git.delta.rocks / remowt / refs/commits / 7c2fb57d5b71

--- /dev/null
+++ b/cmds/polkit-agent/Cargo.toml
@@ -0,0 +1,18 @@
+[package]
+name = "polkit-agent"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = "1.0.86"
+pam-client = "0.5.0"
+polkit-shared = { version = "0.1.0", path = "../../crates/polkit-shared" }
+rand = "0.8.5"
+serde = { version = "1.0.204", features = ["derive"] }
+tokio = { version = "1.39.2", features = ["rt-multi-thread", "fs", "macros"] }
+tracing = "0.1.40"
+tracing-subscriber = "0.3.18"
+ui-prompt = { version = "0.1.0", path = "../../crates/ui-prompt" }
+uuid = { version = "1.10.0", features = ["v4"] }
+zbus = { version = "4.4.0", features = ["tokio"] }
+zbus_polkit = { version = "4.0.0", features = ["tokio"] }

--- /dev/null
+++ b/cmds/polkit-agent/src/main.rs
@@ -0,0 +1,177 @@
+use std::collections::HashMap;
+use std::future;
+use std::marker::PhantomData;
+use std::sync::{Mutex, RwLock};
+
+use polkit_shared::{BackendRequest, Identity};
+use tokio::runtime::Handle;
+use tokio::task::{AbortHandle, JoinHandle, LocalSet};
+use tracing::trace;
+use ui_prompt::dbus::DbusPrompterInterface;
+use ui_prompt::rofi::RofiPrompter;
+use ui_prompt::Prompter;
+use zbus::zvariant::{OwnedValue, Str};
+use zbus::ObjectServer;
+use zbus::{interface, proxy, Connection};
+use zbus_polkit::policykit1::Subject;
+
+struct TemporaryPrompterInterface<P: Prompter + Send + Sync + 'static> {
+    connection: Connection,
+    path: String,
+    _marker: PhantomData<P>,
+}
+impl<P: Prompter + Send + Sync + 'static> TemporaryPrompterInterface<P> {
+    async fn new(connection: Connection, prompter: P) -> Self {
+        let path = format!(
+            "/remowt/prompters/{}",
+            uuid::Uuid::new_v4().to_string().replace("-", "_")
+        );
+        let _ = connection
+            .object_server()
+            .at(path.clone(), DbusPrompterInterface(prompter))
+            .await;
+        Self {
+            connection,
+            path,
+            _marker: PhantomData,
+        }
+    }
+}
+impl<P: Prompter + Send + Sync + 'static> Drop for TemporaryPrompterInterface<P> {
+    fn drop(&mut self) {
+        // FIXME: block_in_place prevents to moving to current_thread runtime
+        // There should be a blocking way to remove ObjectServer listener.
+        // As far as I can see, it is only async because of async RwLock, shouldn't it be
+        // just a sync lock?
+        tokio::task::block_in_place(move || {
+            Handle::current().block_on(async {
+                let _ = self
+                    .connection
+                    .object_server()
+                    .remove::<DbusPrompterInterface<P>, String>(self.path.clone())
+                    .await;
+            });
+        });
+    }
+}
+
+struct Agent {
+    helper: PolkitHelperProxy<'static>,
+    tasks: Mutex<HashMap<String, AbortHandle>>,
+    connection: Connection,
+}
+impl Agent {
+    async fn new(connection: Connection) -> anyhow::Result<Self> {
+        Ok(Self {
+            helper: PolkitHelperProxy::new(&connection).await?,
+            tasks: Mutex::new(HashMap::new()),
+            connection,
+        })
+    }
+}
+
+#[interface(name = "org.freedesktop.PolicyKit1.AuthenticationAgent")]
+impl Agent {
+    /// BeginAuthentication method
+    #[allow(clippy::too_many_arguments)]
+    async fn begin_authentication(
+        &mut self,
+        action_id: String,
+        message: String,
+        icon_name: String,
+        details: HashMap<String, String>,
+        cookie: String,
+        identities: Vec<Identity>,
+    ) -> zbus::fdo::Result<()> {
+        trace!("begin auth");
+        let task = {
+            let connection = self.connection.clone();
