Can someone please give me some help setting up a working Mac backend for KAuth?
I currently have the basics right after porting the modifications I made to the
KDE4 predecessor, but there's a nasty not-so-little detail I've not yet
tackled: the helper process that does the actual work. The documentation
(tutorial) I've read about KAuth is both seriously outdated and designed to
hide implementation details because it is aimed at working with rather than on KAuth.

As far as I can see the default helper backend is based on DBus, which raises a
number of points to take into consideration:

1) applications can only connect to the user's session DBus if they have the
2) DBus ought to be able to start privileged helpers through its own setuid
   dbus-daemon-launch-helper but can then run into 1) itself
3) KAuth should probably/ideally work without relying on DBus itself, on OS X
4) Qt5 refuses to run setuid applications on OS X

4) can be worked around easily enough, but I don't understand why running
setuid root isn't a problem on Linux; the same limitations ought to apply there.

The big unknown for me here is how KAuth is designed to communicate with the
helper process. Is that purely up to the HelperProxy implementation?

For my personal education: this stuff is based on a BSD backend on OS X. Should
that provide a means for applications to become EUID root *temporarily*? The
security framework does provide a function to call any application with the
setuid bit set transiently (meaning we trigger point 4) but that function is
deprecated and I have not yet investigated the alternative API.

Underlying all this is a more fundamental question: is KAuth supposed to do
more than just obtaining authorisation on platforms that don't run full-blown

The only KDE application I know of that requires authentication for an action
that ought to be possible on any platform is KWalletManager (rather, the Wallet
KCM). But to be honest I don't see the point in using a privileged helper to
save a user's own Wallet preferences, and best I can tell the implementation is
flawed anyway so I disable the whole authorisation aspect in my KWalletManager
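
For reference on the question above about becoming EUID root *temporarily*: the sketch below is an added example, not part of the original post and not KAuth code, showing the POSIX saved set-user-ID pattern in which a helper runs as the real user and raises its effective UID only around one call. It assumes the binary is installed setuid; the names `priv_init`, `priv_call` and `report_euid` are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Effective UID the process started with (root if installed setuid root). */
static uid_t saved_euid;

/* Call first in main(): remember the privileged identity, then run as the
 * real user. The kernel keeps the old EUID as the saved set-user-ID, which
 * is what allows seteuid() to return to it later. */
int priv_init(void)
{
    saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    return geteuid() == getuid() ? 0 : -1;
}

/* Run fn(arg) with the saved effective UID, then drop again.
 * The drop is reversible by design, so this narrows the window in which
 * mistakes run privileged; it does not contain a compromised process. */
int priv_call(int (*fn)(void *), void *arg, int *result)
{
    if (seteuid(saved_euid) != 0)
        return -1;
    *result = fn(arg);
    if (seteuid(getuid()) != 0 || geteuid() != getuid())
        _exit(111); /* could not drop: never continue with raised EUID */
    return 0;
}

/* Stand-in for the privileged action: records the EUID it ran under. */
static int report_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    int rc = -1;
    if (priv_init() != 0) { perror("priv_init"); return 1; }
    if (priv_call(report_euid, &seen, &rc) != 0) { perror("priv_call"); return 1; }
    printf("ruid=%d euid-in-call=%d euid-now=%d\n",
           (int)getuid(), (int)seen, (int)geteuid());
    return 0;
}
```

Run without the setuid bit, all three UIDs printed are the same; installed setuid root, only the middle value is 0.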