|
|
c2dfb7 |
From af20a66874296f71618819ebce9d4335b195728c Mon Sep 17 00:00:00 2001
|
|
|
c2dfb7 |
From: Lennart Poettering <lennart@poettering.net>
|
|
|
c2dfb7 |
Date: Wed, 22 Jan 2020 12:04:38 +0100
|
|
|
c2dfb7 |
Subject: [PATCH] logind: check PolicyKit before allowing VT switch
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
Let's lock this down a bit. Effectively nothing much changes, since the
|
|
|
c2dfb7 |
default PK policy will allow users on the VT to change VT. Only users
|
|
|
c2dfb7 |
with no local VT session won't be able to switch VTs.
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
(cherry picked from commit 4acf0cfd2f92edb94ad48d04f1ce6c9ab4e19d55)
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
Resolves: #1797679
|
|
|
c2dfb7 |
---
|
|
|
c2dfb7 |
src/login/logind-dbus.c | 16 +++++++
|
|
|
c2dfb7 |
src/login/logind-seat-dbus.c | 58 ++++++++++++++++++++++++-
|
|
|
c2dfb7 |
src/login/logind-session-dbus.c | 15 +++++++
|
|
|
c2dfb7 |
src/login/org.freedesktop.login1.policy | 10 +++++
|
|
|
c2dfb7 |
4 files changed, 98 insertions(+), 1 deletion(-)
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
|
|
|
c2dfb7 |
index dca7f4a30f..3f122fcbd9 100644
|
|
|
c2dfb7 |
--- a/src/login/logind-dbus.c
|
|
|
c2dfb7 |
+++ b/src/login/logind-dbus.c
|
|
|
c2dfb7 |
@@ -913,6 +913,8 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
|
|
|
c2dfb7 |
if (r < 0)
|
|
|
c2dfb7 |
return r;
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
+ /* PolicyKit is done by bus_session_method_activate() */
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
return bus_session_method_activate(message, session, error);
|
|
|
c2dfb7 |
}
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
@@ -944,6 +946,20 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
|
|
|
c2dfb7 |
if (session->seat != seat)
|
|
|
c2dfb7 |
return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", session_name, seat_name);
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
+ r = bus_verify_polkit_async(
|
|
|
c2dfb7 |
+ message,
|
|
|
c2dfb7 |
+ CAP_SYS_ADMIN,
|
|
|
c2dfb7 |
+ "org.freedesktop.login1.chvt",
|
|
|
c2dfb7 |
+ NULL,
|
|
|
c2dfb7 |
+ false,
|
|
|
c2dfb7 |
+ UID_INVALID,
|
|
|
c2dfb7 |
+ &m->polkit_registry,
|
|
|
c2dfb7 |
+ error);
|
|
|
c2dfb7 |
+ if (r < 0)
|
|
|
c2dfb7 |
+ return r;
|
|
|
c2dfb7 |
+ if (r == 0)
|
|
|
c2dfb7 |
+ return 1; /* Will call us back */
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
r = session_activate(session);
|
|
|
c2dfb7 |
if (r < 0)
|
|
|
c2dfb7 |
return r;
|
|
|
c2dfb7 |
diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
|
|
|
c2dfb7 |
index c4d9b067c6..2e590a8f21 100644
|
|
|
c2dfb7 |
--- a/src/login/logind-seat-dbus.c
|
|
|
c2dfb7 |
+++ b/src/login/logind-seat-dbus.c
|
|
|
c2dfb7 |
@@ -174,6 +174,20 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
|
|
|
c2dfb7 |
if (session->seat != s)
|
|
|
c2dfb7 |
return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
+ r = bus_verify_polkit_async(
|
|
|
c2dfb7 |
+ message,
|
|
|
c2dfb7 |
+ CAP_SYS_ADMIN,
|
|
|
c2dfb7 |
+ "org.freedesktop.login1.chvt",
|
|
|
c2dfb7 |
+ NULL,
|
|
|
c2dfb7 |
+ false,
|
|
|
c2dfb7 |
+ UID_INVALID,
|
|
|
c2dfb7 |
+ &s->manager->polkit_registry,
|
|
|
c2dfb7 |
+ error);
|
|
|
c2dfb7 |
+ if (r < 0)
|
|
|
c2dfb7 |
+ return r;
|
|
|
c2dfb7 |
+ if (r == 0)
|
|
|
c2dfb7 |
+ return 1; /* Will call us back */
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
r = session_activate(session);
|
|
|
c2dfb7 |
if (r < 0)
|
|
|
c2dfb7 |
return r;
|
|
|
c2dfb7 |
@@ -194,7 +208,21 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
|
|
|
c2dfb7 |
return r;
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
if (to <= 0)
|
|
|
c2dfb7 |
- return -EINVAL;
|
|
|
c2dfb7 |
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
+ r = bus_verify_polkit_async(
|
|
|
c2dfb7 |
+ message,
|
|
|
c2dfb7 |
+ CAP_SYS_ADMIN,
|
|
|
c2dfb7 |
+ "org.freedesktop.login1.chvt",
|
|
|
c2dfb7 |
+ NULL,
|
|
|
c2dfb7 |
+ false,
|
|
|
c2dfb7 |
+ UID_INVALID,
