I have a little DBus-activated daemon that registers itself in the system bus but runs as the GDM user (the idea is to allow to set dconf settings and other things from a normal user), and it works fine. The point is that I want to restrict the access to an specific UID, requiring the user to type their password when changing the UID allowed to make changes. I tried using polkit, defining a file with "auth_admin" and calling "polkit_authority_check_authorization" with the "POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION" flag, but I receive this error:
Error: GDBus.Error:org.freedesktop.PolicyKit1.Error.NotAuthorized: Only trusted callers (e.g. uid 0 or an action owner) can use CheckAuthorization() for subjects belonging to other identities
How can I do this authentication?
The piece of code in the daemon running as GDM user:
g_autoptr (PolkitAuthority) authority = NULL;
g_autoptr (PolkitAuthorizationResult) result = NULL;
g_autoptr (PolkitSubject) sender = NULL;
GError *error = NULL;
sender = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation));
authority = polkit_authority_get_sync (NULL, NULL);
result = polkit_authority_check_authorization_sync (authority,
sender,
"org.gnome.GdmSettings.",
NULL,
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
NULL,
&error);
set_timeout ();
if (error != NULL) {
g_print("Error: %s\n", error->message);
}
(I know that I shouldn't use a _sync call with that flag, but this is still a proof-of-concept; when it works, I'll use the async version).
And this is the org.gnome.GdmSettings.SetAllowedUID.policy file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
<vendor>The GNOME Project</vendor>
<vendor_url>http://www.gnome.org/</vendor_url>
<action id="org.gnome.GdmSettings.SetAllowedUID">
<description>Manage Gdm Settings</description>
<message>Authentication is required to change GDM data</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
which is installed at /usr/share/polkit-1/actions. I tried with auth_admin_keep and auth_self_keep, but it always returns the same.
And this is the org.gnome.GdmSettings.service file:
[Unit]
Description=GNOME Display Manager Settings
[D-BUS Service]
Name=org.gnome.GdmSettings
Exec=/usr/bin/dbus-launch @daemon@
User=@gdm_user@
(I launch it with dbus-launch because dconf requires the session dbus to allow to set keys).
Ok, I found the solution: I have to add
to the .policy file.