[systemd-devel] Password agent for user services
Michal Koutný
mkoutny at suse.com
Mon May 13 18:30:36 UTC 2019
Hello,
I was pondering a user service that would ask for a password via the
password agent infrastructure (as there is
systemd-gnome-ask-password-agent it could be quite integrated with the
desktop environment) as an alternative to saving it in (Gnome) keyring.
Naïve experiment with
> [Service]
> ExecStart=/usr/bin/systemd-ask-password "What is your pwd?"
led to
> May 13 19:49:56 host systemd-ask-password[28844]: Failed to query password: Permission denied
Then I read about the password agent API [1] and realized that the poor
agent cannot create the notification file in the watched directory. I
also noticed the auxiliary agent is not spawned for user services [2].
I'm not that familiar with policy-kit, however, IIUC, it is possible to
ask an unprivileged systemd-gnome-ask-password-agent to provide a password
for a system service. Is that correct?
What would then prohibit making /run/systemd/ask-password world writable
to allow unprivileged users to ask for a password?
(I understand the interface is so crude so that it works at early boot
stages w/out DBus. For the user requests it would perhaps make sense to
have a parallel DBus API.)
Or is there an alternative approach to query interactively passwords for
user services (e.g. an already existing user service that could be queried via
DBus)?
Thanks,
Michal
[1] https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
[2] https://github.com/systemd/systemd/blob/a45ef5070d5875d70e39fc430e82eb26c221ded5/src/systemctl/systemctl.c#L238