polkit (formerly PolicyKit) is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes.
Other
41
stars
22
forks
source link
Add new flag to check root user too in ChcekAuthorization #452
Currently if the subject has uid 0 a shortcut is taken and authorization is immediately granted, without checking against policies and rules. Add a flag that allows skipping this shortcut.
uid 0 can of course alter polkit's behaviour directly, so this is not so much a security feature, but more useful as a safety feature, so that when an action is disabled it cannot be accidentally performed by root, unless they really mean it and bypass polkit.
I intend to make use of this in logind, in the inhibitor functionality, to ensure even root has to drop an inhibitor lock before taking an action.
Currently if the subject has uid 0 a shortcut is taken and authorization is immediately granted, without checking against policies and rules. Add a flag that allows skipping this shortcut.
uid 0 can of course alter polkit's behaviour directly, so this is not so much a security feature, but more useful as a safety feature, so that when an action is disabled it cannot be accidentally performed by root, unless they really mean it and bypass polkit.
I intend to make use of this in logind, in the inhibitor functionality, to ensure even root has to drop an inhibitor lock before taking an action.