Make the agent optional
By itself, the geoclue agent doesn't seem to add any real security in its current form.
When a client connects to geoclue and requests a location, geoclue expects an agent to connect and authorise this request. The mechanism via which the client and the agent connect is exactly the same. In fact, the client requesting a location can open a second connection to geoclue, present itself as an agent, and authorise its own request (this is exactly what I did with my initial client implementation in Go).
It is definitely possible to tailor an environment where the agent can help secure geoclue. For example, instead of allowing a client to connect to the system bus directly, one might put the client behind xdg-dbus-proxy. In that case, an agent can be used to enhance security, but this setup requires special configuration by the system administrator and is far from the default setup.
In practice, many users just turn to /usr/libexec/geoclue-2.0/demos/agent, which allows any location request on their behalf. This is the recommendation given by the Arch wiki and by several downstream tools that rely on geoclue (e.g. redshift, gammastep, darkman). Basically, this is a workaround for not being able to disable the agent requirement entirely.
This issue is a proposal to add a --no-agent flag to the geoclue server itself: a mode in which it requires no agent and authorises all requests implicitly. This is very similar to just using /usr/libexec/geoclue-2.0/demos/agent, but it is somewhat less involved, less confusing for end users who keep asking "why do I need this agent and what does it do?", and requires one less service, which honestly doesn't add anything to the equation.