78279 – Make accountsservice polkit policy work for non-local admin users

Bug 78279 - Make accountsservice polkit policy work for non-local admin users

Summary: Make accountsservice polkit policy work for non-local admin users

Status:	RESOLVED FIXED

Alias:	None

Product:	accountsservice
Classification:	Unclassified
Component:	general (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium normal
Assignee:	Matthias Clasen
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-05-05 06:52 UTC by Stef Walter
Modified:	2014-05-07 09:15 UTC (History)
CC List:	3 users (show)

See Also:
i915 platform:
i915 features:

Attachments
data: Fix desktop-centric polkit policy (2.08 KB, patch) 2014-05-05 06:52 UTC, Stef Walter	Details \| Splinter Review
View All

Description Stef Walter 2014-05-05 06:52:41 UTC

Cockpit currently uses accountsservice to modify user accounts. This doesn't work for when logged in as an admin-non-root user, even though accountsservice uses  polkit for privilege escalation.

The polkit policy is desktop centric and requires that the caller is logged in via an active monitor+keyboard seat.

Comment 1 Stef Walter 2014-05-05 06:52:53 UTC

Created attachment 98449 [details] [review]
data: Fix desktop-centric polkit policy

Change the polkit policy so accountsservice allows use of the
DBus API by admin users that are not logged in via a monitor+keyboard.
This includes users logged in via ssh or Cockpit.

Comment 2 Matthias Clasen 2014-05-05 17:43:23 UTC

Looks scary at first. But makes sense, I think.

Comment 3 Stef Walter 2014-05-07 09:15:24 UTC

Attachment 98449 [details] pushed as 74aa92e - data: Fix desktop-centric polkit policy

Updated the patch to use 'auth_self' for changing own info, when not logged in on an active local session.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.