On Sat, 12 Oct 2013 10:44:24 +0000
systemdkiosk@xxxxxxxxxxx wrote:

> My main complaint is sudo/root usage. There again, the sys
> interactions are the gotchas. It's not the app but how it
> gets called, reads configs, etc. Other FMs run as root user
> aren't so itchy.

My thoughts ATM are:

1. command line option
   Re-purpose current -u option (it's practically useless, -h is enough)
   -u,--user=ID
   ID is name or number

2. optional plugin
   Optional due to extra dependencies

   WITH_POLKIT = 0
   At session start, pop up a password dialog.
   Use PAM to validate, change installed file /etc/pam.d/emelfm2-session,
   with e.g.

     #%PAM-1.0
     auth sufficient pam_rootok.so
     # Uncomment the following line to implicitly trust users in the "wheel" group.
     #auth sufficient pam_wheel.so trust use_uid
     # Uncomment the following line to require a user to be in the "wheel" group.
     #auth required pam_wheel.so use_uid
     auth include system-auth
     account include system-auth
     password include system-auth
     session optional pam_xauth.so
     session include system-auth

   On success, reconfigure environment etc, much like su command
   libpam dependency

   WITH_POLKIT = 1
   At session start, check for authorised already (is this possible?)
   If not, get authority, persistent through session.
   On success, reconfigure environment etc - needed ?
   libpolkit-gobject dependency

Most of the infrastructure for the above already exists.
I need to figure out how to manipulate PAM and polkit. Maybe your
org.archlinux.custom.pkexec.emelfm2.policy is one starting point.

Help welcome.

Regards
Tom

> Here are my root user setup files, which come to think of,
> I need to fix with the -2 switch someplace, egad.
> XDG_CONFIG_VOLATILE is my own env var, not a standard XDG one.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE policyconfig PUBLIC
>  "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
>  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
> <policyconfig>
>
>   <action id="org.archlinux.custom.pkexec.emelfm2">
>     <message>Authentication is required to manage system files</message>
>     <icon_name>emelfm2</icon_name>
>     <defaults>
>       <allow_any>auth_admin</allow_any>
>       <allow_inactive>auth_admin</allow_inactive>
>       <allow_active>auth_admin</allow_active>
>     </defaults>
>     <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/emelfm2</annotate>
>     <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
>   </action>
>
> </policyconfig>
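
Added example, not part of the original message and not emelFM2 code: a small Python audit of the pkexec policy quoted above. It reports which implicit authorizations and exec annotations widen how the file manager can be started as root. The function name audit_policy and the wording of the findings are assumptions of this example.

```python
import xml.etree.ElementTree as ET
# The policy quoted in the message (archive debris in the DOCTYPE removed).
POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
 <action id="org.archlinux.custom.pkexec.emelfm2">
  <message>Authentication is required to manage system files</message>
  <icon_name>emelfm2</icon_name>
  <defaults>
   <allow_any>auth_admin</allow_any>
   <allow_inactive>auth_admin</allow_inactive>
   <allow_active>auth_admin</allow_active>
  </defaults>
  <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/emelfm2</annotate>
  <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
 </action>
</policyconfig>
"""
PREFIX = "org.freedesktop.policykit.exec."

def audit_policy(xml_bytes):
    """Return {action_id: [finding, ...]} for a polkit .policy document."""
    report = {}
    for action in ET.fromstring(xml_bytes).iter("action"):
        notes = []
        annot = {a.get("key"): (a.text or "").strip() for a in action.iter("annotate")}
        path = annot.get(PREFIX + "path", "")
        if not path.startswith("/"):
            notes.append("exec.path missing or not absolute")
        if annot.get(PREFIX + "allow_gui"):  # pkexec treats any non-empty value as set
            notes.append("allow_gui: DISPLAY and XAUTHORITY reach the root process")
        for scope in ("allow_any", "allow_inactive", "allow_active"):
            value = (action.findtext("defaults/" + scope) or "").strip()
            if value == "yes":
                notes.append(scope + "=yes: no authentication required")
            elif value.startswith("auth_self"):
                notes.append(scope + "=" + value + ": the user's own password is enough")
            if value.endswith("_keep"):
                notes.append(scope + "=" + value + ": authorization is cached for a while")
            if scope != "allow_active" and value not in ("", "no"):
                notes.append(scope + "=" + value + ": not limited to the active local session")
        report[action.get("id")] = notes
    return report

if __name__ == "__main__":
    for action_id, notes in audit_policy(POLICY).items():
        print(action_id, *notes, sep="\n  - ")
```

For the quoted policy this reports the allow_gui annotation and the two non-"no" defaults for allow_any and allow_inactive; every scope still requires administrator authentication.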