polkit does not have any mean to ask directly the user for confirmation and/or to type in its password. This is done by *desktop session*, which registers a *polkit agent*, a tiny [DBus API](http://www.freedesktop.org/software/polkit/docs/latest/eggdbus-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.html), which polkit uses to confirm an action. The desktop's polkit agent then pops up an window "Action XYZ requires authentication, please provide your password." To prevent cheating, polkit requires that the final confirmation of action is sent from process with uid=0. Therefore the polkit agent (running as the user) executes small SUID *polkit helper*, which checks the password and tells polkit that the action has been confirmed.

2. The provider process must *start a PAM session* and register its own *polkit agent*. PAM session must be started while the process still runs as root, before it changes its UID to the remote user. Therefore it must be done in our `/usr/libexec/pegases/<providername>-cimprovagt` script, like this:

        /usr/libexec/pegasus/lmipolkitagent -u "$USERNAME" -c $INPUT_FD -c $OUTPUT_FD /usr/libexec/pegasus/cimprovagt 0 "$@"

  Also, **no changes in existing provider code is needed.**

This tools prepares Pegasus provider process to work with polkit.

   * `cmpi<provider name>-cimprovagt` has the right SELinux context to ensure each provider has different one.

   * `cmpi<provider name>-cimprovagt` is just a simple script, which executes `lmipolkitagent -u <the remote user> /usr/libexec/pegasus/cimprovagt`.

Our `lmipolkitagent` must be started by root, otherwise it cannot confirm polkit that an user has been reauthenticated (polkit checks it). Therefore it cannot be misused by regular users for cheating polkit and performing actions on DBus without retyping a password.