Maniphest T6561

Polkit support in KIO
Closed, ResolvedPublic
Actions

Description

Add polkit support to KIO using KAuth library. This would allow file management inside read-only directories.

The following steps are taken for gaining root access,

Application starts a job with PrivilegeExecution flag.
The job, after testing for this flag, sets two variables m_privilegeExecutionEnabled and m_operationType. The former variable is responsible for notifying the slave that job wants privileges to be elevated and the latter sets the type of operation which will be used with confirmation dialog.
The job then sets the PrivilegeExecution flag in other sub-jobs which take KIO::JobFlags as argument. It also sets itself as the parent job for other sub-jobs it makes use of. This is also necessary for the confirmation dialog.
Then control transfers to slave. It continues as usual and when certain operation fails it will call execWithElevatedPrivilege() method. This method will first check if the error was caused due to insufficient privileges and if it is indeed the case it will emit privilegeExecData() signal twice.
First time it is for checking if the job actually wanted the privileges to be elevated. In this case once the signal is received by the job, value of m_privilegeExecutionEnabled (in case of SimpleJob it's parent job will be considered) is queried and if true ElevatePrivilege is sent back as reply.
The next signal by the slave asks the job to show the confirmation dialog. For this purpose job calls tryAskPrivilegeOpConfirmation(). This method first checks for the parent job. It will continue checking till there is no parent job.
Once the top-level job is obtained its tryAskPrivilegeOpConfirmation() method will be called and confirmation dialog is shown and if the user confirms then ActionConfirmed is sent back to the slave.
If every step mentioned above succeeds then the slave will call the kauth helper and perform the action with elevated privilege.

Current Status

ChmodJob, DeleteJob, CopyJob, MkPathJob support performing file operations in read-only location.
KNewFileMenu is partially usable. "Create New -> Link to Application" and "Create New -> Link to Location" are not working
Dolphin's context menu will also work is all the writability checks are disabled

ToDo

Finalise approach
Add support for PrivilegeExecution flag in SimpleJob
Add unit tests for the changes till now
Make changes to` KpropertiesDialog` for "Create New -> Link to Application" and "Create New -> Link to Location" work properly
Make changes to FileUndoManager
Add the support for new slave to DropJob
Currently if jobs like copyjob are executed in a loop then multiple warnings are shown. Add a new job for the sole purpose of acting as a parent to those complex jobs created in loop.

Details

Differential Revisions: D7430: Add unit tests for privilege excution in KIO
D7571: Enable modifying root-owned files in Dolphin
D7563: Add privilegeExecution field to file protocol description
D7272: [DropJob] Enable drag and drop in a read-only folder
D7270: [FileUndoManager] Enable undoing changes in read-only folders
D6834: [KNewFileMenu] Enable creating new files in read-only folders
D6833: Add support for privilege execution in KIO jobs
D6832: Integrate new file ioslave in KIO job
D6831: Make use of kauth helper in methods of file ioslave
D6830: Make use of kauth helper in copy method of file ioslave
D6829: Add ability to use the new kauth helper in file ioslave
D6709: Add support for sharing file descriptor between KIO slave and KAuth helper
D6197: Add kauth helper to file ioslave

Related Objects
Search...

		Status	Assigned	Task
		Resolved	chinmoyr	T6561 Polkit support in KIO
		Resolved	chinmoyr	T8075 Fix security issues with KAuth support in KIO

chinmoyr created this task.Jul 22 2017, 9:45 AM

chinmoyr added a revision: D6709: Add support for sharing file descriptor between KIO slave and KAuth helper.Jul 22 2017, 10:40 AM

chinmoyr updated the task description. (Show Details)Jul 22 2017, 10:51 AM

chinmoyr added a revision: D6197: Add kauth helper to file ioslave.Jul 22 2017, 10:59 AM

chinmoyr added a revision: D6829: Add ability to use the new kauth helper in file ioslave.Jul 22 2017, 11:35 AM

chinmoyr removed revisions: D6197: Add kauth helper to file ioslave, D6709: Add support for sharing file descriptor between KIO slave and KAuth helper.

chinmoyr added a revision: D6709: Add support for sharing file descriptor between KIO slave and KAuth helper.

chinmoyr added a revision: D6197: Add kauth helper to file ioslave.

chinmoyr mentioned this in D6831: Make use of kauth helper in methods of file ioslave.Jul 22 2017, 12:03 PM

chinmoyr mentioned this in D6834: [KNewFileMenu] Enable creating new files in read-only folders.Jul 22 2017, 12:42 PM

chinmoyr added revisions: D6830: Make use of kauth helper in copy method of file ioslave, D6831: Make use of kauth helper in methods of file ioslave, D6832: Integrate new file ioslave in KIO job, D6833: Add support for privilege execution in KIO jobs, D6834: [KNewFileMenu] Enable creating new files in read-only folders.

chinmoyr removed revisions: D6834: [KNewFileMenu] Enable creating new files in read-only folders, D6833: Add support for privilege execution in KIO jobs, D6832: Integrate new file ioslave in KIO job, D6831: Make use of kauth helper in methods of file ioslave, D6830: Make use of kauth helper in copy method of file ioslave, D6709: Add support for sharing file descriptor between KIO slave and KAuth helper, D6829: Add ability to use the new kauth helper in file ioslave.Jul 22 2017, 2:38 PM

chinmoyr added a revision: D6709: Add support for sharing file descriptor between KIO slave and KAuth helper.

chinmoyr added a revision: D6829: Add ability to use the new kauth helper in file ioslave.

