[systemd-devel] hostname can be changed without permission checks
Michał Zegan
webczat_200 at poczta.onet.pl
Sat Sep 12 02:56:35 PDT 2015
Okay, You seem to be right. Didn't notice that.
W dniu 12.09.2015 o 05:31, Michael Chapman pisze:
> On Sat, 12 Sep 2015, Michał Zegan wrote:
>> Hello.
>>
>> It seems that I am able to change a hostname with hostnamectl
>> set-hostname name without any problems, even logged in as
>> unprivileged user, and I did not get any authentication requests.
>> I did not modify polkit rules to allow this, not sure about the
>> default ones, but they probably shouldn't allow that, just checked
>> that implicit rules are auth_admin_keep, arch does not have vendor
>> rules and I also do not have my own..
>
> Did you check both /etc/polkit-1/rules.d/ and
> /usr/share/polkit-1/rules.d/?
>
> On my system (Fedora), gnome-control-center has added a rule to the
> latter directory to allow a local user set the hostname, locale, etc.,
> if they are in the "wheel" group. Perhaps you have something similar?
>
> You can test whether PolicyKit is allowing the action with:
>
> pkcheck --action-id org.freedesktop.hostname1.set-hostname \
> --process $$ --allow-user-interaction
>
> If this exits successfully, then it's something in your PolicyKit
> configuration allowing the action, not systemd.
>
> - Michael
More information about the systemd-devel
mailing list