[systemd-devel] Password agent for user services

Michal Koutný mkoutny at suse.com
Mon May 13 18:30:36 UTC 2019

I was pondering a user service that would ask for password via the
password agent infrastructure (as there is
systemd-gnome-ask-password-agent it could be quite integrated with the
desktop environment) as an alternative to saving it in (Gnome) keyring.

Naïve experiment with

> [Service]
> ExecStart=/usr/bin/systemd-ask-password "What is your pwd?"

lead to

> May 13 19:49:56 host systemd-ask-password[28844]: Failed to query password: Permission denied

Then I read about the password agent API [1] and realized that poor
agent cannot create the notification file in the watched directory. I
also noticed the auxiliary agent is not spawned for user services [2].

I'm not that familiar with policy-kit, however, IIUC, it is possible to
ask unprivileged systemd-gnome-ask-password-agent to provide a password
for system service. Is that correct?
What would then prohibit making /run/systemd/ask-password world writable
to allow unprivileged users to ask for a password?

(I understand the interface is so crude so that it works at early boot
stages w/out DBus. For the user requests it would perhaps make sense to
make have a parallel DBus API.)

Or is there an alternative approach to query interactively passwords for
user services (e.g. already existing user service that could queried via


[1] https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
[2] https://github.com/systemd/systemd/blob/a45ef5070d5875d70e39fc430e82eb26c221ded5/src/systemctl/systemctl.c#L238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Digital signature
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20190513/bb6c9b46/attachment.sig>

More information about the systemd-devel mailing list