Can someone please give me some help setting up a working Mac backend for KAuth?

I currently have the basics right after porting the modifications I made to the 
KDE4 predecessor, but there's a nasty not-so-little detail I've not yet 
tackled: the helper process that does the actual work. The documentation 
(tutorial) I've read about KAuth is both seriously outdated and designed to 
hide implementation details because it is aimed at working with rather than on 
KAuth.

As far as I can see the default helper backend is based on DBus, which raises a 
number of points to take into consideration:

1) applications can only connect to the user's session DBus if they have the 
same EUID
2) DBus ought to be able to start privileged helpers through its own setuid 
dbus-daemon-launch-helper but can then run into 1) itself
3) KAuth should probably/ideally work without relying on DBus itself, on OS X
4) Qt5 refuses to run setuid applications on OS X

4) can be worked around easily enough, but I don't understand why running 
setuid root isn't a problem on Linux; the same limitations ought to apply there.

The big unknown for me here is how KAuth is designed to communicate with the 
helper process. Is that purely up to the HelperProxy implementation?

For my personal education: this stuff is based on a BSD backend on OS X. Should 
that provide a means for applications to become EUID root *temporarily*? The 
security framework does provide a function to call any application with the 
setuid bit set transiently (meaning we trigger point 4) but that function is 
deprecated and I have not yet investigated the alternative API.

Underlying all this is a more fundamental question: is KAuth supposed to do 
more than just obtaining authorisation on platforms that don't run full-blown 
Plasma sessions?

The only KDE application I know of that requires authentication for an action 
that ought to be possible on any platform is KWalletManager (rather, the Wallet 
KCM). But to be honest I don't see the point in using a privileged helper to 
save a user's own Wallet preferences, and best I can tell the implementation is 
flawed anyway so I disable the whole authorisation aspect in my KWalletManager 

