Help requested with KAuth backends : OS X

René J.V. Bertin rjvbertin at gmail.com
Sat Sep 17 08:54:30 UTC 2016


Hi,

Can someone please give me some help setting up a working Mac backend for KAuth?

I currently have the basics right after porting the modifications I made to the KDE4 predecessor, but there's a nasty not-so-little detail I've not yet tackled: the helper process that does the actual work. The documentation (tutorial) I've read about KAuth is both seriously outdated and designed to hide implementation details because it is aimed at working with rather than on KAuth.

As far as I can see the default helper backend is based on DBus, which raises a number of points to take into consideration:

1) applications can only connect to the user's session DBus if they have the same EUID
2) DBus ought to be able to start privileged helpers through its own setuid dbus-daemon-launch-helper but can then run into 1) itself
3) KAuth should probably/ideally work without relying on DBus itself, on OS X
4) Qt5 refuses to run setuid applications on OS X

4) can be worked around easily enough, but I don't understand why running setuid root isn't a problem on Linux; the same limitations ought to apply there.

The big unknown for me here is how KAuth is designed to communicate with the helper process. Is that purely up to the HelperProxy implementation?

For my personal education: this stuff is based on a BSD backend on OS X. Should that provide a means for applications to become EUID root *temporarily*? The security framework does provide a function to call any application with the setuid bit set transiently (meaning we trigger point 4) but that function is deprecated and I have not yet investigated the alternative API.

Underlying all this is a more fundamental question: is KAuth supposed to do more than just obtaining authorisation on platforms that don't run full-blown Plasma sessions?

The only KDE application I know of that requires authentication for an action that ought to be possible on any platform is KWalletManager (rather, the Wallet KCM). But to be honest I don't see the point in using a privileged helper to save a user's own Wallet preferences, and best I can tell the implementation is flawed anyway so I disable the whole authorisation aspect in my KWalletManager builds.

Thanks,
René