+            let helper = self.helper.clone();
+            let cookie = cookie.clone();
+            tokio::task::spawn(async move {
+                trace!("conversation task");
+                let prompter = TemporaryPrompterInterface::new(connection, RofiPrompter).await;
+                helper
+                    .init_conversation(
+                        BackendRequest {
+                            cookie: cookie.to_owned(),
+                            environment: HashMap::new(),
+                            prompter_path: prompter.path.clone(),
+                            // TODO: Let user choose
+                            identity: identities.get(0).expect("first always exists").clone(),
+                        }, // cookie.to_owned(), HashMap::new(), prompter.path.clone()
+                    )
+                    .await?;
+                println!("ASKED");
+                dbg!(action_id, message, icon_name, details, cookie, identities);
+
+                Ok(())
+            })
+        };
+
+        self.tasks
+            .lock()
+            .unwrap()
+            .insert(cookie.clone(), task.abort_handle());
+        let result = task.await.expect("join error");
+        // The only way to no reach this line, is to either panic in previous line, or if authorization cancelled,
+        // while cancellation will remove task by itself.
+        // TODO: But still it would be better to have abort guard, which will remove it from HashMap
+        self.tasks.lock().unwrap().remove(&cookie);
+
+        result
+    }
+
+    /// CancelAuthentication method
+    async fn cancel_authentication(&self, cookie: &str) -> zbus::fdo::Result<()> {
+        trace!("cancel auth");
+        if let Some(abort) = self.tasks.lock().unwrap().remove(cookie) {
+            abort.abort();
+        }
+        // debug!("Authentication cancled ! {cookie}");
+        Ok(())
+    }
+}
+
+const OBJ_PATH: &str = "/0lach/polkitAgent";
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    tracing_subscriber::fmt::init();
+
+    trace!("started");
+    let conn = Connection::system().await?;
+
+    let proxy = zbus_polkit::policykit1::AuthorityProxy::new(&conn).await?;
+    conn.object_server()
+        .at(OBJ_PATH, Agent::new(conn.clone()).await?)
+        .await?;
+
+    let session_id = std::env::var("XDG_SESSION_ID")?;
+    let mut details = HashMap::new();
+    let val: OwnedValue = {
+        let wrapped: Str<'_> = session_id.into();
+        wrapped.into()
+    };
+    details.insert("session-id".to_string(), val);
+    proxy
+        .register_authentication_agent(
+            &Subject {
+                subject_kind: "unix-session".to_string(),
+                subject_details: details,
+            },
+            "C",
+            OBJ_PATH,
+        )
+        .await?;
+
+    future::pending().await
+}
+
+#[proxy(
+    interface = "lach.PolkitHelper",
+    default_service = "lach.polkit.helper1",
+    default_path = "/lach/PolkitHelper"
+)]
+trait PolkitHelper {
+    fn init_conversation(&self, request: BackendRequest) -> zbus::Result<()>;
+}

--- /dev/null
+++ b/cmds/polkit-backend/Cargo.toml
@@ -0,0 +1,17 @@
+[package]
+name = "polkit-backend"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = "1.0.86"
+clap = { version = "4.5.11", features = ["derive"] }
+nix = "0.29.0"
+pam-client = "0.5.0"
+polkit-shared = { version = "0.1.0", path = "../../crates/polkit-shared" }
+tokio = { version = "1.39.2", features = ["macros", "rt", "rt-multi-thread"] }
+tracing = "0.1.40"
+tracing-subscriber = "0.3.18"
+ui-prompt = { version = "0.1.0", path = "../../crates/ui-prompt" }
+zbus = { version = "4.4.0", features = ["tokio"] }
+zbus_polkit = { version = "4.0.0", features = ["tokio"] }

