Bug 78279 - Make accountsservice polkit policy work for non-local admin users
Summary: Make accountsservice polkit policy work for non-local admin users
Alias: None
Product: accountsservice
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Matthias Clasen
QA Contact:
Depends on:
Reported: 2014-05-05 06:52 UTC by Stef Walter
Modified: 2014-05-07 09:15 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:

data: Fix desktop-centric polkit policy (2.08 KB, patch)
2014-05-05 06:52 UTC, Stef Walter
Details | Splinter Review

Description Stef Walter 2014-05-05 06:52:41 UTC
Cockpit currently uses accountsservice to modify user accounts. This doesn't work for when logged in as an admin-non-root user, even though accountsservice uses  polkit for privilege escalation.

The polkit policy is desktop centric and requires that the caller is logged in via an active monitor+keyboard seat.
Comment 1 Stef Walter 2014-05-05 06:52:53 UTC
Created attachment 98449 [details] [review]
data: Fix desktop-centric polkit policy

Change the polkit policy so accountsservice allows use of the
DBus API by admin users that are not logged in via a monitor+keyboard.
This includes users logged in via ssh or Cockpit.
Comment 2 Matthias Clasen 2014-05-05 17:43:23 UTC
Looks scary at first. But makes sense, I think.
Comment 3 Stef Walter 2014-05-07 09:15:24 UTC
Attachment 98449 [details] pushed as 74aa92e - data: Fix desktop-centric polkit policy

Updated the patch to use 'auth_self' for changing own info, when not logged in on an active local session.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.