Bug 78279

Summary:	Make accountsservice polkit policy work for non-local admin users
Product:	accountsservice	Reporter:	Stef Walter <stefw>
Component:	general	Assignee:	Matthias Clasen <mclasen>
Status:	RESOLVED FIXED	QA Contact:
Severity:	normal
Priority:	medium	CC:	marius.vollmer, rstrode, stefw
Version:	unspecified
Hardware:	Other
OS:	All
Whiteboard:
i915 platform:		i915 features:
Attachments:	data: Fix desktop-centric polkit policy

Description Stef Walter 2014-05-05 06:52:41 UTC

Cockpit currently uses accountsservice to modify user accounts. This doesn't work for when logged in as an admin-non-root user, even though accountsservice uses  polkit for privilege escalation.

The polkit policy is desktop centric and requires that the caller is logged in via an active monitor+keyboard seat.

Comment 1 Stef Walter 2014-05-05 06:52:53 UTC

Created attachment 98449 [details] [review]
data: Fix desktop-centric polkit policy

Change the polkit policy so accountsservice allows use of the
DBus API by admin users that are not logged in via a monitor+keyboard.
This includes users logged in via ssh or Cockpit.

Comment 2 Matthias Clasen 2014-05-05 17:43:23 UTC

Looks scary at first. But makes sense, I think.

Comment 3 Stef Walter 2014-05-07 09:15:24 UTC

Attachment 98449 [details] pushed as 74aa92e - data: Fix desktop-centric polkit policy

Updated the patch to use 'auth_self' for changing own info, when not logged in on an active local session.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.