--- /dev/null
+++ b/cmds/polkit-backend/etc/systemd/system/remowt-polkit-helper.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Remowt polkit helper service
+
+[Service]
+Type=dbus
+BusName=lach.polkit.helper1
+ExecStart=@libexecdir@/polkit-helper
+# TODO: Hardening
+
+[Install]
+WantedBy=multi-user.target
+Alias=dbus-lach.polkit.helper1.service

--- /dev/null
+++ b/cmds/polkit-backend/share/dbus-1/system-services/lach.polkit.helper1.conf
@@ -0,0 +1,5 @@
+[D-BUS Service]
+Name=lach.polkit.helper1
+Exec=/bin/false
+User=root
+SystemdService=dbus-lach.polkit.helper1.service

--- /dev/null
+++ b/cmds/polkit-backend/share/dbus-1/system.d/lach.polkit.helper1.conf
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "https://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+	<policy user="root">
+		<allow own = "lach.polkit.helper1"/>
+		<allow send_interface="lach.PolkitInputHandler"/>
+	</policy>
+	<policy context="default">
+		<allow send_destination="lach.polkit.helper1"/>
+		<deny send_interface="lach.PolkitInputHandler"/>
+	</policy>
+</busconfig>

--- /dev/null
+++ b/cmds/polkit-backend/src/main.rs
@@ -0,0 +1,238 @@
+use std::collections::{HashMap, HashSet};
+use std::ffi::{CStr, CString};
+use std::future::pending;
+use std::sync::LazyLock;
+
+use anyhow::Context as _;
+use clap::Parser;
+use nix::unistd::{setuid, Uid, User};
+use pam_client::{Context, ConversationHandler, ErrorCode, Flag};
+use polkit_shared::BackendRequest;
+use tokio::runtime::Handle;
+use tokio::task::{block_in_place, spawn_blocking};
+use tracing::trace;
+use ui_prompt::dbus::DbusPrompterProxyBlocking;
+use ui_prompt::{BlockingPrompter, Prompter};
+use zbus::fdo;
+use zbus::message::Header;
+use zbus::zvariant::OwnedValue;
+use zbus::{blocking, interface, proxy, Connection};
+
+struct Helper {
+    connection: Connection,
+    blocking_connection: blocking::Connection,
+}
+
+static ALLOWED_ENVIRONMENT: LazyLock<HashSet<&str>> = LazyLock::new(|| {
+    [
+        // pam ssh agent auth
+        "SSH_AUTH_SOCK",
+        // ssh itself provides this when running PAM
+        "SSH_AUTH_INFO_0",
+        // contains user which ran sudo
+        "SUDO_USER",
+    ]
+    .into_iter()
+    .collect()
+});
+
+struct Conversation<P>(P);
+impl<P: BlockingPrompter> Conversation<P> {
+    fn prompt_inner(&self, echo: bool, prompt: &CStr) -> Result<CString, ErrorCode> {
+        trace!("do prompt");
+        let out = self
+            .0
+            .prompt_text(
+                echo,
+                &prompt.to_string_lossy(),
+                "Polkit prompt request",
+                &[],
+            )
+            .map_err(|e| {
+                trace!("prompt error: {e}");
+                ErrorCode::CONV_ERR
+            })?;
+        CString::new(out).map_err(|_| ErrorCode::CONV_AGAIN)
+    }
+    fn text_inner(&self, error: bool, msg: &CStr) {
+        trace!("do text");
+        let msg = msg.to_string_lossy();
+        let _ = self.0.display_text(error, &msg, &[]);
+    }
+}
+impl<P: BlockingPrompter> ConversationHandler for Conversation<P> {
+    fn prompt_echo_on(&mut self, prompt: &CStr) -> Result<CString, ErrorCode> {
+        self.prompt_inner(true, prompt)
+    }
+
+    fn prompt_echo_off(&mut self, prompt: &CStr) -> Result<CString, ErrorCode> {
+        self.prompt_inner(false, prompt)
+    }
+
+    fn text_info(&mut self, msg: &CStr) {
+        self.text_inner(false, msg)
+    }
+
+    fn error_msg(&mut self, msg: &CStr) {
+        self.text_inner(true, msg)
+    }
+
+    fn radio_prompt(&mut self, prompt: &CStr) -> Result<bool, ErrorCode> {
+        let prompt = prompt.to_string_lossy();
+        let result = self
+            .0
+            .prompt_radio(&prompt, "Polkit prompt request", &[])
+            .map_err(|_| ErrorCode::CONV_ERR)?;
+        Ok(result)
+    }
+}
+
+#[proxy(
+    default_service = "org.freedesktop.DBus",
+    default_path = "/org/freedesktop/DBus"
+)]
+trait DBus {
+    fn get_connection_credentials(&self, body: &str) -> zbus::Result<HashMap<String, OwnedValue>>;
+}
+
+#[interface(name = "lach.PolkitHelper")]
+impl Helper {
+    async fn init_conversation(
+        &self,
+        request: BackendRequest,
+        #[zbus(header)] hdr: Header<'_>,
+    ) -> fdo::Result<()> {
+        let Some(sender) = hdr.sender().map(|v| v.to_owned()) else {
+            trace!("missing sender");
