Clarification on the imply annotation

Link Dupont link at sub-pop.net
Sun May 14 14:58:02 UTC 2017


I'm not familiar with KAuth, but from a cursory read about it, it
sounds like a wrapper around PolKit. The imply annotation, according to
the docs:

> can be used to define meta actions. The way it works is that if a
> subject is authorized for an action with this annotation, then it is
> also authorized for any action specified by the annotation. A typical
> use of this annotation is when defining an UI shell with a single
> lock button that should unlock multiple actions from distinct
> mechanisms.

It sounds more like it was designed to group actions together rather
than sustain the authentication.

Regarding your goal of persisting authentication over multiple actions,
there is a PolKit action value called "auth_admin_keep".

> Like auth_admin but the authorization is kept for a brief period
> (e.g. five minutes).

I would suggest you look into whether KAuth Helper files support the
'auth_admin_keep' Policy value.

Your KAuth helper file also sets Persistence to 'session'. According to
the docs, that keeps the authentication for the entire logged in
session. Is that your goal?

> session: the authorization persists until the user logs out

The imply annotation might help you authorize all your actions using a
single request (delete, move, create, etc.). I think it's your
Persistence value that's keeping all of them authorized though.

On Sun, 2017-05-14 at 19:06 +0530, chinmoy ranjan wrote:
> Hello devs,
> 
> I am a Google Summer of Code student working with KDE on the project
> "Polkit support in KIO[1]". The goal of this project is to enable KIO
> (this library provides file management functions in KDE software) to
> perform file handling operations with escalated privilege. This way
> the user can perform file handling operations in root owned location
> without having to start the whole application as root.
> My approach[2] involves using the KAuth library (authentication
> framework for KDE) to create separate polkit actions for each file
> handling operation, like delete, copy, symlink, rename etc. One of
> the behavioural changes that is expected is when a user authenticates
> himself for a polkit action, say delete, he should be able to perform
> other actions, like copy or symlink, during the time period when
> privileges are escalated for a while without having to provide his
> credentials.
> So in pursuit of this I found the imply annotation in the reference
> manual of polkit. I used it in my PoC patch[3] (I directly modified
> the policy file) and it did produce the desired behaviour. When I
> authenticated myself for the delete operation, other actions like
> symlink were unlocked as well for a while. In other words it solved
> my little problem.
> 
> Now this is my first time working with polkit. So my doubts are,
> 1> Is this the actual work of imply annotation, i.e., to unlock (if I
> am putting it correctly) other actions after authenticating for one
> action? Although it is mentioned in the reference manual that it
> unlocks multiple actions from distinct mechanisms but a little
> clarification would help.
> 2> If it's not the purpose of the imply annotation then what is it
> for? And what can I use in my project?
> 3> If imply annotation is indeed suitable for my project then I will
> have to add the support for annotations in KAuth library. In that
> case is there any guideline or specification that I must comply with?
> 
> I would be very grateful if anyone could provide any sort of help.
> 
> Regards,
> Chinmoy
> 
> [1]: https://community.kde.org/GSoC/2017/Ideas#Project:_Polkit_support_in_KIO
> [2] GSOC proposal: https://docs.google.com/document/d/1LhuHwwo_hCziM2-3UsffpODwnjypYQjMnB7YHEQd4dQ/edit?usp=sharing
> [3]: https://git.reviewboard.kde.org/r/129983/
> 
> _______________________________________________
> polkit-devel mailing list
> polkit-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/polkit-devel
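
An added example, not part of the original thread and not polkit or KAuth code: a small audit of a policy file that reports each `org.freedesktop.policykit.imply` edge where authorizing the meta action would also authorize an action whose own default is stricter. The `org.example.*` action ids, the sample policy and the strictness ordering in `RANK` are assumptions made for illustration; the annotation value is treated as a space-separated list of action ids.

```python
import xml.etree.ElementTree as ET

IMPLY = "org.freedesktop.policykit.imply"
# Assumed ordering, weakest to strictest, of polkit implicit authorization values.
RANK = {"yes": 0, "auth_self_keep": 1, "auth_self": 2,
        "auth_admin_keep": 3, "auth_admin": 4, "no": 5}

# Constructed sample policy; the org.example.* action ids are hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.fileops.all">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.imply">org.example.fileops.delete org.example.fileops.symlink</annotate>
  </action>
  <action id="org.example.fileops.delete">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
  <action id="org.example.fileops.symlink">
    <defaults><allow_active>auth_admin_keep</allow_active></defaults>
  </action>
</policyconfig>"""

def load_actions(policy_xml):
    """Map action id -> (allow_active value, list of implied action ids)."""
    actions = {}
    for act in ET.fromstring(policy_xml).iter("action"):
        # A missing allow_active element is treated as "no" here.
        active = act.findtext("defaults/allow_active", default="no").strip()
        implied = []
        for ann in act.iter("annotate"):
            if ann.get("key") == IMPLY:
                implied += (ann.text or "").split()
        actions[act.get("id")] = (active, implied)
    return actions

def audit_imply(policy_xml):
    """Return (meta, target, reason) for imply edges that widen access or dangle."""
    actions = load_actions(policy_xml)
    findings = []
    for meta, (meta_auth, implied) in sorted(actions.items()):
        for target in implied:
            if target not in actions:
                findings.append((meta, target, "implied action not defined in this file"))
            elif RANK.get(meta_auth, 5) < RANK.get(actions[target][0], 5):
                findings.append((meta, target,
                                 f"{meta_auth} is weaker than {actions[target][0]} on implied action"))
    return findings

if __name__ == "__main__":
    for finding in audit_imply(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```
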