About the last point: when are CopyJobs created in a loop? That surprises me, they can already deal with multiple source URLs, so one user operation should always result in a single CopyJob. That *is* the toplevel job.

The bit about emitting a signal twice sounds strange (maybe two signals is cleaner?) but I'll need to dig into it to understand better.

In T6561#102612, @dfaure wrote:

About the last point: when are CopyJobs created in a loop? That surprises me, they can already deal with multiple source URLs, so one user operation should always result in a single CopyJob. That *is* the toplevel job.

When renaming multiple files dolphin calls moveAs in a loop (case of multiple sources to multiple destinations).

elvisangelaccio added a project: Frameworks.Jul 29 2017, 10:09 AM

chinmoyr added a revision: D7270: [FileUndoManager] Enable undoing changes in read-only folders.Aug 12 2017, 9:42 AM

chinmoyr added a revision: D7272: [DropJob] Enable drag and drop in a read-only folder.Aug 12 2017, 11:21 AM

elvisangelaccio mentioned this in T5202: [kio_file] Implement KAuth support.Aug 18 2017, 7:53 AM

elvisangelaccio mentioned this in T5071: Polkit support in Dolphin/KIO.Aug 18 2017, 7:59 AM

From the old task T5071, list of bugs to be closed once everything lands:

@chinmoyr @dfaure: one thing we may have overlooked: how do we let clients know if they can set PrivilegeExecution ?

Currently the feature only works if:

KIO version is >= 5.38 (or whatever the version we will merge all the diffs in), and
OS is some Unix

So, if some apps use KIO and support Windows, they would probably have to implement some ifdefs checks.

I was thinking maybe we can extend all the supportsMoving()/supportsDeleting()/etc. KIO functions to return true if the underlying ioslave is polkit-enabled?

But does it hurt if PrivilegeExecution is set on Windows? Nothing different from today will happen, right? At least, that should be the goal.

Then it becomes simple: apps should set the flag if KIO >= 5.38 and the job is user-initiated (not e.g. the app copying some config file somewhere).

Oh, right. Then yes, it should be simpler than I was thinking. Cool!

chinmoyr mentioned this in D7430: Add unit tests for privilege excution in KIO.Aug 20 2017, 9:17 AM

chinmoyr added a revision: D7563: Add privilegeExecution field to file protocol description.Aug 26 2017, 5:47 PM

chinmoyr added a revision: D7571: Enable modifying root-owned files in Dolphin.Aug 27 2017, 1:04 PM

When renaming multiple files dolphin calls moveAs in a loop (case of multiple sources to multiple destinations).

There should be created a BatchRenameJob in KIO that takes care of this. Then we could get proper undo support (currently each rename is undone individually), proper progress display (I had to disable progress reporting or else you end up with a gazillion finished notifications) and now also privilege execution. See also https://phabricator.kde.org/D4372

dfaure added a revision: D7430: Add unit tests for privilege excution in KIO.Sep 3 2017, 8:14 AM

Zren added a subscriber: Zren.Sep 18 2017, 8:38 PM

The recent commit of some of the revisions caused breakage in KIO, possibly breaking BIC: when starting Dolphin I get.

/usr/lib64/qt5/plugins/kf5/kio/file.so: (/usr/lib64/qt5/plugins/kf5/kio/file.so: undefined symbol: _ZN3KIO9SlaveBase25requestPrivilegeOperationEv)

This occurred also to @rwooninck (openSUSE) and @broulik (Neon). This must be fixed and all revisions need to be accepted *before* merging.
Tomorrow I will unconditionally revert the 3 commits that landed unless this is acted upon.

cfeck added a subscriber: cfeck.Oct 13 2017, 10:01 AM

Thanks @lbeltrame and really sorry for the mess.

The commits have been reverted.

rikmills added a subscriber: rikmills.Oct 13 2017, 12:26 PM

Where are we with this? Any idea what caused the breakage, and can we get that fixed so we can move forward?

@ngraham The breakage occured because I didn't pushed D6830 and D6831 along with those three patches.
As for the project's status, the things left are addition of unit tests in KIO and modification of context menu in Dolphin. Well, these things are taking more time than I had expected.