semantics of POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION

Miloslav Trmač mitr at redhat.com
Wed Dec 18 08:53:03 PST 2013 

----- Original Message -----
> On Tue, 2013-12-17 at 16:39 -0500, Miloslav Trmač wrote:
> 
> > > What are the implications of setting the flag when a >
> > non-interactive application is accessing the server? If the
> > authorization result is a "challenge"
> > (polkit_authorization_result_get_is_challenge), polkitd without the
> > flag just returns the "challenge" result.
> > 
> > With the flag, polkitd tries to search for a registered authentication
> > agent, and asks that agent to authorize the operation.  If no agent is
> > registered (e.g. a system daemon running outside of an user session
> > with its own UID), polkitd will again just return the "challenge"
> > result.
> 
> I see. And I suppose that the agent is global, rather than per process
> so it doesn't make sense to always use the flag and expect the
> non-interactive applications to be silent.

The agent is either per-session (and there may be multiple simultaneous sessions existing, and some processes are not in a session), or per-process (if there are both, the per-process agent takes precedence).

> > In the case of smart cards (which I assume is the concern), it might be
> > reasonable to disable user interaction, and by default authorize access
> > to an active user session (in the same logic as an owner of an active
> > user session is automatically "authorized" to use the keyboard and
> > mouse); this would let the sysadmin authorize e.g. httpd to access the
> > card but allow it by default.  This suggestion, however, glosses over
> > whether anything needs to be done when the active user session changes
> > due to fast user switching.
> 
> In all I find this flag a bit peculiar. I don't think that the
> server communicating with hardware should be expected to have the
> knowledge of whether the user is in an interactive session or not.

Well, a GUI popping up a password dialog because of an background action that wasn't directly initiated by an user is really something to avoid - it's indistinguishable from phishing.  Hence my recommendation above to use polkit in a way that doesn't involve user interaction at all.
    Mirek

More information about the polkit-devel mailing list