Reputation: 124
I have a little DBus-activated daemon that registers itself on the system bus but runs as the GDM user (the idea is to allow setting dconf settings and other things from a normal user), and it works fine. The point is that I want to restrict access to a specific UID, requiring the user to type their password when changing the UID allowed to make changes. I tried using polkit, defining a file with "auth_admin" and calling "polkit_authority_check_authorization" with the "POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION" flag, but I receive this error:
Error: GDBus.Error:org.freedesktop.PolicyKit1.Error.NotAuthorized: Only trusted callers (e.g. uid 0 or an action owner) can use CheckAuthorization() for subjects belonging to other identities
How can I do this authentication?
The piece of code in the daemon running as GDM user:
g_autoptr (PolkitAuthority) authority = NULL;
g_autoptr (PolkitAuthorizationResult) result = NULL;
g_autoptr (PolkitSubject) sender = NULL;
GError *error = NULL;

/* The subject is the D-Bus caller, identified by its unique bus name */
sender = polkit_system_bus_name_new (g_dbus_method_invocation_get_sender (invocation));
authority = polkit_authority_get_sync (NULL, NULL);

/* The action id must match the <action id="..."> declared in the .policy file */
result = polkit_authority_check_authorization_sync (authority,
                                                    sender,
                                                    "org.gnome.GdmSettings.SetAllowedUID",
                                                    NULL,
                                                    POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
                                                    NULL,
                                                    &error);
set_timeout ();
if (error != NULL) {
    g_print ("Error: %s\n", error->message);
    g_error_free (error);
}
(I know that I shouldn't use a _sync call with that flag, but this is still a proof-of-concept; when it works, I'll use the async version).
And this is the org.gnome.GdmSettings.SetAllowedUID.policy file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The GNOME Project</vendor>
  <vendor_url>http://www.gnome.org/</vendor_url>
  <action id="org.gnome.GdmSettings.SetAllowedUID">
    <description>Manage Gdm Settings</description>
    <message>Authentication is required to change GDM data</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
which is installed at /usr/share/polkit-1/actions. I tried with auth_admin_keep and auth_self_keep, but it always returns the same.
And this is the org.gnome.GdmSettings.service file:
[Unit]
Description=GNOME Display Manager Settings
[D-BUS Service]
Name=org.gnome.GdmSettings
Exec=/usr/bin/dbus-launch @daemon@
User=@gdm_user@
(I launch it with dbus-launch because dconf requires the session bus to allow setting keys.)
Upvotes: 0
Views: 781
Reputation: 124
Ok, I found the solution: I have to add
<annotate key="org.freedesktop.policykit.owner">unix-user:@gdm_user@</annotate>
to the .policy file.
Upvotes: 0
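As an added example (not code from the question, the answer, or the GNOME project): a small Python check for the two things that go wrong in this thread, an action id that the daemon passes to CheckAuthorization() but that no <action id="..."> in the .policy file declares, and a daemon that is not root and therefore needs the org.freedesktop.policykit.owner annotation naming its unix user. The policy text below is a constructed sample built from the one in the question, with @gdm_user@ substituted by "gdm" for illustration; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

OWNER_KEY = "org.freedesktop.policykit.owner"
DEFAULT_KEYS = ("allow_any", "allow_inactive", "allow_active")
VALID_DEFAULTS = {"no", "yes", "auth_self", "auth_admin",
                  "auth_self_keep", "auth_admin_keep"}


def parse_policy(xml_text):
    """Map each <action id> in a .policy document to its defaults and owners."""
    root = ET.fromstring(xml_text)
    actions = {}
    for action in root.findall("action"):
        defaults_el = action.find("defaults")
        defaults = {} if defaults_el is None else {
            child.tag: (child.text or "").strip() for child in defaults_el}
        owners = []
        for ann in action.findall("annotate"):
            if ann.get("key") == OWNER_KEY and ann.text:
                # polkit takes a whitespace-separated list of identities here
                owners.extend(ann.text.split())
        actions[action.get("id")] = {"defaults": defaults, "owners": owners}
    return actions


def check_policy(xml_text, action_id, daemon_user):
    """Return the problems that would stop a daemon running as daemon_user
    from checking action_id; an empty list means the setup is consistent."""
    problems = []
    actions = parse_policy(xml_text)
    if action_id not in actions:
        problems.append(f"action {action_id!r} is not declared "
                        f"(declared: {sorted(actions)})")
        return problems
    entry = actions[action_id]
    for key in DEFAULT_KEYS:
        value = entry["defaults"].get(key)
        if value not in VALID_DEFAULTS:
            problems.append(f"{key} is {value!r}, not a polkit default value")
    # Only uid 0 or an action owner may call CheckAuthorization() for other subjects
    if daemon_user != "root":
        wanted = f"unix-user:{daemon_user}"
        if wanted not in entry["owners"]:
            problems.append(f"daemon runs as {daemon_user!r} but the action has no "
                            f"<annotate key=\"{OWNER_KEY}\">{wanted}</annotate>")
    return problems


ACTION = "org.gnome.GdmSettings.SetAllowedUID"

# Constructed sample policy (hypothetical daemon user "gdm"); {owner} is the
# slot where the answer's annotation goes.
POLICY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The GNOME Project</vendor>
  <action id="org.gnome.GdmSettings.SetAllowedUID">
    <description>Manage Gdm Settings</description>
    <message>Authentication is required to change GDM data</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    {owner}
  </action>
</policyconfig>
"""
POLICY_BEFORE = POLICY_TEMPLATE.format(owner="")
POLICY_AFTER = POLICY_TEMPLATE.format(
    owner=f'<annotate key="{OWNER_KEY}">unix-user:gdm</annotate>')

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        # The first id is the truncated one from the question's C snippet
        for action_id in ("org.gnome.GdmSettings.", ACTION):
            print(label, action_id, check_policy(policy, action_id, "gdm") or "OK")
```

Run it against the real file with the action id copied from the daemon source; an empty result for your daemon's user is what makes the "Only trusted callers" error go away, while a root daemon needs no owner annotation at all.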