|
|
|
c2dfb7 |
+ &s->manager->polkit_registry,
|
|
|
c2dfb7 |
+ error);
|
|
|
c2dfb7 |
+ if (r < 0)
|
|
|
c2dfb7 |
+ return r;
|
|
|
c2dfb7 |
+ if (r == 0)
|
|
|
c2dfb7 |
+ return 1; /* Will call us back */
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
r = seat_switch_to(s, to);
|
|
|
c2dfb7 |
if (r < 0)
|
|
|
c2dfb7 |
@@ -210,6 +238,20 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
|
|
|
c2dfb7 |
assert(message);
|
|
|
c2dfb7 |
assert(s);
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
+ r = bus_verify_polkit_async(
|
|
|
c2dfb7 |
+ message,
|
|
|
c2dfb7 |
+ CAP_SYS_ADMIN,
|
|
|
c2dfb7 |
+ "org.freedesktop.login1.chvt",
|
|
|
c2dfb7 |
+ NULL,
|
|
|
c2dfb7 |
+ false,
|
|
|
c2dfb7 |
+ UID_INVALID,
|
|
|
c2dfb7 |
+ &s->manager->polkit_registry,
|
|
|
c2dfb7 |
+ error);
|
|
|
c2dfb7 |
+ if (r < 0)
|
|
|
c2dfb7 |
+ return r;
|
|
|
c2dfb7 |
+ if (r == 0)
|
|
|
c2dfb7 |
+ return 1; /* Will call us back */
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
r = seat_switch_to_next(s);
|
|
|
c2dfb7 |
if (r < 0)
|
|
|
c2dfb7 |
return r;
|
|
|
c2dfb7 |
@@ -224,6 +266,20 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
|
|
|
c2dfb7 |
assert(message);
|
|
|
c2dfb7 |
assert(s);
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
+ r = bus_verify_polkit_async(
|
|
|
c2dfb7 |
+ message,
|
|
|
c2dfb7 |
+ CAP_SYS_ADMIN,
|
|
|
c2dfb7 |
+ "org.freedesktop.login1.chvt",
|
|
|
c2dfb7 |
+ NULL,
|
|
|
c2dfb7 |
+ false,
|
|
|
c2dfb7 |
+ UID_INVALID,
|
|
|
c2dfb7 |
+ &s->manager->polkit_registry,
|
|
|
c2dfb7 |
+ error);
|
|
|
c2dfb7 |
+ if (r < 0)
|
|
|
c2dfb7 |
+ return r;
|
|
|
c2dfb7 |
+ if (r == 0)
|
|
|
c2dfb7 |
+ return 1; /* Will call us back */
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
r = seat_switch_to_previous(s);
|
|
|
c2dfb7 |
if (r < 0)
|
|
|
c2dfb7 |
return r;
|
|
|
c2dfb7 |
diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
|
|
|
c2dfb7 |
index 25c4981dc0..88a2d33dc8 100644
|
|
|
c2dfb7 |
--- a/src/login/logind-session-dbus.c
|
|
|
c2dfb7 |
+++ b/src/login/logind-session-dbus.c
|
|
|
c2dfb7 |
@@ -13,6 +13,7 @@
|
|
|
c2dfb7 |
#include "logind.h"
|
|
|
c2dfb7 |
#include "signal-util.h"
|
|
|
c2dfb7 |
#include "strv.h"
|
|
|
c2dfb7 |
+#include "user-util.h"
|
|
|
c2dfb7 |
#include "util.h"
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
static int property_get_user(
|
|
|
c2dfb7 |
@@ -182,6 +183,20 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
|
|
|
c2dfb7 |
assert(message);
|
|
|
c2dfb7 |
assert(s);
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
+ r = bus_verify_polkit_async(
|
|
|
c2dfb7 |
+ message,
|
|
|
c2dfb7 |
+ CAP_SYS_ADMIN,
|
|
|
c2dfb7 |
+ "org.freedesktop.login1.chvt",
|
|
|
c2dfb7 |
+ NULL,
|
|
|
c2dfb7 |
+ false,
|
|
|
c2dfb7 |
+ UID_INVALID,
|
|
|
c2dfb7 |
+ &s->manager->polkit_registry,
|
|
|
c2dfb7 |
+ error);
|
|
|
c2dfb7 |
+ if (r < 0)
|
|
|
c2dfb7 |
+ return r;
|
|
|
c2dfb7 |
+ if (r == 0)
|
|
|
c2dfb7 |
+ return 1; /* Will call us back */
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
r = session_activate(s);
|
|
|
c2dfb7 |
if (r < 0)
|
|
|
c2dfb7 |
return r;
|
|
|
c2dfb7 |
diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy
|
|
|
c2dfb7 |
index f1d1f956d3..83760e1580 100644
|
|
|
c2dfb7 |
--- a/src/login/org.freedesktop.login1.policy
|
|
|
c2dfb7 |
+++ b/src/login/org.freedesktop.login1.policy
|
|
|
c2dfb7 |
@@ -357,4 +357,14 @@
|
|
|
c2dfb7 |
</defaults>
|
|
|
c2dfb7 |
</action>
|
|
|
c2dfb7 |
|
|
|
c2dfb7 |
+ <action id="org.freedesktop.login1.chvt">
|
|
|
c2dfb7 |
+ <description gettext-domain="systemd">Change Session</description>
|
|
|
c2dfb7 |
+ <message gettext-domain="systemd">Authentication is required for changing the virtual terminal.</message>
|
|
|
c2dfb7 |
+ <defaults>
|
|
|
c2dfb7 |
+ <allow_any>auth_admin_keep</allow_any>
|
|
|
c2dfb7 |
+ <allow_inactive>auth_admin_keep</allow_inactive>
|
|
|
c2dfb7 |
+ <allow_active>yes</allow_active>
|
|
|
c2dfb7 |
+ </defaults>
|
|
|
c2dfb7 |
+ </action>
|
|
|
c2dfb7 |
+
|
|
|
c2dfb7 |
</policyconfig>
|