Hi,
this is really great job.
I have one question that came to my mind:
What happens when there is already a polkit agent running in the system?
Let's say I'm connecting to pegasus on my desktop computer where polkit-kde-authentication-agent-1 is already running as part of the desktop session. Is it possible to have multiple agents running? Which one will be used to authenticate the request?
Radek
On Thu 17 of Jul 2014 10:38:29 Jan Safranek wrote:
Hello,
I've been working on reusing polkit authorization for OpenLMI providers, which use a DBus service (e.g. NetworkManager, PackageKit, realmd, systemd, ...).
I've documented the architecture on our wiki [1] and I submitted a review in our review-board [2]. I won't push the patches until we get to an agreement that it's the way to go and also that the implementation is secure - please review carefully. There are *no* changes needed in our provider code and/or in the DBus services we work with.
1: https://fedorahosted.org/openlmi/wiki/PolkitAuthorization
2: https://reviewboard-openlmi.rhcloud.com/users/jsafrane/
In short, the concept is similar to Cockpit's reauthorization [3], we just don't play tricks with user passwords - we don't have one on CIM provider level. Instead, we register a polkit agent, which bluntly authenticates every request from polkit in its PAM session.
3: https://github.com/cockpit-project/cockpit/blob/master/doc/reauthorize.md
[Kudos to Cockpit guys, I used their code to implement polkit agent and helper.]
Just a side note: right now, users with remote CIM access must be members of 'pegasus' group, otherwise they cannot start a provider. Is it good or bad? Should _any_ user be able to use CIM by default and let polkit decide? It's trivial to fix, just set different file/directory permissions in tog-pegasus.rpm. And there is /etc/Pegasus/access.conf, which can control access properly if sysadmin wishes, so the question is just about the default setting.
Jan
openlmi-devel mailing list
openlmi-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/openlmi-devel