[gvfs/gnome-3-26] admin: Prevent access if any authentication agent isn't available



commit a3edc980e488a5e7b6957ff0e7bee9706bcfe728
Author: Ondrej Holy <oholy redhat com>
Date:   Wed Jan 2 17:13:27 2019 +0100

    admin: Prevent access if any authentication agent isn't available
    
    The backend currently allows to access and modify files without prompting
    for password if any polkit authentication agent isn't available. This seems
    isn't usually problem, because polkit agents are integral parts of
    graphical environments / linux distributions. The agents can't be simply
    disabled without root permissions and are automatically respawned. However,
    this might be a problem in some non-standard cases.
    
    This affects only users which belong to wheel group (i.e. those who are
    already allowed to use sudo). It doesn't allow privilege escalation for
    users, who don't belong to that group.
    
    Let's return permission denied error also when the subject can't be
    authorized by any polkit agent to prevent this behavior.
    
    Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355

 daemon/gvfsbackendadmin.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
---
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index d67353da..9583da45 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
       return FALSE;
     }
 
-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
-    polkit_authorization_result_get_is_challenge (result);
+  is_authorized = polkit_authorization_result_get_is_authorized (result);
 
   g_object_unref (result);
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]