Polkit and Gvfs

Hi all:

I need to get access to some of the files of another user (GDM user in this case). Currently I’m using pkexec to run a little script that makes what I need, but I want to do some extra things, like reading some configuration files and accessing the dconf data.

Is it possible to use Polkit and Gvfs for that? My intention is to add an “unlock” button that, when pressed, asks the user to give permissions to access the GDM folder, and then be able to do what I need.

My idea is to allow to set from Gnome Control Center the “energy” settings (thus allowing to disable the “suspend after 20 minutes” in GDM) and configure the screen (which, currently, I’m doing with pkexec in https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/1290 , but it isn’t very elegant).


I would copy whatever the Region & Language panel does for this.

“Region” uses a dbus daemon for that, systemd-locale… So maybe the best way would be to add to /usr/sbin/gdm3 or gdm-session-worker (which run as root) a DBus interface to allow to do this…

Do you think that it would be accepted?

Oh sorry, I assumed it was just changing gsettings, but that’s not true.

You can talk to @halfline about changes in gdm. What you really want is a way to change arbitrary settings for the gdm user. Polkit will surely be required, but I’m not sure why you would need gvfs.

Currently I’m just copying the file ~/.config/monitors.xml into the GDM’s corresponding folder, because that is how the monitor configuration is managed (dconf has nothing to do with that). But in order to do that, I need root permission. That’s why I asked for GVFS and PolKit.

But since I’m already working on this, I also want to allow to set the “energy” settings too, because it is also something that I had to change in my system and a lot of other users ask for too, and yes, that has to do with dconf.

My question was mainly if there is already something “in place” in Gvfs that allows me to copy the file using PolKit to manage the privileges.

if there is already something “in place” in Gvfs that allows me to copy the file using PolKit to manage the privileges.

No there isn’t, because all the gvfs backend daemons run as your user with your privileges. There is no way they can do things which you don’t already have permission to do.

Edit: I’m wrong, an admin backend exists whose daemon runs as pkexec and which prompts for polkit auth for each file operation.

This sounds similar to gvfs’s admin:// protocol.

1 Like

Oh… interesting… I’ll check it.

Oh, interesting, I didn’t know that existed. It does seem to do what’s being asked

Yes, there is the gvfsd-admin daemon, but I am convinced that it would be better to use a custom wrapper script instead. Similar scripts are already used in g-c-c/g-s-d in various places. The main reason is to open polkit prompt with something less generic than “Authentication is required to perform file operations”. Also, the daemon, when started for the first time for a standard user (not administrator, ie. not part of wheel/sudo group), requires one more prompt with “Authentication is required to run gvfsd-admin daemon” to be filled. However, such messages are not really something I would expect to see when changing monitor configuration…

1 Like

So, in your opinion, it is better to just leave my patch as currently is…

More or less, yes, but I’m not polkit expert, neither g-c-c maintainer, so wait for a review. But you should add a .policy file with some message about why the password is needed. E.g. something like: https://gitlab.gnome.org/GNOME/gnome-control-center/-/blob/master/panels/sharing/org.gnome.controlcenter.remote-login-helper.policy.in.in.

1 Like

Good point, I’ll try it.

Done! Thanks for the tip!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.