Blame SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch

From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Wed, 2 Jan 2019 17:13:27 +0100
Subject: [PATCH] admin: Prevent access if any authentication agent isn't
 available

The backend currently allows accessing and modifying files without prompting
for a password if any polkit authentication agent isn't available. This
usually doesn't seem to be a problem, because polkit agents are integral parts of
graphical environments / Linux distributions. The agents can't be simply
disabled without root permissions and are automatically respawned. However,
this might be a problem in some non-standard cases.

This affects only users who belong to the wheel group (i.e. those who are
already allowed to use sudo). It doesn't allow privilege escalation for
users who don't belong to that group.

Let's also return a permission denied error when the subject can't be
authorized by any polkit agent, to prevent this behavior.

Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
---
 daemon/gvfsbackendadmin.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index ec0f2392..0f849008 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
       return FALSE;
     }
 
-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
-    polkit_authorization_result_get_is_challenge (result);
+  is_authorized = polkit_authorization_result_get_is_authorized (result);
 
   g_object_unref (result);
 
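Review bot: The new one-line assignment to is_authorized in check_permission has no comment recording that a challenge result is now deliberately treated as a denial, so a later cleanup could quietly restore the `|| polkit_authorization_result_get_is_challenge (result)` term. Add a short comment above the assignment stating that is_challenge means no agent could authorize the subject and must not grant access. The call that produces `result` is outside this hunk, so please also confirm it is made with user interaction allowed; if it is not, every request that needs authentication would come back as a challenge and be refused after this change.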
-- 
2.20.1