| From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001 |
| From: Joshua Watt <JPEWhacker@gmail.com> |
| Date: Fri, 30 Oct 2020 08:15:43 -0500 |
| Subject: [PATCH] logind: Restore chvt as non-root user without polkit |
| |
| 4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke |
| the ability to write user sessions that run graphical sessions (e.g. |
| weston/X11). This was partially amended in 19bb87fbfa ("login: allow |
| non-console sessions to change vt") by changing the default PolicyKit |
| policy so that non-root users are again allowed to switch the VT. This |
| makes the policy when PolKit is not enabled (as on many embedded |
| systems) match the default PolKit policy and allows launching graphical |
| sessions as a non-root user. |
| |
| Closes #17473 |
| --- |
| src/login/logind-dbus.c | 11 ++------- |
| src/login/logind-polkit.c | 26 +++++++++++++++++++++ |
| src/login/logind-polkit.h | 10 ++++++++ |
| src/login/logind-seat-dbus.c | 41 ++++----------------------------- |
| src/login/logind-session-dbus.c | 11 ++------- |
| src/login/meson.build | 1 + |
| 6 files changed, 46 insertions(+), 54 deletions(-) |
| create mode 100644 src/login/logind-polkit.c |
| create mode 100644 src/login/logind-polkit.h |
| |
| diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c |
| index 0f83ed99bc..a3765d88ba 100644 |
| --- a/src/login/logind-dbus.c |
| +++ b/src/login/logind-dbus.c |
| @@ -30,6 +30,7 @@ |
| #include "format-util.h" |
| #include "fs-util.h" |
| #include "logind-dbus.h" |
| +#include "logind-polkit.h" |
| #include "logind-seat-dbus.h" |
| #include "logind-session-dbus.h" |
| #include "logind-user-dbus.h" |
| @@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda |
| return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, |
| "Session %s not on seat %s", session_name, seat_name); |
| |
| - r = bus_verify_polkit_async( |
| - message, |
| - CAP_SYS_ADMIN, |
| - "org.freedesktop.login1.chvt", |
| - NULL, |
| - false, |
| - UID_INVALID, |
| - &m->polkit_registry, |
| - error); |
| + r = check_polkit_chvt(message, m, error); |
| if (r < 0) |
| return r; |
| if (r == 0) |
| diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c |
| new file mode 100644 |
| index 0000000000..9072570cc6 |
| --- /dev/null |
| +++ b/src/login/logind-polkit.c |
| @@ -0,0 +1,26 @@ |
| +/* SPDX-License-Identifier: LGPL-2.1+ */ |
| + |
| +#include "bus-polkit.h" |
| +#include "logind-polkit.h" |
| +#include "missing_capability.h" |
| +#include "user-util.h" |
| + |
| +int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) { |
| +#if ENABLE_POLKIT |
| + return bus_verify_polkit_async( |
| + message, |
| + CAP_SYS_ADMIN, |
| + "org.freedesktop.login1.chvt", |
| + NULL, |
| + false, |
| + UID_INVALID, |
| + &manager->polkit_registry, |
| + error); |
| +#else |
| + /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a |
| + * non-root user when polkit is not compiled in, matching the default polkit policy */ |
| + return 1; |
| +#endif |
| +} |
| + |
| + |
| diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h |
| new file mode 100644 |
| index 0000000000..476c077a8a |
| --- /dev/null |
| +++ b/src/login/logind-polkit.h |
| @@ -0,0 +1,10 @@ |
| +/* SPDX-License-Identifier: LGPL-2.1+ */ |
| +#pragma once |
| + |
| +#include "sd-bus.h" |
| + |
| +#include "bus-object.h" |
| +#include "logind.h" |
| + |
| +int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error); |
| + |
| diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c |
| index a945132284..f22e9e2734 100644 |
| --- a/src/login/logind-seat-dbus.c |
| +++ b/src/login/logind-seat-dbus.c |
| @@ -9,6 +9,7 @@ |
| #include "bus-polkit.h" |
| #include "bus-util.h" |
| #include "logind-dbus.h" |
| +#include "logind-polkit.h" |
| #include "logind-seat-dbus.h" |
| #include "logind-seat.h" |
| #include "logind-session-dbus.h" |
| @@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b |
| if (session->seat != s) |
| return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id); |
| |
| - r = bus_verify_polkit_async( |
| - message, |
| - CAP_SYS_ADMIN, |
| - "org.freedesktop.login1.chvt", |
| - NULL, |
| - false, |
| - UID_INVALID, |
| - &s->manager->polkit_registry, |
| - error); |
| + r = check_polkit_chvt(message, s->manager, error); |
| if (r < 0) |
| return r; |
| if (r == 0) |
| @@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro |
| if (to <= 0) |
| return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal"); |
| |
| - r = bus_verify_polkit_async( |
| - message, |
| - CAP_SYS_ADMIN, |
| - "org.freedesktop.login1.chvt", |
| - NULL, |
| - false, |
| - UID_INVALID, |
| - &s->manager->polkit_registry, |
| - error); |
| + r = check_polkit_chvt(message, s->manager, error); |
| if (r < 0) |
| return r; |
| if (r == 0) |
| @@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus |
| assert(message); |
| assert(s); |
| |
| - r = bus_verify_polkit_async( |
| - message, |
| - CAP_SYS_ADMIN, |
| - "org.freedesktop.login1.chvt", |
| - NULL, |
| - false, |
| - UID_INVALID, |
| - &s->manager->polkit_registry, |
| - error); |
| + r = check_polkit_chvt(message, s->manager, error); |
| if (r < 0) |
| return r; |
| if (r == 0) |
| @@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd |
| assert(message); |
| assert(s); |
| |
| - r = bus_verify_polkit_async( |
| - message, |
| - CAP_SYS_ADMIN, |
| - "org.freedesktop.login1.chvt", |
| - NULL, |
| - false, |
| - UID_INVALID, |
| - &s->manager->polkit_registry, |
| - error); |
| + r = check_polkit_chvt(message, s->manager, error); |
| if (r < 0) |
| return r; |
| if (r == 0) |
| diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c |
| index ccc5ac8df2..57c8a4e900 100644 |
| --- a/src/login/logind-session-dbus.c |
| +++ b/src/login/logind-session-dbus.c |
| @@ -11,6 +11,7 @@ |
| #include "fd-util.h" |
| #include "logind-brightness.h" |
| #include "logind-dbus.h" |
| +#include "logind-polkit.h" |
| #include "logind-seat-dbus.h" |
| #include "logind-session-dbus.h" |
| #include "logind-session-device.h" |
| @@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_ |
| assert(message); |
| assert(s); |
| |
| - r = bus_verify_polkit_async( |
| - message, |
| - CAP_SYS_ADMIN, |
| - "org.freedesktop.login1.chvt", |
| - NULL, |
| - false, |
| - UID_INVALID, |
| - &s->manager->polkit_registry, |
| - error); |
| + r = check_polkit_chvt(message, s->manager, error); |
| if (r < 0) |
| return r; |
| if (r == 0) |
| diff --git a/src/login/meson.build b/src/login/meson.build |
| index 0a7d3d5440..7e46be2add 100644 |
| --- a/src/login/meson.build |
| +++ b/src/login/meson.build |
| @@ -26,6 +26,7 @@ liblogind_core_sources = files(''' |
| logind-device.h |
| logind-inhibit.c |
| logind-inhibit.h |
| + logind-polkit.c |
| logind-seat-dbus.c |
| logind-seat-dbus.h |
| logind-seat.c |
| -- |
| 2.28.0 |
| |