From: Andy Wingo
Subject: Re: [PATCH] gnu: services: Install policies for polkit service.
Date: Mon, 22 Feb 2016 15:33:24 +0100
Message-ID: <87io1grf0r.fsf@igalia.com>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

On Mon 22 Feb 2016 15:15, ludo@gnu.org (Ludovic Courtès) writes:

> Andy Wingo wrote:
>
>> Concretely: what to do about gnome-settings-daemon, xfce4-session, and
>> thunar?
>
> What about adding a ‘gnome-session-service’ and an
> ‘xfce4-session-service’, each of which would extend polkit (the latter
> would also pass the Thunar policies)?
>
> Eventually, we could change the SLiM service to be extended by these two
> things.

Makes sense to me. We are effectively granting permission to these desktop environments to do a limited set of things as root, so they do need to be services.

Incidentally, when with this patch I tried to run "pkexec ls", I was able to go farther in the process -- the pkexec program embeds an authentication agent, if the desktop environment doesn't provide one, which can read a password from the console. So you're asked for the root password to be able to run "ls", but then it fails with a message that polkit knew "no session for cookie". I guess this means that there still is something not quite working between logind and polkit. Or, it could be related to X -- at startup X warns about not being able to integrate with logind for some reason, so perhaps that's it.

Relatedly, for the power button and lid switch under GNOME: I assume that GNOME inhibits logind's default power button handler in favor of its own. There's an interface for that. But then somehow the permissions don't work out right, probably due to the same reason, that polkit can't make the link between the user and their session.

Well, we'll figure it out I guess :)

Andy