I have some problems regarding adopting polkit into factory-reset-tools, a utility for Ubuntu-preinstalled PCs to build USB reset media and reboot into Factory Reset or UEFI firmware setup.
The tool in question can run in a text console, so the same feature can be run remotely via SSH (which is what we usually do for PC hardware enablement). However, in order to allow the polkit prompt to appear in the same SSH session, the program has to run pkttyagent to show the prompt, usually:
- user program runs pkttyagent
- user program waits for pkttyagent to register to polkitd
- user program sends dbus message to the daemon program for action that requires authorization
- daemon program sends CheckAuthorization request to org.freedesktop.PolicyKit1.Authority to ask for authorization
- polkitd finds an agent to ask user for authorization
Usually, to prevent re-registration, the --fallback parameter is used for pkttyagent, but in a snap package, --fallback could cause the program to prefer displaying the prompt in the desktop (if the desktop session of the same admin user exists) although the program runs in an SSH session. I found removing --fallback could work, but in the polkit interface calling RegisterAuthenticationAgent is not yet allowed (with --fallback it calls RegisterAuthenticationAgentWithOptions instead).
I tried fwupdmgr (from fwupd) in Snap, but if I am not using sudo for updating firmware in an SSH session, it would fail directly when executing functions that require authorization, unless a desktop session of the same admin user exists. The problem does not exist in the Debian package version of fwupd, which shows the authorization prompt from pkttyagent correctly.
My questions are:
- What causes polkitd/pkttyagent to act differently in snap vs out of snap?
- Is removing --fallback a fix, or should we find a way to make polkitd treat agents running in snap the same as running outside of it?
- Do we need to allow RegisterAuthenticationAgent to run pkttyagent without --fallback?
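
Steps 1 and 2 of the flow in the post above, as an added sketch that is not part of the original post or of factory-reset-tools: start pkttyagent for the calling process and block until it has registered, using pkttyagent's --notify-fd option (the agent closes that descriptor once registration succeeds). The helper names, the `prefix` parameter and the 0.5 s exit-check window are assumptions made for this example.

```python
import os
import select
import subprocess

def agent_argv(prefix, subject_pid, notify_fd, fallback):
    """Build the agent command line for the process `subject_pid`."""
    argv = list(prefix) + ["--process", str(subject_pid),
                           "--notify-fd", str(notify_fd)]
    if fallback:
        argv.append("--fallback")
    return argv

def start_agent(prefix=("pkttyagent",), fallback=False, timeout=10.0):
    """Start a tty agent for this process; return it once it has registered."""
    rfd, wfd = os.pipe()
    try:
        proc = subprocess.Popen(
            agent_argv(prefix, os.getpid(), wfd, fallback), pass_fds=(wfd,))
        # Drop our copy of the write end: EOF on rfd now means the agent
        # closed its copy (registered) or exited (failed).
        os.close(wfd)
        wfd = -1
        ready, _, _ = select.select([rfd], [], [], timeout)
    finally:
        os.close(rfd)
        if wfd >= 0:
            os.close(wfd)
    if not ready:
        proc.kill()
        proc.wait()
        raise TimeoutError("agent did not register in time")
    try:
        # An agent that failed exits right away; a registered one keeps running.
        code = proc.wait(timeout=0.5)  # 0.5 s window is an assumption
    except subprocess.TimeoutExpired:
        return proc
    raise RuntimeError(f"agent exited with status {code} before registering")

if __name__ == "__main__":
    agent = start_agent()
    try:
        # Step 3 of the flow goes here: send the D-Bus request to the daemon.
        print("agent registered, pid", agent.pid)
    finally:
        agent.terminate()
        agent.wait()
```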