FS#48458 - [polkit] The default rule is too weak for multi-user systems
Attached to Project:
Arch Linux
Opened by Christian Rebischke (Shibumi) - Friday, 04 March 2016, 19:57 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 06 March 2016, 16:04 GMT
Details
Hello,
following issue: I have a fresh installed Arch Linux with sudo. I have configured sudo that sudo will ask for the root password. Today I have tested $ machinectl shell root@.host and I got root access via my normal password instead of my root password. This behaviour exists because of a too weak polkit-rule: /etc/polkit-1/rules.d/50-default.rules I strongly recommend to change this rule to the following: ----------------[ snippet ]------------------ /* Always authenticate Admins by prompting for the root * password, similar to the rootpw option in sudo */ polkit.addAdminRule(function(action, subject) { return ["unix-user:root"]; }); ----------------[ snippet ]------------------ The current default rule is just checking for the group wheel. This is maybe enough for a user on a single-user-system but on a server with different users this is maybe a problem. Imagine the case that the user is in group wheel but he is only allowed to do some special tasks. With this default rule he could get root access over the whole system although the administrator maybe just wanted to give permissions on stuff like reboot. best regards chris |
Closed by Doug Newgard (Scimmia)
Sunday, 06 March 2016, 16:04 GMT
Reason for closing: Not a bug
Additional comments about closing: User error, this is what the wheel group is for.
https://github.com/systemd/systemd/issues/2799
And yes, this is exactly what wheel is for. If you don't want your users to control the machine, don't put them into the wheel group.
Furthermore, I think there was a misunderstanding in the systemd bug ticket. Polkit should request a password, but users in the wheel group are asked for their own password as they have the admin role. If this is the case, there is no bug.