert in the various interface libraries.<br></div><div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> <div>> Could this be why its not called to<br> > authenticate even if register went through alright?<br><div><br></div></div>These two lines seem rather suspect:<br> > 'session-id': getSessionID(),<br> > 'session_id': ""<br><div><br></div> Other than that, if there are no error messages returned through the D-Bus API, I can suggest only running polkitd without --no-debug and capturing the output, and attaching a debugger to polkitd.<br></blockquote><div><br> </div><div>Yeah I'm very uncertain on those, from the RegisterAuthenticationAgent documentation I found this line</div><div>"<span style="font-size:medium;font-family:'Times New Roman'">Note that current versions of PolicyKit will only work if </span><em style="font-size:medium;font-family:'Times New Roman'"><code>session_id</code></em><span style="font-size:medium;font-family:'Times New Roman'"> is set to the empty string. In the future it might work for non-empty strings if the caller is sufficiently privileged."</span></div> <div><br></div>I thought that referred to be on the subject but it strikes me know that I might have misunderstood this. If so I'm not sure at all where I should set "session_id" :)</div></div></div></blockquote> </div><div>(For others looking, it is data/org.freedesktop.PolicyKit1.Authority.xml . I'm afraid this is a bug in the documentation; for now filed as <a href="https://bugs.freedesktop.org/show_bug.cgi?id=69980" target="_blank">https://bugs.freedesktop.org/show_bug.cgi?id=69980</a> ).<br> </div><div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"> <div class="gmail_extra"><div class="gmail_quote"><div>I tried to start polkitd with --no-debug (if I did it correctly)</div></div></div></div></blockquote></div><div>Note that, at least on Fedora, --no-debug is default, so it is necessary to _remove_ it (and then capture stderr).<br> </div></div></div></blockquote><div><br></div><div>Sigh, when I read your response now I realized I ran the new polkitd _with_ --no-debug. I retried without --no-debug and got so much more information. Seems like my BeginAuthentication was wrong, I didn't have the proper parameters in my python script.</div> <div><br></div><div><div>** (polkitd:8053): WARNING **: Error parsing identity unix-group:admin: No UNIX group with name admin: Success</div><div>Error performing authentication: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: Method "BeginAuthentication" with signature "sssa{ss}sa(sa{sv})" on interface "org.freedesktop.PolicyKit1.AuthenticationAgent" doesn't exist</div> <div> (g-dbus-error-quark 19)</div><div><br></div><div>I do have 6 parameters but I suspect I've done something wrong in my python implementation (I'm more used to do dbus stuff in c++).</div><div> <br></div></div> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:'times new roman','new york',times,serif"> <blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div>and checked auth.log, it gave some interesting results (which I'm not entirely sure how to interpret)</div><div>(at line3 is when I closed polkitd with a killall -9 polkitd)</div> <div><br></div></div><div><div><div>topfs@tobias-desktop:/var/log$ tail -f auth.log</div></div><div>Sep 30 21:01:16 tobias-desktop polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session10 (system bus name :1.119 [python simple-unix-session-agent.py], object path /org/xbmc/polkit, locale sv_SE)<div> Sep 30 21:05:07 tobias-desktop polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session10 FAILED to authenticate to gain authorization for action com.ubuntu.softwareproperties.applychanges for system-bus-name::1.126 [/usr/bin/python3 /usr/bin/software-properties-gtk -n -t 0] (owned by unix-user:topfs)</div> </div></div><div><div><br></div><div>So from what I can see it seems like it registers alright but it never calls my python scripts method (begin authentication et al).</div></div></div></div></div></blockquote> <div>I'm afraid it's time for gdb then; there is no logging inside the code of get_authentication_agent_for_subject AFAICS.<br></div><div><div><br></div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:initial;font-weight:normal;border-left-width:2px;border-left-style:solid;border-left-color:rgb(16,16,255)"> <div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>I've registered it under locale sv_SE, perhaps thats wrong or not what fluxbox (which is my testing session) is using by default?</div><div>Can I register my agent on any locale?</div> </div></div></div></blockquote></div><div>The locale is not involved in choosing which agent to run, only what messages to give to it.<br></div><div> Mirek<br></div></div></div></blockquote><div><br></div><div><br></div> <div>I think I know what the error is now, thanks so much for helping me!</div><div><br></div><div>Cheers,</div><div>Tobias </div></div><br></div></div>