From: Lennart Poettering Date: Mon, 24 Aug 2015 19:27:37 +0000 (+0200) Subject: machined: beef up PolicyKit actions X-Git-Tag: v225~26^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4289c3a725062e2750da0baaf67fc53ba90e4739;p=thirdparty%2Fsystemd.git machined: beef up PolicyKit actions Introduce separate actions for creating login or shell sessions for the local host or a local container. By default allow local unprivileged clients to create new login sessions (which is safe, since getty will ask for username and authentication). Also, imply login privs from shell privs, as well as shell and login privs from manage privs. --- diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index b89bb2cba17..af2b8eff063 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -486,7 +486,7 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_ r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, - "org.freedesktop.machine1.open-pty", + m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty", false, UID_INVALID, &m->manager->polkit_registry, @@ -575,7 +575,7 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, - "org.freedesktop.machine1.login", + m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login", false, UID_INVALID, &m->manager->polkit_registry, @@ -676,7 +676,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, - "org.freedesktop.machine1.shell", + m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell", false, UID_INVALID, &m->manager->polkit_registry, diff --git a/src/machine/org.freedesktop.machine1.policy.in b/src/machine/org.freedesktop.machine1.policy.in index f1557806d18..6e35c5c0454 100644 --- a/src/machine/org.freedesktop.machine1.policy.in +++ b/src/machine/org.freedesktop.machine1.policy.in @@ -26,6 +26,38 @@ + + <_description>Log into the local host + <_message>Authentication is required to log into the local host. + + auth_admin + auth_admin + yes + + + + + <_description>Acquire a shell in a local container + <_message>Authentication is required to acquire a shell in a local container. + + auth_admin + auth_admin + auth_admin_keep + + org.freedesktop.login1.login + + + + <_description>Acquire a shell on the local host + <_message>Authentication is required to acquire a shell on the local host. + + auth_admin + auth_admin + auth_admin_keep + + org.freedesktop.login1.host-login + + <_description>Acquire a pseudo TTY in a local container <_message>Authentication is acquire a pseudo TTY in a local container. @@ -36,9 +68,9 @@ - - <_description>Acquire a shell in a local container - <_message>Authentication is required to acquire a shell in a local container. + + <_description>Acquire a pseudo TTY on the local host + <_message>Authentication is acquire a pseudo TTY on the local host. auth_admin auth_admin @@ -54,6 +86,7 @@ auth_admin auth_admin_keep + org.freedesktop.login1.shell org.freedesktop.login1.login