On Tue, 2013-12-17 at 16:39 -0500, Miloslav Trmač wrote:

> > What are the implications of setting the flag when a
> > non-interactive application is accessing the server?
>
> If the authorization result is a "challenge"
> (polkit_authorization_result_get_is_challenge), polkitd without the
> flag just returns the "challenge" result.
>
> With the flag, polkitd tries to search for a registered authentication
> agent, and asks that agent to authorize the operation. If no agent is
> registered (e.g. a system daemon running outside of a user session
> with its own UID), polkitd will again just return the "challenge"
> result.

I see. And I suppose that the agent is global, rather than per process,
so it doesn't make sense to always use the flag and expect the
non-interactive applications to be silent.

> In the case of smart cards (which I assume is the concern), it might be
> reasonable to disable user interaction, and by default authorize access
> to an active user session (in the same logic as an owner of an active
> user session is automatically "authorized" to use the keyboard and
> mouse); this would let the sysadmin authorize e.g. httpd to access the
> card but allow it by default. This suggestion, however, glosses over
> whether anything needs to be done when the active user session changes
> due to fast user switching.

In all I find this flag a bit peculiar. I don't think that the server
communicating with hardware should be expected to have the knowledge of
whether the user is in an interactive session or not.

regards,
Nikos