[systemd-devel] Work on adding polkit support to systemd1

Stef Walter stef at thewalter.net
Mon Sep 1 06:28:47 PDT 2014


On 01.09.2014 11:47, David Herrmann wrote:
> Hi
> 
> On Mon, Sep 1, 2014 at 9:51 AM, Stef Walter <stefw at redhat.com> wrote:
>> On 18.08.2014 18:22, Lennart Poettering wrote:
>>> I have now pushed this, after reworking this on top of some major changes
>>> to bus_verify_polkit(), which avoids having to pass the original
>>> callbacks through to the function that ultimately does the verification.
>>>
>>> While merging I also made another change, you are probably not going to
>>> like: I turned off the interactivity for the polkit checks. Interactivity
>>> needs to be optional, and it currently is for all our polkit-enabled bus
>>> methods. And we should do the same for the PID 1 offered methods.
>>
>> Ugh.
>>
>>> Now, of course, we should open this up for interactive (after all,
>>> that's what polkit is good for), but we probably need a new set of
>>> methods for that, which take the original arguments but also take a
>>> boolean argument to enable interactivity. Hence, we probably should have
>>> StartUnit2() in addition to StartUnit().
>>
>> That seems ugly. I think we should either:
>>
>>  * Have a method which we can invoke to make a client opt into
>>    interactive polkit prompting for any invoked method.
>>
>>  * Version all the org.freedesktop.systemd1.Manager to
>>    org.freedesktop.systemd1.Manager2 or something like that and support
>>    both interfaces.
> 
> We had the idea to reserve a single bit in the dbus message header for
> that. See the discussion on the dbus-ML:
>     http://lists.freedesktop.org/archives/dbus/2014-August/016294.html

Thanks.

> It looks like the most sane way to resolve this issue, imho.

I guess so. Makes a lot of sense.

We'll need to see how backportable this ends up being for all of
libdbus, gdbus ... offhand it doesn't seem *that* invasive if it's
just a flag.

Otherwise (for Cockpit) we'll end up doing the brain-dead wrapping of all
systemd APIs with yet another daemon that just does interactive polkit
authentication :S

Will keep an eye on this.

Cheers,

Stef
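
Added example, not part of the original thread or systemd's own code: a sketch of the service-side check that the header-bit idea implies, using the ALLOW_INTERACTIVE_AUTHORIZATION flag (0x4) as the D-Bus specification later defined it. The helper name, the enum and the sample header bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits carried in byte 2 of the D-Bus fixed header (D-Bus specification). */
#define DBUS_FLAG_NO_REPLY_EXPECTED               0x1
#define DBUS_FLAG_NO_AUTO_START                   0x2
#define DBUS_FLAG_ALLOW_INTERACTIVE_AUTHORIZATION 0x4
#define DBUS_TYPE_METHOD_CALL 1
#define DBUS_MIN_HEADER 16 /* 12 fixed bytes + 4-byte header-field array length */

enum polkit_mode { POLKIT_REJECT = -1, POLKIT_NON_INTERACTIVE = 0, POLKIT_INTERACTIVE = 1 };

/* Hypothetical helper: pick the polkit mode for an incoming message.
 * Prompting is opt-in per call; anything else stays non-interactive. */
enum polkit_mode polkit_mode_for_message(const uint8_t *msg, size_t len) {
    if (msg == NULL || len < DBUS_MIN_HEADER)
        return POLKIT_REJECT;                 /* truncated header */
    if (msg[0] != 'l' && msg[0] != 'B')
        return POLKIT_REJECT;                 /* unknown endianness marker */
    if (msg[3] != 1)
        return POLKIT_REJECT;                 /* unsupported protocol version */
    if (msg[1] != DBUS_TYPE_METHOD_CALL)
        return POLKIT_NON_INTERACTIVE;        /* flag only matters on method calls */
    return (msg[2] & DBUS_FLAG_ALLOW_INTERACTIVE_AUTHORIZATION)
        ? POLKIT_INTERACTIVE : POLKIT_NON_INTERACTIVE;
}

/* Constructed sample headers (header fields and body omitted). */
static const uint8_t SAMPLE_LEGACY[16]  = { 'l', 1, 0x00, 1, 0,0,0,0, 1,0,0,0, 0,0,0,0 };
static const uint8_t SAMPLE_OPT_IN[16]  = { 'l', 1, 0x04, 1, 0,0,0,0, 2,0,0,0, 0,0,0,0 };
static const uint8_t SAMPLE_SIGNAL[16]  = { 'B', 4, 0x05, 1, 0,0,0,0, 0,0,0,3, 0,0,0,0 };
static const uint8_t SAMPLE_BAD_VER[16] = { 'l', 1, 0x04, 2, 0,0,0,0, 4,0,0,0, 0,0,0,0 };

int main(void) {
    printf("legacy client:   %d\n", polkit_mode_for_message(SAMPLE_LEGACY, sizeof SAMPLE_LEGACY));
    printf("opt-in client:   %d\n", polkit_mode_for_message(SAMPLE_OPT_IN, sizeof SAMPLE_OPT_IN));
    printf("signal w/ flag:  %d\n", polkit_mode_for_message(SAMPLE_SIGNAL, sizeof SAMPLE_SIGNAL));
    printf("bad version:     %d\n", polkit_mode_for_message(SAMPLE_BAD_VER, sizeof SAMPLE_BAD_VER));
    return 0;
}
```

A client that never sets the bit gets the same non-interactive check as before, so existing callers of methods such as StartUnit() are unaffected and no parallel method or interface is needed.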


