Re: Secure privilege escalation

[Ethan C]

On 2/1/25 16:52, James Carthew wrote:
> Hi,
>
> I've done most of the Power Management settings SystemPreferences.app 
> plugin. I can adjust everything except the IdleActionSec setting. When 
> I try to adjust my slider bar the console is showing.
>
> 2025-02-02 09:18:24.450 SystemPreferences[305786:305786] Failed to set 
> IdleActionSec: Permission denied
>
> I want a way to escalate the privileges of my application to root 
> level, but only for the specific function. I also only want the user 
> to authenticate once and then have their escalated privilege exist 
> until they close the plugin. Similar to the unlock padlock button in 
> OSX's SystemPreferences.app. Does anyone know howto implement this?

I believe the correct way to do this on XDG-compliant Linux systems is 
to use polkit. See 
https://polkit.pages.freedesktop.org/polkit/polkit-apps.html for 
guidance. I would recommend using the GObject library rather than using 
DBusKit in order to control polkit.

Other ways you could do this are to have a setuid binary installed to 
perform the privileged actions, or to simply have another binary that 
runs in a privileged process and listens via some IPC mechanism. I don't 
know if Distributed Objects is secure enough for this; if not you could 
try using D-Bus.

Of course you should try to make sure that there is no other way to 
adjust IdleActionSec, and that adjusting IdleActionSec as root will 
actually perform the desired effect (when the main user is of course not 
root). Also, it might be better to have the application modify the 
permissions during installation or at first start to make IdleActionSec 
editable without root.

Do you know of any other desktop environments that allow adjusting 
IdleActionSec without root? If so, you should see how they implemented it.