Polkit interface and pkttyagent in snap

I have some problems with adopting polkit in factory-reset-tools, a utility for Ubuntu-preinstalled PCs to build USB reset media and reboot into Factory Reset or UEFI firmware setup.

The tool in question can run in a text console, so the same feature can be run remotely via SSH (which is what we usually do for PC hardware enablement). However, in order to allow the polkit prompt to appear in the same SSH session, the program has to run pkttyagent to show the prompt, usually:

  1. user program runs pkttyagent
  2. user program waits for pkttyagent to register with polkitd
  3. user program sends a D-Bus message to the daemon program for an action that requires authorization
  4. daemon program sends a CheckAuthorization request to org.freedesktop.PolicyKit1.Authority to ask for authorization
  5. polkitd finds an agent to ask the user for authorization

Usually, to prevent re-registration, the --fallback parameter is used for pkttyagent, but in a snap package, --fallback could cause the program to prefer displaying the prompt on the desktop (if a desktop session of the same admin user exists) although the program runs in an SSH session. I found that removing --fallback could work, but in the polkit interface calling RegisterAuthenticationAgent is not yet allowed (with --fallback it calls RegisterAuthenticationAgentWithOptions instead).

I tried fwupdmgr (from fwupd) in Snap, but if I am not using sudo for updating firmware in an SSH session, it fails directly when executing functions that require authorization, unless a desktop session of the same admin user exists. The problem does not exist in the Debian package version of fwupd, which shows the authorization prompt from pkttyagent correctly.

My questions are:

  • What causes polkitd / pkttyagent to act differently in snap vs out of snap?
  • Is removing --fallback a fix, or should we find a way to make polkitd treat agents running in a snap the same as agents running outside of it?
  • Do we need to allow RegisterAuthenticationAgent so that pkttyagent can run without --fallback?
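
Steps 1 to 3 above can be sequenced without polling by using pkttyagent's --notify-fd option, which makes the agent close a file descriptor once it has registered with polkitd. The following is an added example, not code from the original post or from factory-reset-tools: start_tty_agent and run_with_agent are hypothetical names, the action callback stands in for the program's own D-Bus call, and extra_args is where a caller would pass --fallback to compare the two registration paths discussed in the post.

```python
import os
import select
import subprocess

def start_tty_agent(agent_argv=("pkttyagent",), extra_args=(), timeout=10.0, grace=0.3):
    """Steps 1-2: start a text agent for this process, return once it has registered."""
    read_fd, write_fd = os.pipe()
    argv = [*agent_argv, "--process", str(os.getpid()),
            "--notify-fd", str(write_fd), *extra_args]
    agent = subprocess.Popen(argv, pass_fds=(write_fd,))
    os.close(write_fd)  # the agent now holds the only write end
    try:
        # pkttyagent closes the notify fd after registering, which shows up
        # here as EOF. A crashed agent also closes it, so check for exit below.
        ready, _, _ = select.select([read_fd], [], [], timeout)
    finally:
        os.close(read_fd)
    if not ready:
        agent.kill()
        agent.wait()
        raise RuntimeError("agent did not register within %.1fs" % timeout)
    try:
        # Assumption: an agent that failed to register exits within `grace` seconds.
        code = agent.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        return agent  # still running after EOF: registered
    raise RuntimeError("agent exited with status %d before registering" % code)

def run_with_agent(action, **agent_kwargs):
    """Step 3 wrapper: run action() (the D-Bus call) only while the agent is registered."""
    agent = start_tty_agent(**agent_kwargs)
    try:
        return action()
    finally:
        agent.terminate()
        agent.wait()
```

A RuntimeError from start_tty_agent separates "the agent could not register" (for example, a denied registration call) from an authorization failure returned later by the daemon's CheckAuthorization request.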