diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-08-24 21:27:37 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-08-24 22:46:45 +0200 |
commit | 4289c3a725062e2750da0baaf67fc53ba90e4739 (patch) | |
tree | 8117b60373f01ac8883eb6b74c0f94ec3f9db177 | |
parent | b04c25f9ef6359ed0ae403bdbfe4df840aba0f58 (diff) |
machined: beef up PolicyKit actions
Introduce separate actions for creating login or shell sessions for
the local host or a local container. By default allow local unprivileged
clients to create new login sessions (which is safe, since getty will
ask for username and authentication).
Also, imply login privs from shell privs, as well as shell and login
privs from manage privs.
-rw-r--r-- | src/machine/machine-dbus.c | 6 | ||||
-rw-r--r-- | src/machine/org.freedesktop.machine1.policy.in | 39 |
2 files changed, 39 insertions, 6 deletions
diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index b89bb2cba1..af2b8eff06 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -486,7 +486,7 @@ int bus_machine_method_open_pty(sd_bus_message *message, void *userdata, sd_bus_ r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, - "org.freedesktop.machine1.open-pty", + m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-open-pty" : "org.freedesktop.machine1.open-pty", false, UID_INVALID, &m->manager->polkit_registry, @@ -575,7 +575,7 @@ int bus_machine_method_open_login(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, - "org.freedesktop.machine1.login", + m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-login" : "org.freedesktop.machine1.login", false, UID_INVALID, &m->manager->polkit_registry, @@ -676,7 +676,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, - "org.freedesktop.machine1.shell", + m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell", false, UID_INVALID, &m->manager->polkit_registry, diff --git a/src/machine/org.freedesktop.machine1.policy.in b/src/machine/org.freedesktop.machine1.policy.in index f1557806d1..6e35c5c045 100644 --- a/src/machine/org.freedesktop.machine1.policy.in +++ b/src/machine/org.freedesktop.machine1.policy.in @@ -26,6 +26,38 @@ </defaults> </action> + <action id="org.freedesktop.machine1.host-login"> + <_description>Log into the local host</_description> + <_message>Authentication is required to log into the local host.</_message> + <defaults> + <allow_any>auth_admin</allow_any> + <allow_inactive>auth_admin</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + </action> + + <action id="org.freedesktop.machine1.shell"> + <_description>Acquire a shell in a local container</_description> + <_message>Authentication is required to acquire a shell in a local container.</_message> + <defaults> + <allow_any>auth_admin</allow_any> + <allow_inactive>auth_admin</allow_inactive> + <allow_active>auth_admin_keep</allow_active> + </defaults> + <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.login</annotate> + </action> + + <action id="org.freedesktop.machine1.host-shell"> + <_description>Acquire a shell on the local host</_description> + <_message>Authentication is required to acquire a shell on the local host.</_message> + <defaults> + <allow_any>auth_admin</allow_any> + <allow_inactive>auth_admin</allow_inactive> + <allow_active>auth_admin_keep</allow_active> + </defaults> + <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.host-login</annotate> + </action> + <action id="org.freedesktop.machine1.open-pty"> <_description>Acquire a pseudo TTY in a local container</_description> <_message>Authentication is acquire a pseudo TTY in a local container.</_message> @@ -36,9 +68,9 @@ </defaults> </action> - <action id="org.freedesktop.machine1.shell"> - <_description>Acquire a shell in a local container</_description> - <_message>Authentication is required to acquire a shell in a local container.</_message> + <action id="org.freedesktop.machine1.host-open-pty"> + <_description>Acquire a pseudo TTY on the local host</_description> + <_message>Authentication is acquire a pseudo TTY on the local host.</_message> <defaults> <allow_any>auth_admin</allow_any> <allow_inactive>auth_admin</allow_inactive> @@ -54,6 +86,7 @@ <allow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </defaults> + <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login</annotate> </action> <action id="org.freedesktop.machine1.manage-images"> |