This is an automatically generated e-mail. To reply, visit: http://reviewboard-openlmi.rhcloud.com/r/1893/

On July 14th, 2014, 9:43 a.m. CEST, Jan Synacek wrote:

doc/polkit/polkit-authorization.md (Diff revision 1)
25
2. The provider process must *start a PAM session* and register its own *polkit agent*. PAM session must be started while the process still runs as root, before it changes its UID to the remote user. Therefore it must be done in our `/usr/libexec/pegases/<providername>-cimprovagt` script, like this:
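
Review bot: The wrapper path on line 25 is spelled `/usr/libexec/pegases/`, while line 123 of the same file uses `/usr/libexec/pegasus/cimprovagt`; one of the two is a typo, and a reader copying the path from this step gets the wrong directory. The script name also differs between the two places (`<providername>-cimprovagt` here, `cmpi<provider name>-cimprovagt` on lines 122 and 123), so settle on one form. Because the step depends on the PAM session being opened while the process is still root, it would help to state what the wrapper does when the session cannot be started.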

Does this mean that every provider will be basically forking at least twice whenever run?

Yes, we fork a lot. Also note that every command in our <providername>-cimprovagt script involves a fork() and exec(). However, once started, the provider process runs for a longer time and handles all requests from a user. It exits only after 5 (or 10?) minutes of inactivity. It's not started for each new request.


On July 14th, 2014, 9:43 a.m. CEST, Jan Synacek wrote:

doc/polkit/polkit-authorization.md (Diff revision 1)
122
   * `cmpi<provider name>-cimprovagt` has the right SELinux context to ensure each provider has different one.
123
   * `cmpi<provider name>-cimprovagt` is just a simple script, which executes `lmipolkitagent -u <the remote user> /usr/libexec/pegasus/cimprovagt`.
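
Review bot: Line 122 says the wrapper "has the right SELinux context" without naming the context or saying what assigns it, so the claim that each provider gets a different one cannot be checked from the document; name the label or the policy that sets it, and fix the grammar ("has a different one"). Line 123 should also say where `<the remote user>` comes from and how it is passed to `-u`, since line 25 states that the process later changes its UID to that user.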

Hmm, we're wrapping wrappers here. If I understand this right, there's not much that can be done here because of the SELinux labels. Otherwise the agent could be improved so that it handled everything that the original wrapper handles. Correct?

Interesting idea... We would need to ship copies of the agent with different names (cmpiLMI_Networking-cimprovagt, cmpiLMI_Service-cimprovagt, ...), it's easier to copy just a script here instead of a binary.
Still, the script logic could be hidden in the lmipolkitagent binary and the script could be a simple 'lmipolkitagent $@'.


- Jan


On July 11th, 2014, 12:31 p.m. CEST, Jan Safranek wrote:

Review request for OpenLMI Developers.
By Jan Safranek.

Updated Jul. 11, 2014, 12:31 p.m.

Repository: openlmi-providers

Description

Add documentation of polkit usage.

Diffs

  • doc/polkit/polkit-authorization.md (PRE-CREATION)
  • doc/polkit/polkit-init.uml (PRE-CREATION)
  • doc/polkit/polkit-run.uml (PRE-CREATION)
