Creating a polkit authentication agent

Tobias Arrskog topfs2 at xboxmediacenter.com
Mon Sep 30 12:11:39 PDT 2013


On Mon, Sep 30, 2013 at 8:40 PM, Miloslav Trmač <mitr at redhat.com> wrote:

> Hello,
> ----- Original Message -----
> > What I'm trying to do is register a polkit authentication agent in a
> > python script, through the dbus api. I have attached, a rather
> > simplistic, first start of this. From what I can read out of the logs it
> > seems to register alright but nothing is relayed to it for authentication.
>
> > First question is that it seems like RegisterAuthenticationAgent takes a
> > few different subject kinds: unix-process and unix-session. What is the
> > difference between these and what should I be using?
>
> You can register more than one agent; each agent is only called for those
> subjects they register for.  unix-process is obviously limited to that
> single process.  So if you want to register for all processes running
> within the session / within the appliance UI, unix-session is more
> appropriate.
>

Does this mean that if xbmc runs within another session, say gnome, and we
use packagekit for installing our addons, if we'd register a unix-process
that one will take precedence over the one in gnome? Or perhaps that only
holds true for a polkit action which isn't registered in the session agent?


> > When registering I submit my object path, which is '/org/xbmc/polkit' but
> > what is the destination for this object? I'm using 'org.xbmc.polkit' for
> > my service, but how does polkit know this?
>
> An agent can only register itself; polkit uses the identity of the caller
> of the RegisterAuthenticationAgent operation (technically using the :number
> unique identifier).  I don't think it's necessary to register a
> well-known-name.
>

So polkit is able to deduce the destination from the object path and the
bus used for the call? I'm not a dbus expert so wasn't aware that this was
possible. So if I understand you correctly I just need to make sure I use
the same bus for the service as the registration?


>
> > Could this be why it's not called to
> > authenticate even if register went through alright?
>
> These two lines seem rather suspect:
> >    'session-id': getSessionID(),
> >    'session_id': ""
>
> Other than that, if there are no error messages returned through the D-Bus
> API, I can suggest only running polkitd without --no-debug and capturing
> the output, and attaching a debugger to polkitd.
>

Yeah I'm very uncertain on those, from the RegisterAuthenticationAgent
documentation I found this line
"Note that current versions of PolicyKit will only work if *session_id* is
set to the empty string. In the future it might work for non-empty strings
if the caller is sufficiently privileged."

I thought that referred to be on the subject but it strikes me now that I
might have misunderstood this. If so I'm not sure at all where I should set
"session_id" :)

I tried to start polkitd with --no-debug (if I did it correctly) and
checked auth.log, it gave some interesting results (which I'm not entirely
sure how to interpret)
(at line 3 is when I closed polkitd with a killall -9 polkitd)

topfs at tobias-desktop:/var/log$ tail -f auth.log
Sep 30 20:59:44 tobias-desktop sudo: pam_unix(sudo:session): session opened for user root by topfs(uid=0)
Sep 30 20:59:44 tobias-desktop sudo: pam_unix(sudo:session): session closed for user root
Sep 30 20:59:57 tobias-desktop sudo:    topfs : TTY=pts/1 ; PWD=/home/topfs ; USER=root ; COMMAND=/usr/bin/killall polkitd
Sep 30 20:59:57 tobias-desktop sudo: pam_unix(sudo:session): session opened for user root by topfs(uid=0)
Sep 30 20:59:57 tobias-desktop sudo: pam_unix(sudo:session): session closed for user root
Sep 30 21:00:25 tobias-desktop gnome-keyring-daemon[4236]: couldn't set environment variable in session: The name org.gnome.SessionManager was not provided by any .service files
Sep 30 21:00:25 tobias-desktop gnome-keyring-daemon[4236]: keyring alias directory: /home/topfs/.local/share/keyrings
Sep 30 21:01:10 tobias-desktop sudo:    topfs : TTY=pts/1 ; PWD=/home/topfs ; USER=root ; COMMAND=/usr/lib/policykit-1/polkitd --no-debug
Sep 30 21:01:10 tobias-desktop sudo: pam_unix(sudo:session): session opened for user root by topfs(uid=0)
Sep 30 21:01:16 tobias-desktop polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session10 (system bus name :1.119 [python simple-unix-session-agent.py], object path /org/xbmc/polkit, locale sv_SE)
Sep 30 21:05:07 tobias-desktop polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session10 FAILED to authenticate to gain authorization for action com.ubuntu.softwareproperties.applychanges for system-bus-name::1.126 [/usr/bin/python3 /usr/bin/software-properties-gtk -n -t 0] (owned by unix-user:topfs)


So from what I can see it seems like it registers alright but it never
calls my python script's method (begin authentication et al).
I've registered it under locale sv_SE, perhaps that's wrong or not what
fluxbox (which is my testing session) is using by default?
Can I register my agent on any locale?


>     Mirek
>

Thanks so much for the help!

Cheers,
Tobias
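
Added example, not part of the original message and not polkit's own code: a small Python correlator that reads polkitd lines from auth.log and, for each failed authentication, reports which agent polkitd had registered for the same subject at that moment. The names correlate, SAMPLE_LOG, REGISTERED and FAILED are hypothetical, and the two patterns assume the message layout seen in the two polkitd lines quoted above.

```python
import re

# Constructed input: the two polkitd lines from the auth.log excerpt above, unwrapped.
SAMPLE_LOG = """\
Sep 30 21:01:16 tobias-desktop polkitd(authority=local): Registered Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session10 (system bus name :1.119 [python simple-unix-session-agent.py], object path /org/xbmc/polkit, locale sv_SE)
Sep 30 21:05:07 tobias-desktop polkitd(authority=local): Operator of unix-session:/org/freedesktop/ConsoleKit/Session10 FAILED to authenticate to gain authorization for action com.ubuntu.softwareproperties.applychanges for system-bus-name::1.126 [/usr/bin/python3 /usr/bin/software-properties-gtk -n -t 0] (owned by unix-user:topfs)
"""

# Patterns inferred from the two lines above (an assumption, not a polkit spec).
REGISTERED = re.compile(
    r"polkitd\(authority=\w+\): Registered Authentication Agent for (?P<subject>\S+) "
    r"\(system bus name (?P<bus>\S+) \[(?P<cmd>[^\]]*)\], "
    r"object path (?P<path>[^,\s]+), locale (?P<locale>[^)\s]+)\)")
FAILED = re.compile(
    r"polkitd\(authority=\w+\): Operator of (?P<subject>\S+) FAILED to authenticate "
    r"to gain authorization for action (?P<action>\S+) for (?P<requester>\S+)")


def correlate(log_text):
    """Return one record per failed authentication, paired with the agent
    (if any) most recently registered for the same subject."""
    agents = {}      # subject string -> fields of its latest registration
    findings = []
    for line in log_text.splitlines():
        reg = REGISTERED.search(line)
        if reg:
            agents[reg["subject"]] = reg.groupdict()
            continue
        fail = FAILED.search(line)
        if fail:
            agent = agents.get(fail["subject"])  # None: no agent seen for it
            findings.append({
                "time": line[:15],               # syslog timestamp prefix
                "subject": fail["subject"],
                "action": fail["action"],
                "requester": fail["requester"],
                "agent_bus": agent["bus"] if agent else None,
                "agent_path": agent["path"] if agent else None,
                "agent_locale": agent["locale"] if agent else None,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A record whose agent_bus is None means the failure was logged for a subject with no registration earlier in the same log text.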