+            return Err(fdo::Error::AuthFailed("missing sender".to_owned()));
+        };
+
+        let dbus = DBusProxy::new(&self.connection).await?;
+
+        // TOCTOU: sender might be already disconnected, and there might be another
+        // user with different user id here, but does it matters?
+        let reply = dbus.get_connection_credentials(&sender).await?;
+        let uid: u32 = (&reply["UnixUserID"]).try_into().unwrap();
+
+        let blocking_connection = self.blocking_connection.clone();
+        let thread_result: fdo::Result<()> = block_in_place(move || {
+            trace!("find user");
+            let user = User::from_uid(Uid::from_raw(uid))
+                .map_err(|_| fdo::Error::AuthFailed("error querying user".to_owned()))?
+                .ok_or_else(|| fdo::Error::AuthFailed("uid not found".to_owned()))?;
+
+            let responder = DbusPrompterProxyBlocking::new(
+                &blocking_connection,
+                sender,
+                request.prompter_path,
+            )?;
+            let conversation = Conversation(responder);
+            trace!("run context for {}", &user.name);
+            let mut ctx = Context::new(
+                // TODO: Should another scope be used?
+                "login",
+                Some(&user.name),
+                conversation,
+            )
+            .map_err(|_| fdo::Error::Failed("pam context init failed".to_owned()))?;
+
+            trace!("fill env");
+            for (k, v) in request.environment {
+                if k.contains('=') || !ALLOWED_ENVIRONMENT.contains(k.as_str()) {
+                    continue;
+                }
+                let _ = ctx.putenv(format!("{k}={v}"));
+            }
+
+            trace!("authenticate");
+            ctx.authenticate(Flag::NONE)
+                .map_err(|_| fdo::Error::AuthFailed("pam authentication failed".to_owned()))?;
+
+            trace!("acct mgmt");
+            ctx.acct_mgmt(Flag::NONE)
+                .map_err(|_| fdo::Error::AuthFailed("pam acct mgmt failed".to_owned()))?;
+
+            Ok(())
+        });
+
+        thread_result?;
+
+        trace!("respond");
+        let proxy = zbus_polkit::policykit1::AuthorityProxy::new(&self.connection).await?;
+
+        let identity_details = request
+            .identity
+            .details
+            .iter()
+            .map(|(k, v)| (k.as_str(), (**v).try_clone().expect("success")))
+            .collect::<HashMap<_, _>>();
+        proxy
+            .authentication_agent_response2(
+                uid,
+                &request.cookie,
+                &zbus_polkit::policykit1::Identity {
+                    identity_kind: &request.identity.kind,
+                    identity_details: &identity_details,
+                },
+            )
+            .await?;
+        Ok(())
+    }
+}
+
+const OBJ_PATH: &str = "/lach/PolkitHelper";
+
+#[derive(Parser)]
+struct Opts {
+    /// Not recommended: start as a session connection, then use escalation
+    /// to respond to polkit requests.
+    #[arg(long)]
+    session: bool,
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    tracing_subscriber::fmt::init();
+    let opts = Opts::parse();
+    let connection = if opts.session {
+        Connection::session().await
+    } else {
+        Connection::system().await
+    }
+    .context("failed to open connection")?;
+
+    let session = opts.session;
+    let blocking_connection: anyhow::Result<blocking::Connection> = spawn_blocking(move || {
+        Ok(if session {
+            blocking::Connection::session()?
+        } else {
+            blocking::Connection::system()?
+        })
+    })
+    .await?;
+    let blocking_connection = blocking_connection.context("failed to open blocking connection")?;
+
+    if opts.session {
+        setuid(Uid::from_raw(0))
+            .context("polkit-backend needs to be suid if run in session mode")?;
+    }
+
+    connection
+        .object_server()
+        .at(
+            OBJ_PATH,
+            Helper {
+                connection: connection.clone(),
+                blocking_connection,
+            },
+        )
+        .await
+        .context("failed listen path")?;
+
+    connection
+        .request_name("lach.polkit.helper1")
+        .await
+        .context("failed to request name")?;
+
+    pending().await
+}

