Feedback from OpenSUSE review
Copy pasta from https://bugzilla.suse.com/show_bug.cgi?id=1217178
-
this s_watchershashmap is no longer used: https://invent.kde.org/frameworks/kauth/-/blob/master/src/executejob.cpp?ref_type=heads#L43 -
the function DBusHelperProxy::callerUid() and related functions seem unused: https://invent.kde.org/frameworks/kauth/-/blob/master/src/backends/dbus/DBusHelperProxy.cpp?ref_type=heads#L352 it's still called in HelperProxy::callerUid(), but this in turn isn't called by anybody. Except it would be called externally, but why should that happen? -
in DBusHelperProxy::performAction() this hack here: is really awful. The process is basically multithreaded and the hack isn't thread safe, influences the Qt framework for the complete process. Wouldn't there be a better way to prevent the sketched problem?
The logic was introduced in commit fc70fb01.
-
This "ExtraCallerIDVerificationMethod" is really strange: The
callerIDis an untrusted value supplied by the unprivileged client, when using Polkit. I can only imagine this very strange design is due to the need to also cover the MAC backend with the same interface. It makes absolutely no sense to pass-on this callerID when using Polkit/D-Bus on Linux, it is just a confusing burden. -
It is not great that we pass file paths, we should be able to pass file ids so (see discussion below).
Since this is a KDE6 major release it might be a good time to address some of the problematic design aspects mentioned in c) and d), even if it breaks interfaces.