On Mo, 13.05.19 20:30, Michal Koutný (mkoutny@xxxxxxxx) wrote: > Hello, > I was pondering a user service that would ask for password via the > password agent infrastructure (as there is > systemd-gnome-ask-password-agent it could be quite integrated with the > desktop environment) as an alternative to saving it in (Gnome) keyring. > > Naïve experiment with > > > [Service] > > ExecStart=/usr/bin/systemd-ask-password "What is your pwd?" > > lead to > > > May 13 19:49:56 host systemd-ask-password[28844]: Failed to query password: Permission denied > > Then I read about the password agent API [1] and realized that poor > agent cannot create the notification file in the watched directory. I > also noticed the auxiliary agent is not spawned for user services [2]. > > I'm not that familiar with policy-kit, however, IIUC, it is possible to > ask unprivileged systemd-gnome-ask-password-agent to provide a password > for system service. Is that correct? > What would then prohibit making /run/systemd/ask-password world writable > to allow unprivileged users to ask for a password? So, the idea was always that the ask-pw logic is for asking unpriv users for passphrases for priv infrastructure. I figure extending the logic to allow unpriv infrastructure asking pws from the same unpriv users would be ok to add. however, this should be implemented by introducing $XDG_RUNTIME_DIR/ask-password/ or so, as a separate per-user dir to add these files to. I figure adding such a patch that adds that would be ok. > (I understand the interface is so crude so that it works at early boot > stages w/out DBus. For the user requests it would perhaps make sense to > make have a parallel DBus API.) Yeah, we added this stuff so that we can query passwords without dbus around in early boot, and dbus still isn't available even now in early boot. The design also was intended to work without continously running centralized daemon. Ideally some infrastructure like PK would supply this mechanism instead of us btw. Or at least the kernel keyring userspace code woul, but I still don't see that happening. Hence, maybe the easiest and most acceptable solution would be to simply extend the ask-pw stuff to support a per-user concept too... > Or is there an alternative approach to query interactively passwords for > user services (e.g. already existing user service that could queried via > DBus)? Nothing I was aware of. Lennart -- Lennart Poettering, Berlin _______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: Password agent for user services
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Password agent for user services
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Mon, 20 May 2019 11:49:42 +0200
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <20190513183036.GG13687@blackbody.suse.cz>
- References: <20190513183036.GG13687@blackbody.suse.cz>
- Follow-Ups:
- Re: Password agent for user services
- From: Simon McVittie
- Re: Password agent for user services
- References:
- Password agent for user services
- From: Michal Koutný
- Password agent for user services
- Prev by Date: Re: systemd-nspawn and cgroup hybrid mode
- Next by Date: Re: sd-bus dynamic property table
- Previous by thread: Password agent for user services
- Next by thread: Re: Password agent for user services
- Index(es):
 |