From 4a69b9b0713e14faf22de33091ad953a1ef7765e Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Thu, 16 May 2024 00:15:22 +0100 Subject: [PATCH] Add new flag to check root user too in ChcekAuthorization Currently if the subject has uid 0 a shortcut is taken and authorization is immediately granted, without checking against policies and rules. Add a flag that allows skipping this shortcut. uid 0 can of course alter polkit's behaviour directly, so this is not so much a security feature, but more useful as a safety feature, so that when an action is disabled it cannot be accidentally performed by root, unless they really mean it and bypass polkit. --- data/org.freedesktop.PolicyKit1.Authority.xml | 3 +++ ...interface-org.freedesktop.PolicyKit1.Authority.xml | 11 ++++++++++- src/polkit/polkitcheckauthorizationflags.h | 2 ++ src/polkitbackend/polkitbackendinteractiveauthority.c | 2 +- 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/data/org.freedesktop.PolicyKit1.Authority.xml b/data/org.freedesktop.PolicyKit1.Authority.xml index 453ffc8d..aca0de69 100644 --- a/data/org.freedesktop.PolicyKit1.Authority.xml +++ b/data/org.freedesktop.PolicyKit1.Authority.xml @@ -111,6 +111,9 @@ + + + diff --git a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml index 2dd01a0c..91fc6441 100644 --- a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml +++ b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml @@ -78,7 +78,8 @@ This D-Bus interface is implemented by the /org/freedesktop/PolicyKit1/ { None = 0x00000000, - AllowUserInteraction = 0x00000001 + AllowUserInteraction = 0x00000001, + AlwaysCheck = 0x00000002 } 
@@ -100,6 +101,14 @@ No flags set. If the Subject can obtain the authorization through authentication, and an authentication agent is available, then attempt to do so. Note, this means that the CheckAuthorization() method will block while the user is being asked to authenticate. + + + AlwaysCheck + + +Check access against policy even if the Subject is the root user. + + diff --git a/src/polkit/polkitcheckauthorizationflags.h b/src/polkit/polkitcheckauthorizationflags.h index 4baa0d19..34111f8c 100644 --- a/src/polkit/polkitcheckauthorizationflags.h +++ b/src/polkit/polkitcheckauthorizationflags.h @@ -36,6 +36,7 @@ G_BEGIN_DECLS * @POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION: If the subject can obtain the authorization * through authentication, and an authentication agent is available, then attempt to do so. Note, this * means that the method used for checking authorization is likely to block for a long time. + * @POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK: Check access against policy even for root user. * * Possible flags when checking authorizations. */ @@ -43,6 +44,7 @@ typedef enum { POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE = 0, POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION = (1<<0), + POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK = (1<<1), } PolkitCheckAuthorizationFlags; G_END_DECLS diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c index 9dab476e..579a6748 100644 --- a/src/polkitbackend/polkitbackendinteractiveauthority.c +++ b/src/polkitbackend/polkitbackendinteractiveauthority.c @@ -1130,7 +1130,7 @@ check_authorization_sync (PolkitBackendAuthority *authority, goto out; /* special case: uid 0, root, is _always_ authorized for anything */ - if (identity_is_root_user (user_of_subject)) + if (!(flags & POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK) && identity_is_root_user (user_of_subject)) { result = polkit_authorization_result_new (TRUE, FALSE, NULL); goto out;
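Review bot: The new `@POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK` doc line in polkitcheckauthorizationflags.h omits the caveat the commit message itself makes, that this is a safety measure and not a security boundary, and a caller reading only the header will assume the opposite. I would extend it to ` * @POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK: Check access against policy even for the root user instead of granting immediately. This is a safety measure, not a security boundary: uid 0 can still edit the policy or bypass polkit entirely.` The same wording belongs in the docbook entry for AlwaysCheck, which currently only says the check happens. Since flags travel as a bitmask over D-Bus, it is also worth stating how a daemon that does not know this bit treats it; I cannot tell from these hunks whether unknown flag bits are rejected or silently ignored.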
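Review bot: The comment `/* special case: uid 0, root, is _always_ authorized for anything */` directly above the changed `if` in check_authorization_sync is now stale, because root is only short-circuited when POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK is clear. I would change it to `/* special case: uid 0, root, is authorized for anything unless the caller passed ALWAYS_CHECK, in which case root is evaluated against policy and rules like any other user */`. A one-line note that this is not a security boundary (root can rewrite the policy files or talk to the backend directly) would keep the code consistent with the commit message. check_authorization_sync starts before and continues after this hunk, so I cannot see whether the flags value is validated against the known set when it arrives from D-Bus.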