--- /dev/null
+++ b/crates/polkit-shared/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "polkit-shared"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+serde = { version = "1.0.204", features = ["derive"] }
+zbus = "4.4.0"

--- /dev/null
+++ b/crates/polkit-shared/src/lib.rs
@@ -0,0 +1,31 @@
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+use zbus::zvariant::{OwnedValue, Type};
+
+#[derive(Serialize, Deserialize, Type, PartialEq, Debug)]
+pub struct Identity {
+    pub kind: String,
+    pub details: HashMap<String, OwnedValue>,
+}
+
+impl Clone for Identity {
+    fn clone(&self) -> Self {
+        Self {
+            kind: self.kind.clone(),
+            details: self
+                .details
+                .iter()
+                .map(|(k, v)| (k.clone(), v.try_clone().expect("no fds are expected")))
+                .collect(),
+        }
+    }
+}
+
+#[derive(Serialize, Deserialize, Type, PartialEq, Debug)]
+pub struct BackendRequest {
+    pub cookie: String,
+    pub environment: HashMap<String, String>,
+    pub prompter_path: String,
+    pub identity: Identity,
+}

--- /dev/null
+++ b/crates/ui-prompt/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "ui-prompt"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+serde = "1.0.204"
+thiserror = "1.0.63"
+tokio = { version = "1.39.2", features = ["io-util", "macros", "process", "rt"] }
+tracing = "0.1.40"
+zbus = { version = "4.4.0", optional = true }
+
+[features]
+default = ["dbus"]
+dbus = ["dep:zbus"]

