1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001
From: Joshua Watt <JPEWhacker@gmail.com>
Date: Fri, 30 Oct 2020 08:15:43 -0500
Subject: [PATCH] logind: Restore chvt as non-root user without polkit
4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
the ability to write user sessions that run graphical sessions (e.g.
weston/X11). This was partially amended in 19bb87fbfa ("login: allow
non-console sessions to change vt") by changing the default PolicyKit
policy so that non-root users are again allowed to switch the VT. This
makes the policy when PolKit is not enabled (as on many embedded
systems) match the default PolKit policy and allows launching graphical
sessions as a non-root user.
Closes #17473
---
src/login/logind-dbus.c | 11 ++-------
src/login/logind-polkit.c | 26 +++++++++++++++++++++
src/login/logind-polkit.h | 10 ++++++++
src/login/logind-seat-dbus.c | 41 ++++-----------------------------
src/login/logind-session-dbus.c | 11 ++-------
src/login/meson.build | 1 +
6 files changed, 46 insertions(+), 54 deletions(-)
create mode 100644 src/login/logind-polkit.c
create mode 100644 src/login/logind-polkit.h
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 0f83ed99bc..a3765d88ba 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -30,6 +30,7 @@
#include "format-util.h"
#include "fs-util.h"
#include "logind-dbus.h"
+#include "logind-polkit.h"
#include "logind-seat-dbus.h"
#include "logind-session-dbus.h"
#include "logind-user-dbus.h"
@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
"Session %s not on seat %s", session_name, seat_name);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &m->polkit_registry,
- error);
+ r = check_polkit_chvt(message, m, error);
if (r < 0)
return r;
if (r == 0)
diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
new file mode 100644
index 0000000000..9072570cc6
--- /dev/null
+++ b/src/login/logind-polkit.c
@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "bus-polkit.h"
+#include "logind-polkit.h"
+#include "missing_capability.h"
+#include "user-util.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
+#if ENABLE_POLKIT
+ return bus_verify_polkit_async(
+ message,
+ CAP_SYS_ADMIN,
+ "org.freedesktop.login1.chvt",
+ NULL,
+ false,
+ UID_INVALID,
+ &manager->polkit_registry,
+ error);
+#else
+ /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
+ * non-root user when polkit is not compiled in, matching the default polkit policy */
+ return 1;
+#endif
+}
+
+
diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
new file mode 100644
index 0000000000..476c077a8a
--- /dev/null
+++ b/src/login/logind-polkit.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#include "sd-bus.h"
+
+#include "bus-object.h"
+#include "logind.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
+
diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
index a945132284..f22e9e2734 100644
--- a/src/login/logind-seat-dbus.c
+++ b/src/login/logind-seat-dbus.c
@@ -9,6 +9,7 @@
#include "bus-polkit.h"
#include "bus-util.h"
#include "logind-dbus.h"
+#include "logind-polkit.h"
#include "logind-seat-dbus.h"
#include "logind-seat.h"
#include "logind-session-dbus.h"
@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
if (session->seat != s)
return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
if (r < 0)
return r;
if (r == 0)
@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
if (to <= 0)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
if (r < 0)
return r;
if (r == 0)
@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
assert(message);
assert(s);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
if (r < 0)
return r;
if (r == 0)
@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
assert(message);
assert(s);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
if (r < 0)
return r;
if (r == 0)
diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
index ccc5ac8df2..57c8a4e900 100644
--- a/src/login/logind-session-dbus.c
+++ b/src/login/logind-session-dbus.c
@@ -11,6 +11,7 @@
#include "fd-util.h"
#include "logind-brightness.h"
#include "logind-dbus.h"
+#include "logind-polkit.h"
#include "logind-seat-dbus.h"
#include "logind-session-dbus.h"
#include "logind-session-device.h"
@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
assert(message);
assert(s);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
if (r < 0)
return r;
if (r == 0)
diff --git a/src/login/meson.build b/src/login/meson.build
index 0a7d3d5440..7e46be2add 100644
--- a/src/login/meson.build
+++ b/src/login/meson.build
@@ -26,6 +26,7 @@ liblogind_core_sources = files('''
logind-device.h
logind-inhibit.c
logind-inhibit.h
+ logind-polkit.c
logind-seat-dbus.c
logind-seat-dbus.h
logind-seat.c
--
2.28.0
|
