Bug 78279

Summary: Make accountsservice polkit policy work for non-local admin users
Product: accountsservice Reporter: Stef Walter <stefw>
Component: generalAssignee: Matthias Clasen <mclasen>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: marius.vollmer, rstrode, stefw
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: data: Fix desktop-centric polkit policy

Description Stef Walter 2014-05-05 06:52:41 UTC
Cockpit currently uses accountsservice to modify user accounts. This doesn't work for when logged in as an admin-non-root user, even though accountsservice uses  polkit for privilege escalation.

The polkit policy is desktop centric and requires that the caller is logged in via an active monitor+keyboard seat.
Comment 1 Stef Walter 2014-05-05 06:52:53 UTC
Created attachment 98449 [details] [review]
data: Fix desktop-centric polkit policy

Change the polkit policy so accountsservice allows use of the
DBus API by admin users that are not logged in via a monitor+keyboard.
This includes users logged in via ssh or Cockpit.
Comment 2 Matthias Clasen 2014-05-05 17:43:23 UTC
Looks scary at first. But makes sense, I think.
Comment 3 Stef Walter 2014-05-07 09:15:24 UTC
Attachment 98449 [details] pushed as 74aa92e - data: Fix desktop-centric polkit policy

Updated the patch to use 'auth_self' for changing own info, when not logged in on an active local session.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.