run0: Never ask --empower sessions for polkit auth

A --empower session is effectively root without being UID 0, so it
doesn't make sense to enforce polkit authentication in those. Let's
add the empower group, add --empower sessions to that group and ship
a polkit rule to skip authentication for all users in the empower
group.

(As a side-effect this will also allow users to add themselves to this
group outside of 'run0 --empower' to mimick NOPASSWD from sudo)

diff --git a/man/run0.xml b/man/run0.xml
index ee2074b4ab4585c0f66dc154e326285a67a90255..d44743620e2c72331fec36df1c5b47ce6f2bef7e 100644 (file)
--- a/man/run0.xml
+++ b/man/run0.xml
@@ -295,8 +295,9 @@
 
         <listitem><para>If specified, run0 will elevate the privileges of the selected user (using
         <option>--user=</option>) or the current user if no user is explicitly selected. Currently this means
-        we give the user all available capabilities, but other privileges may be granted in the future as
-        well when using this option.</para>
+        we give the invoked process all available capabilities and add the the <literal>empower</literal>
+        group as a supplemental group (for which all polkit actions are allowed by default), but other
+        privileges may be granted in the future as well when using this option.</para>
 
         <xi:include href="version-info.xml" xpointer="v259"/></listitem>
       </varlistentry>

diff --git a/meson.build b/meson.build
index c289d7f53a6a4c23390bc56a86fdfcf2bea21a00..f0b921879b2cd87f6656c7ceb015b8290a16942d 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -886,6 +886,7 @@ foreach option : ['adm-gid',
                   'clock-gid',
                   'dialout-gid',
                   'disk-gid',
+                  'empower-gid',
                   'input-gid',
                   'kmem-gid',
                   'kvm-gid',

diff --git a/meson_options.txt b/meson_options.txt
index d44030ef8bedfd3fff2b284685feb175d838cb96..3cc314eacdbe69e4dc8ae36f601e71416cdd1bdf 100644 (file)
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -295,6 +295,8 @@ option('dialout-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the "dialout" group')
 option('disk-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the "disk" group')
+option('empower-gid', type : 'integer', value : 0,
+       description : 'soft-static allocation for the "empower" group')
 option('input-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the "input" group')
 option('kmem-gid', type : 'integer', value : 0,

diff --git a/src/run/empower.rules b/src/run/empower.rules
new file mode 100644 (file)
index 0000000..5966625
--- /dev/null
+++ b/src/run/empower.rules
@@ -0,0 +1,8 @@
+// Allow all actions for users who are in the "empower" group. Users are added to the
+// "empower" group by running run0 --empower.
+
+polkit.addRule(function(action, subject) {
+    if (subject.isInGroup("empower")) {
+        return polkit.Result.YES;
+    }
+});

diff --git a/src/run/meson.build b/src/run/meson.build
index af9d7a04e19ca92d3a33b7a972993be3bee255f2..832edcdbc41e1e36d4a76ffaf0da168d5a249f4b 100644 (file)
--- a/src/run/meson.build
+++ b/src/run/meson.build
@@ -18,3 +18,8 @@ custom_target(
         command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
         install : pamconfdir != 'no',
         install_dir : pamconfdir)
+
+if install_polkit
+        install_data('empower.rules',
+                     install_dir : polkitrulesdir)
+endif

diff --git a/src/run/run.c b/src/run/run.c
index 96fa46bd3a5ba2d906cdb24a4937e40f1c990d02..9c79f99d1171c4b353bb33f4e2b32d1f388eca9b 100644 (file)
--- a/src/run/run.c
+++ b/src/run/run.c
@@ -1420,6 +1420,15 @@ static int transient_service_set_properties(sd_bus_message *m, const char *pty_p
                 r = sd_bus_message_append(m, "(sv)", "AmbientCapabilities", "t", CAP_MASK_ALL);
                 if (r < 0)
                         return bus_log_create_error(r);
+
+                r = getgrnam_malloc("empower", /* ret= */ NULL);
+                if (r < 0 && r != -ESRCH)
+                        return log_error_errno(r, "Failed to look up group 'empower' via NSS: %m");
+                if (r >= 0) {
+                        r = sd_bus_message_append(m, "(sv)", "SupplementaryGroups", "as", 1, "empower");
+                        if (r < 0)
+                                return bus_log_create_error(r);
+                }
         }
 
         if (arg_nice_set) {

diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 503a4c4dac0fcfd647aa6f15b72d28be3bbfb0af..cf200fb14faa09b9879383ecbab8b8ff25e23d41 100644 (file)
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -16,8 +16,9 @@ u! {{NOBODY_USER_NAME}} 65534:65534 "Kernel Overflow User"     -
 # Administrator group: can *see* more than normal users
 g adm     {{ADM_GID    }}     -            -
 
-# Administrator group: can *do* more than normal users
+# Administrator groups: can *do* more than normal users
 g wheel   {{WHEEL_GID  }}     -            -
+g empower {{EMPOWER_GID}}     -            -
 
 # Access to shared database of users on the system
 g utmp    {{UTMP_GID   }}     -            -