From 5a0a3cfee90205ac56569b87d0c2c7d8869ab3e7 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Tue, 25 Jun 2024 17:21:20 +0200 Subject: [PATCH] Add new flag to check root user too in ChcekAuthorization (#452) Currently if the subject has uid 0 a shortcut is taken and authorization is immediately granted, without checking against policies and rules. Add a flag that allows skipping this shortcut. uid 0 can of course alter polkit's behaviour directly, so this is not so much a security feature, but more useful as a safety feature, so that when an action is disabled it cannot be accidentally performed by root, unless they really mean it and bypass polkit. --- data/org.freedesktop.PolicyKit1.Authority.xml | 3 +++ ...interface-org.freedesktop.PolicyKit1.Authority.xml | 11 ++++++++++- src/polkit/polkitcheckauthorizationflags.h | 2 ++ src/polkitbackend/polkitbackendinteractiveauthority.c | 2 +- 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/data/org.freedesktop.PolicyKit1.Authority.xml b/data/org.freedesktop.PolicyKit1.Authority.xml index 214b8c28..0b3c5ba2 100644 --- a/data/org.freedesktop.PolicyKit1.Authority.xml +++ b/data/org.freedesktop.PolicyKit1.Authority.xml @@ -111,6 +111,9 @@ + + + diff --git a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml index 2dd01a0c..91fc6441 100644 --- a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml +++ b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml @@ -78,7 +78,8 @@ This D-Bus interface is implemented by the /org/freedesktop/PolicyKit1/ { None = 0x00000000, - AllowUserInteraction = 0x00000001 + AllowUserInteraction = 0x00000001, + AlwaysCheck = 0x00000002 } 
@@ -100,6 +101,14 @@ No flags set. If the Subject can obtain the authorization through authentication, and an authentication agent is available, then attempt to do so. Note, this means that the CheckAuthorization() method will block while the user is being asked to authenticate. + + + AlwaysCheck + + +Check access against policy even if the Subject is the root user. + + diff --git a/src/polkit/polkitcheckauthorizationflags.h b/src/polkit/polkitcheckauthorizationflags.h index 4baa0d19..34111f8c 100644 --- a/src/polkit/polkitcheckauthorizationflags.h +++ b/src/polkit/polkitcheckauthorizationflags.h @@ -36,6 +36,7 @@ G_BEGIN_DECLS * @POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION: If the subject can obtain the authorization * through authentication, and an authentication agent is available, then attempt to do so. Note, this * means that the method used for checking authorization is likely to block for a long time. + * @POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK: Check access against policy even for root user. * * Possible flags when checking authorizations. */ @@ -43,6 +44,7 @@ typedef enum { POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE = 0, POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION = (1<<0), + POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK = (1<<1), } PolkitCheckAuthorizationFlags; G_END_DECLS diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c index 517e715d..6290014e 100644 --- a/src/polkitbackend/polkitbackendinteractiveauthority.c +++ b/src/polkitbackend/polkitbackendinteractiveauthority.c @@ -1130,7 +1130,7 @@ check_authorization_sync (PolkitBackendAuthority *authority, goto out; /* special case: uid 0, root, is _always_ authorized for anything */ - if (identity_is_root_user (user_of_subject)) + if (!(flags & POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK) && identity_is_root_user (user_of_subject)) { result = polkit_authorization_result_new (TRUE, FALSE, NULL); goto out;
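Review bot: The gtk-doc line added for POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK in the `@@ -36,6 +36,7 @@` hunk of polkitcheckauthorizationflags.h does not say what happens without the flag, nor that the flag is a safety aid rather than a security boundary, although the commit message states both. A caller reading only the header could mistake it for a way to constrain root. I would write it as `@POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK: Evaluate policy and rules even when the subject is uid 0; without this flag root is authorized without any check. This is a safety aid, not a restriction on root.` The docbook entry added in the `@@ -100,6 +101,14 @@` hunk has the same one-line wording and would benefit from the same sentence.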
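Review bot: The comment left above the changed condition in check_authorization_sync still says root is `_always_` authorized, which stops being true once a caller passes POLKIT_CHECK_AUTHORIZATION_FLAGS_ALWAYS_CHECK. I would reword it to `/* special case: uid 0, root, is authorized for anything unless the caller set ALWAYS_CHECK */`. Because the bit is read from the caller's `flags` argument, the shortcut still applies to every mechanism that does not set it, so disabling an action in policy does not by itself stop a root subject; that should be stated wherever the flag is documented. The diffstat lists only the four files shown and none appears to be a test, so the new fall-through into policy evaluation for a root subject looks unexercised by this commit. The function body starts and ends outside the hunk.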