--- /dev/null
+++ b/crates/ui-prompt/src/dbus.rs
@@ -0,0 +1,123 @@
+use zbus::interface;
+use zbus::{fdo, proxy};
+
+use crate::Source;
+use crate::{BlockingPrompter, Result};
+use crate::{Error, Prompter};
+
+pub struct DbusPrompterInterface<P>(pub P);
+#[interface(name = "lach.PolkitInputHandler")]
+impl<P: Prompter + Send + Sync + 'static> DbusPrompterInterface<P> {
+    async fn prompt_radio(
+        &self,
+        prompt: &str,
+        description: &str,
+        source: Vec<Source>,
+    ) -> fdo::Result<bool> {
+        Ok(self.0.prompt_radio(prompt, description, &source).await?)
+    }
+    async fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: Vec<Source>,
+    ) -> fdo::Result<String> {
+        Ok(self
+            .0
+            .prompt_text(echo, prompt, description, &source)
+            .await?)
+    }
+    async fn display_text(
+        &self,
+        error: bool,
+        description: &str,
+        source: Vec<Source>,
+    ) -> fdo::Result<()> {
+        Ok(self.0.display_text(error, description, &source).await?)
+    }
+}
+
+#[proxy(interface = "lach.PolkitInputHandler")]
+trait DbusPrompter {
+    async fn prompt_radio(
+        &self,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> fdo::Result<bool>;
+    async fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> fdo::Result<String>;
+    async fn display_text(
+        &self,
+        error: bool,
+        description: &str,
+        source: &[Source],
+    ) -> fdo::Result<()>;
+}
+
+impl Prompter for DbusPrompterProxy<'_> {
+    async fn prompt_radio(
+        &self,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<bool> {
+        Ok(self.prompt_radio(prompt, description, source).await?)
+    }
+
+    async fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<String> {
+        Ok(self.prompt_text(echo, prompt, description, source).await?)
+    }
+
+    async fn display_text(&self, error: bool, description: &str, source: &[Source]) -> Result<()> {
+        Ok(self.display_text(error, description, source).await?)
+    }
+}
+impl BlockingPrompter for DbusPrompterProxyBlocking<'_> {
+    fn prompt_radio(&self, prompt: &str, description: &str, source: &[Source]) -> Result<bool> {
+        Ok(self.prompt_radio(prompt, description, source)?)
+    }
+
+    fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<String> {
+        Ok(self.prompt_text(echo, prompt, description, source)?)
+    }
+
+    fn display_text(&self, error: bool, description: &str, source: &[Source]) -> Result<()> {
+        Ok(self.display_text(error, description, source)?)
+    }
+}
+
+impl From<fdo::Error> for Error {
+    fn from(value: fdo::Error) -> Self {
+        if matches!(value, fdo::Error::NoReply(_)) {
+            return Self::Cancel;
+        }
+        Self::InputError(format!("{value}"))
+    }
+}
+impl From<Error> for fdo::Error {
+    fn from(value: Error) -> Self {
+        match value {
+            Error::Cancel => fdo::Error::NoReply("input was cancelled".to_owned()),
+            Error::InputError(e) => fdo::Error::Failed(e),
+        }
+    }
+}

--- /dev/null
+++ b/crates/ui-prompt/src/lib.rs
@@ -0,0 +1,104 @@
+use core::fmt;
+use std::borrow::Cow;
+use std::future::Future;
+use std::result;
+
+pub mod dbus;
+pub mod rofi;
+
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+    #[error("user has cancelled input")]
+    Cancel,
+    #[error("input error: {0}")]
+    InputError(String),
+}
+
+pub type Result<T, E = Error> = result::Result<T, E>;
+
+#[cfg_attr(feature = "dbus", derive(zbus::zvariant::Type))]
+#[derive(serde::Serialize, serde::Deserialize, Clone)]
+pub struct Source(Cow<'static, str>);
+impl fmt::Display for Source {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "<u>{}</u>", self.0)
+    }
+}
+
+pub trait Prompter {
+    fn prompt_radio(
+        &self,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> impl Future<Output = Result<bool>> + Send;
+    fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> impl Future<Output = Result<String>> + Send;
+    fn display_text(
+        &self,
+        error: bool,
+        description: &str,
+        source: &[Source],
+    ) -> impl Future<Output = Result<()>> + Send;
+}
+pub trait BlockingPrompter {
+    fn prompt_radio(&self, prompt: &str, description: &str, source: &[Source]) -> Result<bool>;
+    fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<String>;
+    fn display_text(&self, error: bool, description: &str, source: &[Source]) -> Result<()>;
+}
+
+pub struct PrependSourcePrompter<P> {
+    prompter: P,
+    source: Vec<Source>,
+}
+impl<P> PrependSourcePrompter<P> {
+    fn source(&self, input: &[Source]) -> Vec<Source> {
+        let mut out = self.source.clone();
+        out.extend(input.iter().cloned());
+        out
+    }
+}
+impl<P> Prompter for PrependSourcePrompter<P>
+where
+    P: Prompter + Sync,
+{
+    async fn prompt_radio(
+        &self,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<bool> {
+        self.prompter
+            .prompt_radio(prompt, description, &self.source(source))
+            .await
+    }
+
+    async fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<String> {
+        self.prompter
+            .prompt_text(echo, prompt, description, &self.source(source))
+            .await
+    }
+
+    async fn display_text(&self, error: bool, description: &str, source: &[Source]) -> Result<()> {
+        self.prompter
+            .display_text(error, description, &self.source(source))
+            .await
+    }
+}

