Privileged helper for xdg-app

Alexander Larsson alexl at redhat.com
Fri Jan 8 14:20:00 UTC 2016


On fre, 2016-01-08 at 13:46 +0000, Emmanuele Bassi wrote:
> Hi;
> 
> On 8 January 2016 at 13:26, Richard Hughes <hughsient at gmail.com>
> wrote:
> > Hi all,
> > 
> > For gnome-software we need to do all actions with user permissions.
> > We'd then need a privileged helper to install applications
> > system-wide. Several thoughts come to mind:
> > 
> > 1. Just reuse PackageKit: I think this is using a steamroller to
> > crack a nut, and also ties us to a lot of the traditional problems,
> > and would also need us to support mixed-backend functionality
> > 2. Just use a pkexec binary: I think this would work, but doesn't
> > give us any of the progress information we need for a GUI client
> > (i.e. is fire-and-forget)
> > 3. Create a small daemon (possibly living in xdg-app git) which
> > just auto-launches, claims a bus name systemwide, does the
> > operation and then quits.
> 
> At Endless we have a daemon like this. It used to be way too clever,
> until we dropped 99% of it and made it fairly dumb.
> 
> The only things it does are:
> 
>  * sit on the system bus via auto-activation
>  * use polkit to do privilege escalation
>  * install
>  * update
>  * remove

I'd go even further. I don't want the root-privileged daemon doing
network I/O at all. So, I think we want to support:

 * install (update if already installed) ref from local repo
 * remove ref

Then, to use this the "client" would make a shallow clone of the local
xdg-app repo (by using the parent_repo feature of ostree) and then do
the network I/O. When that is done it would call the D-Bus API to
trigger the import.

> > Option 3 makes most sense in my head, but does need the usual GDBus
> > overhead, XML interface files, dbus permission file, etc. We'd also
> > have to decide some key things like:
> > 
> > * default policy of who can do what: PK makes this even harder by
> > allowing "signed" applications to be installed without the admin
> > password

The xdg-app config does specify the rules, and the gpg keys to use for
each remote. One could assume that if root set it up to trust some
specific remote + key then it would be ok for "local" users to
update/install from it. Another alternative is to add a per-remote
metadata field that controls if any user can install from it.


> We have a default policy that allows "admin" users to install without
> a password, and that has worked fairly well for us.

What does that mean? Wheel group membership?

> > * do we support more than one operation to be done in parallel:
> > making things simple means we have to just have a percentage
> > property without worrying about "transactions" and things happening
> > in threads
> 
> We really, really do want operations to run in parallel as much as
> possible. Users already try to install/update/remove multiple apps.
> One of the reasons for the simplification of our privileged installer
> daemon was that it made parallel operations really easy to handle.

xdg-app and the way it uses ostree is (meant to be) fully safe against
parallel use. (Some outstanding fixes pending). There should not be any
problem here.

> You need a transaction object on the bus, sure; but you don't need
> weird queues, since the object will be kept alive until the operation
> is either terminated or cancelled.

With my proposal above (downloads happen outside the daemon) I don't
really think it makes sense to cancel operations at all. While they are
not instant, they are at most on the order of ten seconds.

> > * do we support adding and removing remotes system-wide as well, if
> > so, policy?

This one is more tricky, as adding a trusted remote hands over new
permissions to other users... I'd say let's avoid it for now and require
root/distro/initial-setup to set up things.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl at redhat.com            alexander.larsson at gmail.com 
He's a Nobel prize-winning white trash matador from the Mississippi 
delta. She's a mentally unstable mute vampire looking for love in all the 
wrong places. They fight crime! 
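The authorization rule sketched in this thread (unprivileged users may import from a remote only if root configured that remote with a trusted GPG key and opted it in, everything else goes through polkit admin authentication, and the daemon never touches the network) can be written down as a small policy check. The following is an added example, not code from the thread or from xdg-app; it assumes the system repo config is in the GLib keyfile syntax ostree uses, that the opt-in lives in a per-remote key (the name `xa.allow-unprivileged-install` is hypothetical), and that the decision strings map onto polkit results the helper would enforce. The sample config is constructed for the example.

```python
"""Policy check for a privileged xdg-app install helper (added example).

Assumptions (not from the mailing-list thread):
  * the system repo config is a GLib keyfile, as ostree writes it;
  * root opts a remote in for all users with the hypothetical key
    xa.allow-unprivileged-install=true;
  * the returned string is what the helper does before handing the
    request to polkit: "allow" (no prompt), "auth_admin" (ask polkit for
    admin authentication) or "deny" (refuse outright).
"""
import configparser
import re

# Constructed sample of a system repo config (ostree keyfile syntax).
SAMPLE_REPO_CONFIG = """\
[core]
repo_version=1
mode=bare

[remote "gnome"]
url=https://sdk.gnome.org/repo/
gpg-verify=true
xa.allow-unprivileged-install=true

[remote "vendor-unsigned"]
url=https://example.invalid/repo/
gpg-verify=false
xa.allow-unprivileged-install=true

[remote "staging"]
url=https://example.invalid/staging/
gpg-verify=true
"""

SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


def parse_repo_config(text):
    """Return {remote_name: {key: value}} for every [remote "..."] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    remotes = {}
    for section in cp.sections():
        m = re.fullmatch(r'remote "([^"]+)"', section)
        if m:
            remotes[m.group(1)] = dict(cp[section])
    return remotes


def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes")


def valid_ref(ref):
    """Accept only app/ID/ARCH/BRANCH or runtime/ID/ARCH/BRANCH.

    The ref string comes from an unprivileged caller, so it must never be
    able to smuggle path components like ".." into the ostree repo layout.
    """
    parts = ref.split("/")
    if len(parts) != 4 or parts[0] not in ("app", "runtime"):
        return False
    return all(SEGMENT_RE.fullmatch(p) and p not in (".", "..")
               for p in parts[1:])


def decide(caller_uid, remote_name, ref, remotes):
    """Authorization decision for 'import ref from remote into system repo'."""
    if not valid_ref(ref):
        return "deny"                 # malformed input never reaches ostree
    remote = remotes.get(remote_name)
    if remote is None:
        return "deny"                 # only remotes root set up may be used
    if caller_uid == 0:
        return "allow"
    # ostree defaults gpg-verify to true when the key is absent; the opt-in
    # key defaults to false so an unlisted remote fails closed.
    if (_truthy(remote.get("gpg-verify", "true"))
            and _truthy(remote.get("xa.allow-unprivileged-install", "false"))):
        return "allow"                # root trusts this remote + key for all users
    return "auth_admin"               # let polkit decide who counts as admin


REMOTES = parse_repo_config(SAMPLE_REPO_CONFIG)

if __name__ == "__main__":
    for uid, remote, ref in [(1000, "gnome", "app/org.gnome.gedit/x86_64/master"),
                             (1000, "vendor-unsigned", "app/org.example.App/x86_64/master"),
                             (1000, "staging", "runtime/org.gnome.Platform/x86_64/3.18"),
                             (1000, "gnome", "app/../etc/passwd")]:
        print(uid, remote, ref, "->", decide(uid, remote, ref, REMOTES))
```

The check only covers the policy decision; the import step itself still has to verify the commit's GPG signature against the keyring root installed for that remote, otherwise the "trusted remote" opt-in protects nothing, since the unprivileged client controls the contents of the local repo it asks the helper to import from.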