[systemd-devel] hostname can be changed without permission checks
Michael Chapman
mike at very.puzzling.org
Fri Sep 11 20:31:43 PDT 2015
On Sat, 12 Sep 2015, MichaĆ Zegan wrote:
> Hello.
>
> It seems that I am able to change a hostname with hostnamectl set-hostname
> name without any problems, even logged in as unprivileged user, and I did not
> get any authentication requests.
> I did not modify polkit rules to allow this, not sure about the default ones,
> but they probably shouldn't allow that, just checked that implicit rules are
> auth_admin_keep, arch does not have vendor rules and I also do not have my
> own..
Did you check both /etc/polkit-1/rules.d/ and /usr/share/polkit-1/rules.d/?
On my system (Fedora), gnome-control-center has added a rule to the latter
directory to allow a local user set the hostname, locale, etc., if they
are in the "wheel" group. Perhaps you have something similar?
You can test whether PolicyKit is allowing the action with:
pkcheck --action-id org.freedesktop.hostname1.set-hostname \
--process $$ --allow-user-interaction
If this exits successfully, then it's something in your PolicyKit
configuration allowing the action, not systemd.
- Michael
More information about the systemd-devel
mailing list