Integrate high privileges in KIO and GHNS

Nicola Gigante nicola.gigante at gmail.com
Fri Aug 21 12:23:48 BST 2009 

Il giorno 21/ago/09, alle ore 12:55, David Faure ha scritto:

> Sounds great. A very much needed feature.
>
Thank you :D

> I see several approaches, but since I don't know kauth, no idea  
> which is
> better... Let me do a bit of brainstorming:
>
> Is there some caching of passwords?
> If yes: then we can indeed "ask for permission" at the lowlevel (kio  
> file-copy
> job, or inside the kioslave itself) and other files to be copied  
> (e.g. as part
> of a higher-level directory CopyJob) will be copied using the cached  
> password.
>
KAuth it's not a matter of "passwords". It works with policies, just  
like PolicyKit (which is its linux backend). That means the  
authentication is handled and credientials are granted by "someone  
else", which on linux is policykit. Currently, policykit and the mac  
backend handle the authentication asking passwords, but it's only an  
implementation detail that we don't have to care.

> In fact, do we have to use a password dialog from kauth, or could the
> kioslaves request for auth just like they do already when going to  
> an ftp or
> http site that needs a password, and then give that password to kauth?
>
The password (if needed) is asked by the policykit authentication  
agent, which is a separate process. The app using libkauth doesn't  
have access to the password or to any authentication detail. It simply  
knows that it can or can't do what it asked.

> So, one idea is that the slave could detect the problem, ask for
> authentication (via the main process, of course, we don't want GUIs in
> slaves), and proceed;
> we would have the issue of sharing that information with other  
> kioslaves
> involved in the same operation (e.g. recursive directory listing),  
> though
> (I guess we don't want to just cache the password in kpasswdserver  
> like we do
> for FTP/HTTP, that would allow -other- operations to have root  
> access).
>
> A different approach would be that libkio reacts on the error codes  
> that
> indicate a lack of permission, call kauth, and "try again"? There  
> are quite a
> few jobs that would need touching, but that's less duplication/work  
> than the
> solution below.
>
I think the second approach is the better, for two reasons:
1) We don't have control over credential caching. We can provide an  
hint to tell that credentials should be cached, but the backend can  
ignore it, for example if the system admin has changed that setting.  
Even if the admin doesn't touch the configs, the policykit  
authorization dialog will ask the user if it wants to save the  
credentials or not. This means we have to reduce the number of  
authorization requests needed to perform an operation, because every  
authorization request could result in a password dialog, if the user  
chose to not save the credentials. I think doing the auth request at  
an high-level allows us to do that.

2) If we implement support in every single slave, the code duplication  
is _really_ a _lot_. Remember we have to write an helper tool that  
actually perform the action. With the first approach we have to  
duplicate a lot of slave's code into the helper, for every slave that  
we want to support. With the second approach, we only have to write an  
helper that relaunch the job: a lot less work.

> Finally another approach would be that the application's slotResult  
> detects
> the error and retries the _whole_ job after authentication. But that  
> limits
> the feature to file managers (and GHNS), so I guess we don't want  
> that, if we
> want "save file" in any application, to be able to save in /etc for  
> instance.
>
yeah I think this is what we want: developer-transparent support for  
this feature, so I think we've to exclude this approach.

> All of this depends on whether kauth can give other processes  
> (kioslaves)
> permissions, or if it's all in-process.
Yes it can. Actually, it doesn't matter which process requests the  
action authorization and which process actually perform the action.


bye bye,

Nicola
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20090821/c1be4da0/attachment.htm>

More information about the kde-core-devel mailing list