--- /dev/null
+++ b/crates/ui-prompt/src/rofi.rs
@@ -0,0 +1,176 @@
+use std::process::Stdio;
+
+use tokio::io::AsyncWriteExt;
+use tokio::process::Command;
+use tracing::trace;
+
+use crate::{Error, Prompter, Result, Source};
+
+pub struct RofiPrompter;
+
+impl Prompter for RofiPrompter {
+    async fn prompt_radio(
+        &self,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<bool> {
+        trace!("rofi radio");
+        let mut cmd = Command::new("rofi");
+        let mesg = if source.is_empty() {
+            description.to_owned()
+        } else {
+            let mut out = format!("{description}\n\n<b>Requested on ",);
+            for s in source.iter() {
+                out.push_str(&s.to_string());
+            }
+            out.push_str("</b>");
+            out
+        };
+        cmd.args([
+            "-dmenu",
+            "-mesg",
+            &mesg,
+            "-sync",
+            "-only-match",
+            "-p",
+            prompt,
+        ]);
+        cmd.stdin(Stdio::piped());
+        cmd.stdout(Stdio::piped());
+        cmd.kill_on_drop(true);
+        let mut child = cmd
+            .spawn()
+            .map_err(|e| Error::InputError(format!("failed to spawn rofi: {e}")))?;
+
+        child
+            .stdin
+            .take()
+            .expect("stdin is piped")
+            .write_all(b"Yes\nNo\n")
+            .await
+            .map_err(|e| Error::InputError(format!("failed to write rofi variants: {e}")))?;
+
+        let out = child
+            .wait_with_output()
+            .await
+            .map_err(|e| Error::InputError(format!("failed to wait for rofi: {e}")))?;
+        let stdout = out
+            .stdout
+            .strip_suffix(b"\n")
+            .unwrap_or(&out.stdout)
+            .to_owned();
+
+        if &stdout == b"Yes" {
+            Ok(true)
+        } else if &stdout == b"No" {
+            Ok(false)
+        } else {
+            Err(Error::InputError("bad rofi response".to_owned()))
+        }
+    }
+
+    async fn prompt_text(
+        &self,
+        echo: bool,
+        prompt: &str,
+        description: &str,
+        source: &[Source],
+    ) -> Result<String> {
+        trace!("rofi text");
+        let mut cmd = Command::new("rofi");
+        let mesg = if source.is_empty() {
+            description.to_owned()
+        } else {
+            let mut out = format!("{description}\n\n<b>Requested on ",);
+            for s in source.iter() {
+                out.push_str(&s.to_string());
+            }
+            out.push_str("</b>");
+            out
+        };
+        cmd.args(["-dmenu", "-mesg", &mesg, "-p", prompt]);
+        if !echo {
+            cmd.arg("-password");
+        }
+        cmd.stdin(Stdio::null());
+        cmd.stdout(Stdio::piped());
+        cmd.kill_on_drop(true);
+        let child = cmd
+            .spawn()
+            .map_err(|e| Error::InputError(format!("failed to spawn rofi: {e}")))?;
+
+        let out = child
+            .wait_with_output()
+            .await
+            .map_err(|e| Error::InputError(format!("failed to wait for rofi: {e}")))?;
+        let stdout = out
+            .stdout
+            .strip_suffix(b"\n")
+            .unwrap_or(&out.stdout)
+            .to_owned();
+
+        Ok(String::from_utf8_lossy(&stdout).to_string())
+    }
+
+    async fn display_text(&self, error: bool, description: &str, source: &[Source]) -> Result<()> {
+        trace!("rofi display");
+        let mut cmd = Command::new("rofi");
+        let mut mesg = if source.is_empty() {
+            description.to_owned()
+        } else {
+            let mut out = format!("{description}\n\n<b>Coming from ",);
+            for s in source.iter() {
+                out.push_str(&s.to_string());
+            }
+            out.push_str("</b>");
+            out
+        };
+        if error {
+            mesg.insert_str(0, "<span color=\"red\">");
+            mesg.push_str("</span>");
+        }
+        cmd.args(["-e", &mesg, "-markup"]);
+        cmd.stdin(Stdio::null());
+        cmd.stdout(Stdio::null());
+        cmd.kill_on_drop(true);
+        let mut child = cmd
+            .spawn()
+            .map_err(|e| Error::InputError(format!("failed to spawn rofi: {e}")))?;
+
+        child
+            .wait()
+            .await
+            .map_err(|e| Error::InputError(format!("failed to wait for rofi: {e}")))?;
+
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::borrow::Cow;
+
+    use crate::rofi::RofiPrompter;
+    use crate::{PrependSourcePrompter, Prompter as _, Source};
+
+    #[tokio::test]
+    async fn test() {
+        let prompter = PrependSourcePrompter {
+            prompter: RofiPrompter,
+            source: vec![Source(Cow::Borrowed("ssh"))],
+        };
+        prompter
+            .prompt_radio("Enable", "Polkit needs access", &[])
+            .await
+            .expect("rofi");
+        prompter
+            .prompt_text(false, "Password", "Polkit needs access", &[])
+            .await
+            .expect("rofi");
+        prompter
+            .display_text(true, "Polkit needs access", &[])
+            .await
+            .expect("rofi");
+    }
+}

