From: Luca Boccassi Date: Tue, 17 Feb 2026 14:37:43 +0000 (+0000) Subject: dbus/varlink: do not skip privilege check when polkit support is disabled X-Git-Tag: v257.11~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b8ac455f2f1cf56c3b3df254e3aea49efd3c24b;p=thirdparty%2Fsystemd.git dbus/varlink: do not skip privilege check when polkit support is disabled There's not going to be any query if polkit support is disabled at build time, so always check the peer's privileges in that case Follow-up for f5a12ceaedf4d490a9dc82e9460dd6fd97acc942 (cherry picked from commit 74961630807b8b1188016a2313b42cf8546fd70e) (cherry picked from commit e74008848f0a549e859416791ad762609d3c73c8) (cherry picked from commit d2cccc46d3a208be1e9b5ea22ee84f6903d21dd6) --- diff --git a/src/shared/bus-polkit.c b/src/shared/bus-polkit.c index b6eca624eea..4cdb607d12d 100644 --- a/src/shared/bus-polkit.c +++ b/src/shared/bus-polkit.c @@ -557,18 +557,18 @@ int bus_verify_polkit_async_full( return r; } } -#endif if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) { +#endif /* Don't query PK if client is privileged */ r = sd_bus_query_sender_privilege(call, /* capability= */ -1); if (r < 0) return r; if (r > 0) return 1; +#if ENABLE_POLKIT } -#if ENABLE_POLKIT int c = sd_bus_message_get_allow_interactive_authorization(call); if (c < 0) return c; @@ -767,13 +767,15 @@ int varlink_verify_polkit_async_full( if (r != 0) return r; +#if ENABLE_POLKIT if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) { +#endif r = varlink_check_peer_privilege(link); if (r != 0) return r; +#if ENABLE_POLKIT } -#if ENABLE_POLKIT _cleanup_(async_polkit_query_unrefp) AsyncPolkitQuery *q = NULL; q = async_polkit_query_ref(hashmap_get(*registry, link));