KIO Admin

Thursday, 4 August 2022

I’ve gotten annoyed with the inability to manage system files so I’ve made a KIO worker that enables Dolphin to view and edit files as root.

This is dolphin viewing the system root with administrative access.

The way this works is actually fairly exciting. It’s pulling off worker chaining: The admin worker itself contains gloriously little logic, all it does is translate all worker calls to dbus calls, and those dbus calls go out to a privileged polkit helper. The polkit helper then translates the URIs from admin:///foo to file:///foo and uses the regular KIO API to recreate the request in root-scope. KIO then, behind the scenes, acts just like it would in dolphin proper, using the existing file worker code to execute the file operations.
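To make the translation step concrete, here is an added example (not KIO Admin's own code) of the admin:// to file:// mapping a privileged helper has to perform before handing a request to KIO, together with the checks a reviewer would want: only the admin scheme is forwarded, a host component is rejected instead of being silently dropped, and the path is canonicalized so that polkit checks and logs see one form. The function names are hypothetical and the URIs are assumed to be plain, not percent-encoded.

```cpp
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Collapse "." and ".." segments and repeated slashes so the helper always
// works on a canonical absolute path ("/etc/../root/.ssh" -> "/root/.ssh").
std::string normalizePath(const std::string &path) {
    std::vector<std::string> parts;
    std::stringstream ss(path);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const auto &p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Shared scheme check: accept only "<scheme>:///<absolute path>". Anything with
// a host ("admin://host/etc") or a different scheme yields std::nullopt, so the
// root-scope worker never receives a URI the unprivileged side did not intend.
std::optional<std::string> rewriteScheme(const std::string &uri,
                                         const std::string &from,
                                         const std::string &to) {
    const std::string prefix = from + "://";
    if (uri.compare(0, prefix.size(), prefix) != 0) return std::nullopt;
    std::string rest = uri.substr(prefix.size());
    if (rest.empty() || rest[0] != '/') return std::nullopt; // host or no path
    return to + "://" + normalizePath(rest);
}

// Request direction: admin:///foo -> file:///foo, done inside the helper
// after polkit has authorized the caller.
std::optional<std::string> adminToFile(const std::string &uri) {
    return rewriteScheme(uri, "admin", "file");
}

// Result direction: listings and error messages produced by the file worker
// are mapped back so Dolphin only ever sees admin:// URIs.
std::optional<std::string> fileToAdmin(const std::string &uri) {
    return rewriteScheme(uri, "file", "admin");
}
```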

The advantages are amazing! It’s fairly little actual code (albeit a lot of boilerplate). Since it’s an ordinary worker on the Dolphin side we can expect all file operations to just work™ because really admin:// is just like trash:// or desktop://. Because ultimately the file worker is actually in charge of doing the work, all things are generally expected to work (it’s the same code that powers regular file operations).

Disadvantageously it’s a fairly large portal into root-scope, meaning the worker should really only be used in trusted environments (e.g. with only sandboxed applications on the system ;)). Even with polkit guarding the entrance, once you have given permissions you have to trust the application (e.g. dolphin) to not get exploited.

“But why a dedicated worker instead of integrated polkit support in the file worker?” Why, I’m glad you asked! Integrated polkit support sounds simple but is really rocket science. For example there is currently no good architectural way to “catch” operations that had gone wrong - you try to copy a file to `/srv` and that fails with 🤖PERMISSION DENIED🤖 but there is no consistent way to then go “well, let’s retry this entire operation with privileges then” so without huge code refactoring first, we’d end up tucking fallback logic onto every which error scenario… it’s messy and also easy to miss or mess up edge cases. There are also user experience problems. You’d not want to have every internal operation require dedicated permission, so you kind of have to bundle them up and then request permission for the bundle; but how do you know when a bundle is complete? It’s really frightfully complicated.

In conclusion admin:// is awesome today. Maybe one day integrated polkit will also be awesome.

Reviews and testing appreciated (mind the readme - this currently wants some patching elsewhere in the stack).