--- /dev/null
+++ b/nix/nixos-modules.nix
@@ -0,0 +1,13 @@
+{config, ...}: {
+  flake.nixosModules = rec {
+    default = polkit-backend;
+    polkit-backend = {pkgs, ...}: {
+      services.dbus.packages = [
+        config.flake.packages.${pkgs.stdenv.system}.polkit-backend
+      ];
+      systemd.packages = [
+        config.flake.packages.${pkgs.stdenv.system}.polkit-backend
+      ];
+    };
+  };
+}

--- /dev/null
+++ b/nix/polkit-backend.nix
@@ -0,0 +1,40 @@
+{
+  lib,
+  craneLib,
+  rustPlatform,
+  pam,
+  coreutils,
+}: let
+  crateName = "polkit-backend";
+in
+  craneLib.buildPackage {
+    src = lib.cleanSourceWith {
+      src = ../.;
+      filter = path: type:
+        (lib.hasSuffix "\.conf" path)
+        || (lib.hasSuffix "\.service" path)
+        || (craneLib.filterCargoSources path type);
+    };
+
+    pname = crateName;
+    installPhase = ''
+      mkdir -p $out/libexec
+      cp -ar $src/cmds/${crateName}/share $out/
+      cp -ar $src/cmds/${crateName}/etc $out/
+      # Reference stripper hook wants write access to that.
+      chmod a+w -R $out/share
+      cp target/release/${crateName} $out/libexec/
+
+      substituteInPlace $out/share/dbus-1/system-services/lach.polkit.helper1.conf \
+        --replace-fail /bin/false ${coreutils}/bin/false
+      substituteInPlace $out/etc/systemd/system/remowt-polkit-helper.service \
+        --replace-fail @libexecdir@ ${placeholder "out"}/libexec
+    '';
+
+    cargoExtraArgs = "--locked -p ${crateName}";
+
+    buildInputs = [
+      rustPlatform.bindgenHook
+      pam
+    ];
+  }

--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,3 @@
+[toolchain]
+channel = "nightly-2024-07-20"
+components = ["rustfmt", "clippy", "rust-analyzer", "rust-src"]