Creating a polkit authentication agent
Miloslav Trmač
mitr at redhat.com
Mon Sep 30 12:32:13 PDT 2013
> On Mon, Sep 30, 2013 at 8:40 PM, Miloslav Trmač < mitr at redhat.com > wrote:
> > Hello,
>
> > ----- Original Message -----
>
> > > What I'm trying to do is register a polkit authentication agent in a
> > > python
>
> > > script, through the dbus api. I have attached, a rather simplistic, first
>
> > > start of this. From what I can read out of the logs it seems to register
>
> > > alright but nothing is relayed to it for authentication.
>
> > > First question is that it seems like RegisterAuthenticationAgent takes a
> > > few
>
> > > different subject kinds . unix-process and unix-session. What is the
>
> > > difference between these and what should I be using?
>
> > You can register more than one agent; each agent is only called for those
> > subject they register for. unix-process is obviously limited to that single
> > process. So if you want to register for all processes running within the
> > session / within the appliance UI, unix-session is more appropriate.
>
> Does this mean that if xbmc runs within another session, say gnome, and we
> use packagekit for installing our addons, if we'd register a unix-process
> that one will take precedence over the one in gnome?
Yes. (You can also register a "fallback agent" for a unix-process, but you wouldn't to in this case.)
> Or perhaps that only holds true for a polkit action which isn't registered in
> the session agent?
No, agents register for subjects, not for actions.
> > > When registering I submit my object path, which is '/org/xbmc/polkit' but
>
> > > what is the destination for this object? I'm using 'org.xbmc.polkit' for
> > > my
>
> > > service, but how does polkit knows this?
>
> > An agent can only register itself; polkit uses the identity of the caller
> > of
> > the RegisterAuthenticationAgent operation (technically using the :number
> > unique identifier). I don't think it's necessary to register a
> > well-known-name.
>
> So polkit is able to deduct the destination from the object path and the bus
> used for the call? I'm not a dbus expert so wasn't aware that this was
> possible?
Yes; this is fundamental to being able to send a reply to a request at all.
> So if I understand you correctly I just need to make sure I use the same bus
> for the service as the registration?
That should be basically it. But I'm not a D-Bus expert either I'm afraid, and especially not an expert in the various interface libraries.
> > > Could this be why its not called to
>
> > > authenticate even if register went through alright?
>
> > These two lines seem rather suspect:
>
> > > 'session-id': getSessionID(),
>
> > > 'session_id': ""
>
> > Other than that, if there are no error messages returned through the D-Bus
> > API, I can suggest only running polkitd without --no-debug and capturing
> > the
> > output, and attaching a debugger to polkitd.
>
> Yeah I'm very uncertain on those, from the RegisterAuthenticationAgent
> documentation I found this line
> " Note that current versions of PolicyKit will only work if session_id is set
> to the empty string. In the future it might work for non-empty strings if
> the caller is sufficiently privileged."
> I thought that referred to be on the subject but it strikes me know that I
> might have misunderstood this. If so I'm not sure at all where I should set
> "session_id" :)
(For others looking, it is data/org.freedesktop.PolicyKit1.Authority.xml . I'm afraid this is a bug in the documentation; for now filed as https://bugs.freedesktop.org/show_bug.cgi?id=69980 ).
> I tried to start polkitd with --no-debug (if I did it correctly)
Note that, at least on Fedora, --no-debug is default, so it is necessary to _remove_ it (and then capture stderr).
> and checked auth.log, it gave some interesting results (which I'm not
> entirely sure how to interpret)
> (at line3 is when I closed polkitd with a killall -9 polkitd)
> topfs at tobias-desktop:/var/log$ tail -f auth.log
> Sep 30 21:01:16 tobias-desktop polkitd(authority=local): Registered
> Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session10
> (system bus name :1.119 [python simple-unix-session-agent.py], object path
> /org/xbmc/polkit, locale sv_SE)
> Sep 30 21:05:07 tobias-desktop polkitd(authority=local): Operator of
> unix-session:/org/freedesktop/ConsoleKit/Session10 FAILED to authenticate to
> gain authorization for action com.ubuntu.softwareproperties.applychanges for
> system-bus-name::1.126 [/usr/bin/python3 /usr/bin/software-properties-gtk -n
> -t 0] (owned by unix-user:topfs)
> So from what I can see it seems like it registers alright but it never calls
> my python scripts method (begin authentication et al).
I'm afraid it's time for gdb then; there is no logging inside the code of get_authentication_agent_for_subject AFAICS.
> I've registered it under locale sv_SE, perhaps thats wrong or not what
> fluxbox (which is my testing session) is using by default?
> Can I register my agent on any locale?
The locale is not involved in choosing which agent to run, only what messages to give to it.
Mirek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/polkit-devel/attachments/20130930/41795eb9/attachment-0001.html>
More information about the polkit-devel
mailing list