Comment 15 for bug 690323

maybe policykit can be of use here for a non-intrusive change.
Define two actions "device-open" and "device-change". The former could be granted to local, active sessions by default. The latter should be auth_admin. By starting with no device defined the daemon would require admin auth once to set the initial device. The daemon stores the device name in a config file. As long as the user requests to open only that device the "device-open" action would be granted. If the user changes the device the "device-change" action requires admin auth again. That way overly paranoid checks at device open time are not needed.