--- Comment #16 from Hrvoje Senjan firstname.lastname@example.org 2014-03-26 09:18:26 UTC --- (In reply to comment #14) First, just to say that this is a patch for polkit-qt-1, based and slightly extended on Raymond's.
Thats racy and the thing we want to fix. Your patch proposal also integrates the uid, but I fear thats the uid of the currently running process (root == 0). From the small patch I cannot see where the uid is coming from. If that would be the uid of the requesting user, that would be fine (although not perfect if suid helpers request DBUS services).
In reality, we have no SUID helpers in KDE - except for the kdeinit's OOM killer ;-) UID is the one of the requesting user - i've tested the patch, and from user perspective, things still operate as before - e.g. for killing other users processes in KSysGuard i need to enter root pass, also for changing clock, etc.
The preferred way is to use system-bus-name polkit authorization. polkit-qt bindings seem to offer SystemBusNameSubject class already, so is it possible to use that in KAuth rather than UnixProcess subjects?
As Raymond pointed out, our chances for chaning the internals are more for the KAuth framework/polkiq-qt-1 based on Qt5, rather than in kdelibs4/Qt4 world...