Hi Hamish,

Bear in mind I don't know Polkit so this is the result of a quick poke
about.

> However, I've found that auth_admin_keep doesn't work across sessions, 

These sessions are what loginctl(1) lists, and referred to by
`allow_any', `allow_active', and `allow_inactive'?  What two sessions do
you have in mind where it is authorised in one, still needs authorising
in the second, and you wonder if it should?

> unless you put it in the "allow_any" key, which I don't want to do -
> it's insecure.

Is it?  It's just an XML kludge to state `allow_active or allow_inactive'
AFAICS?

> The other issue is that the GUI has to run a lot of different
> commands, some of them repeatedly. I'd like to use auth_admin_keep for
> some subsets of these commands - repeatedly prompting for a password
> is really annoying.

Sounds fine.  polkit(8) points out the authorisation will continue to be
valid even if variables in subsequent requests differ and the rules
depend on those variables, i.e. it's a loop-hole.  Given JavaScript was
chosen as the language for the rule files, pfft, it goes on to mention
Date() can be used for temporary authorisations.  But doesn't show how,
and Google didn't find an example for me either.

> However, I'm unsure how to be absolutely sure that the GUI is calling
> pkexec, and that it isn't an attacker / some other program.

Your GUI runs pkexec itself in some manner?  What threat are you
concerned about if it's not the real pkexec?

> Does anyone know where I might be able to ask for help on
> polkit-related issues?

https://wiki.archlinux.org/index.php/Polkit was helpful.

> they do have a development mailing list - probably the wrong place to
> ask I think.

The archives suggest they respond to the odd question from a developer
that's having to use it.
https://lists.freedesktop.org/archives/polkit-devel/2017-November/000565.html
And if they didn't welcome that traffic then they should fill in the
Mailman variable that would appear below `About polkit-devel' on
https://lists.freedesktop.org/mailman/listinfo/polkit-devel  :-)

Cheers, Ralph.

-- 
Next meeting:  Bournemouth, Tuesday, 2018-06-05 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread:  mailto:dorset@mailman.lug.org.uk / CHECK IF YOU'RE REPLYING
Reporting bugs well:  http://goo.gl/4Xue     / TO THE LIST OR THE AUTHOR
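
One way the Date() check discussed in the message above could be written, as an added example that is not part of the original mail or of polkit's own documentation. The action-id prefix, the expiry date and the rules-file name are assumptions; `polkit.addRule`, `polkit.Result`, `subject.local` and `subject.active` are the names polkit(8) documents.

```javascript
// Added example: hypothetical rules file, e.g. /etc/polkit-1/rules.d/50-example-gui.rules
// Under polkitd the global `polkit` object exists; the stub below only lets the
// same logic run under Node for testing. Result values follow polkit(8).
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
              AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: null },
    addRule: function (fn) { /* no-op outside polkitd */ }
};

// Assumptions (not from the original mail): action-id prefix and expiry date.
var ACTION_PREFIX = "org.example.mygui.";
var EXPIRES_UTC = Date.UTC(2018, 6, 1);   // 2018-07-01T00:00:00Z (months are 0-based)

// Decide one request. `now` is passed in so the time check can be tested.
function decide(action, subject, now) {
    if (action.id.indexOf(ACTION_PREFIX) !== 0) {
        return pk.Result.NOT_HANDLED;      // not ours: other rules / .policy defaults apply
    }
    if (!(subject.local && subject.active)) {
        return pk.Result.NOT_HANDLED;      // only relax prompting for the active local session
    }
    if (now.getTime() >= EXPIRES_UTC) {
        return pk.Result.NOT_HANDLED;      // window closed: fall back to the .policy defaults
    }
    return pk.Result.AUTH_ADMIN_KEEP;      // still prompts once, then keeps it briefly
}

// Register the rule; polkitd calls it with (action, subject) on every check.
pk.addRule(function (action, subject) {
    return decide(action, subject, new Date());
});
```

Returning NOT_HANDLED rather than NO once the date has passed leaves the decision to later rules and the action's .policy defaults, so expiry tightens prompting instead of locking the action out.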
