diff --git a/policy/org.freedesktop.fwupd.policy.in b/policy/org.freedesktop.fwupd.policy.in
index 1cfc9cb6f..0fb1fa754 100644
--- a/policy/org.freedesktop.fwupd.policy.in
+++ b/policy/org.freedesktop.fwupd.policy.in
@@ -13,7 +13,7 @@
https://github.com/hughsie/fwupd
application-vnd.iccprofile
-
+
+ <_description>Install device firmware update
+ <_message>Authentication is required to update the firmware on a device
+ application-vnd.iccprofile
+
+ auth_admin
+ no
+ yes
+
+
+
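Review bot: The added action's three default values end in `yes`; if that last value is the active-session default (the element names and the action id are stripped in this rendering, so this is inferred), any active local user can install firmware on that device class without a prompt. The description and message lines are generic, so an administrator reading the policy cannot tell which device class the action covers. Naming the class in the text, for example `Install firmware update on a removable device`, would make the relaxed default visible. Please also confirm that only the hotplug action carries `yes` and that the internal action still requires admin authentication.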
diff --git a/src/fu-common.h b/src/fu-common.h
index 201babfc3..4ea05b659 100644
--- a/src/fu-common.h
+++ b/src/fu-common.h
@@ -40,6 +40,7 @@
#define FU_DEVICE_KEY_VERSION_LOWEST "VersionLowest"
#define FU_DEVICE_KEY_VENDOR "Vendor"
#define FU_DEVICE_KEY_SUMMARY "Summary"
+#define FU_DEVICE_KEY_KIND "Kind" /* 'internal' or 'hotplug' */
/* if adding values here, remember to register them in fu_error_quark() */
typedef enum {
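Review bot: The comment on `FU_DEVICE_KEY_KIND` lists the two values but does not say that the key is now security-relevant: elsewhere in this commit fu-main.c uses it to choose the polkit action. I would extend it to something like `/* 'internal' or 'hotplug'; selects the polkit action, so set it only from provider code, never from device-reported data */`. The values are also repeated as bare string literals in fu-main.c and in both providers; named constants next to this define would stop a typo from silently changing which action a device is checked against.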
diff --git a/src/fu-main.c b/src/fu-main.c
index dfdcd2a88..fc994ae55 100644
--- a/src/fu-main.c
+++ b/src/fu-main.c
@@ -397,7 +397,9 @@ fu_main_daemon_method_call (GDBusConnection *connection, const gchar *sender,
GDBusMessage *message;
GUnixFDList *fd_list;
GVariant *prop_value;
+ const gchar *action_id;
const gchar *id = NULL;
+ const gchar *kind;
gchar *prop_key;
gint32 fd_handle = 0;
gint fd;
@@ -481,10 +483,18 @@ fu_main_daemon_method_call (GDBusConnection *connection, const gchar *sender,
return;
}
+ /* relax authentication checks for removable devices */
+ kind = fu_device_get_metadata (helper->device, FU_DEVICE_KEY_KIND);
+ if (g_strcmp0 (kind, "hotplug") == 0) {
+ action_id = "org.freedesktop.fwupd.update-hotplug";
+ } else {
+ action_id = "org.freedesktop.fwupd.update-internal";
+ }
+
/* authenticate */
subject = polkit_system_bus_name_new (sender);
polkit_authority_check_authorization (helper->priv->authority, subject,
- "org.freedesktop.fwupd.update",
+ action_id,
NULL,
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION,
NULL,
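Review bot: The `else` branch is what keeps this selection fail-closed: a device with no `Kind` metadata, or any value other than `hotplug`, is checked against `update-internal`, presumably the stricter action, but nothing in the code says that is deliberate. A comment above the `if`, such as `/* anything not explicitly marked hotplug, including missing metadata, gets the stricter action */`, would keep a later edit from inverting the default. Separately, the old id `org.freedesktop.fwupd.update` is no longer checked here, so any site-local polkit rule written against it would presumably stop matching; that deserves a line in the release notes. The body of `fu_main_daemon_method_call` starts and ends outside this hunk.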
diff --git a/src/fu-provider-chug.c b/src/fu-provider-chug.c
index 4249c53f8..7ce7b32f8 100644
--- a/src/fu-provider-chug.c
+++ b/src/fu-provider-chug.c
@@ -399,6 +399,8 @@ fu_provider_chug_device_added_cb (GUsbContext *ctx,
"ColorHug");
fu_device_set_metadata (item->device, FU_DEVICE_KEY_GUID,
ch_device_get_guid (device));
+ fu_device_set_metadata (item->device, FU_DEVICE_KEY_KIND,
+ "hotplug");
/* try to get the serial number -- if opening failed then
* poll until the device is not busy */
diff --git a/src/fu-provider-uefi.c b/src/fu-provider-uefi.c
index 8446ecf11..2d24e7d22 100644
--- a/src/fu-provider-uefi.c
+++ b/src/fu-provider-uefi.c
@@ -128,6 +128,7 @@ fu_provider_uefi_coldplug (FuProvider *provider, GError **error)
fu_device_set_metadata (dev, FU_DEVICE_KEY_PROVIDER, "UEFI");
fu_device_set_metadata (dev, FU_DEVICE_KEY_GUID, guid);
fu_device_set_metadata (dev, FU_DEVICE_KEY_VERSION, version);
+ fu_device_set_metadata (dev, FU_DEVICE_KEY_KIND, "internal");
if (re.lowest_supported_fw_version != 0) {
version_lowest = g_strdup_printf ("%" G_GUINT32_FORMAT,
re.lowest_supported_fw_version);
diff --git a/src/fu-util.c b/src/fu-util.c
index c22fb3a23..86e57bdb8 100644
--- a/src/fu-util.c
+++ b/src/fu-util.c
@@ -248,6 +248,7 @@ fu_util_get_devices (FuUtilPrivate *priv, gchar **values, GError **error)
const gchar *value;
const gchar *keys[] = {
FU_DEVICE_KEY_DISPLAY_NAME,
+ FU_DEVICE_KEY_KIND,
FU_DEVICE_KEY_PROVIDER,
FU_DEVICE_KEY_GUID,
FU_DEVICE_KEY_VERSION,