[systemd-devel] Starting transient services securely from other service without root

Mantas Mikulėnas grawity at gmail.com
Thu Apr 28 16:53:15 UTC 2022


On Thu, Apr 28, 2022 at 6:56 PM Vašek Šraier <vaclav.sraier at nic.cz> wrote:

> To update the current list of options:
>
> - PolicyKit
>   could technically help, but I've discovered that the documentation
>   explicitly prohibits our potential use-case:
>   "In particular, applications, [...] must never include any
>    authorization rules."
>

That didn't stop many of them (including, apparently, systemd itself) from
doing so anyway.

$ pkgfile -vg '/usr/share/polkit-1/rules.d/*'
core/systemd 250.4-2
 /usr/share/polkit-1/rules.d/systemd-networkd.rules
extra/brltty 6.4-10
 /usr/share/polkit-1/rules.d/org.a11y.brlapi.rules
extra/flatpak 1:1.12.7-1
 /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules
extra/geoclue 2.6.0-2
 /usr/share/polkit-1/rules.d/org.freedesktop.GeoClue2.rules
extra/gnome-control-center 42.1-1
 /usr/share/polkit-1/rules.d/gnome-control-center.rules
extra/gvfs 1.50.1-1
 /usr/share/polkit-1/rules.d/org.gtk.vfs.file-operations.rules
extra/lightdm 1:1.30.0-4
 /usr/share/polkit-1/rules.d/lightdm.rules
extra/malcontent 0.10.3-2
 /usr/share/polkit-1/rules.d/com.endlessm.ParentalControls.rules
extra/polkit 0.120-5
 /usr/share/polkit-1/rules.d/50-default.rules
community/bolt 0.9.2-1
 /usr/share/polkit-1/rules.d/org.freedesktop.bolt.rules
community/fwupd 1.7.7-1
 /usr/share/polkit-1/rules.d/org.freedesktop.fwupd.rules
community/gnome-initial-setup 41.4-1
 /usr/share/polkit-1/rules.d/20-gnome-initial-setup.rules
community/libvirt 1:8.2.0-4
 /usr/share/polkit-1/rules.d/50-libvirt.rules
community/libvirt-dbus 1.4.1-2
 /usr/share/polkit-1/rules.d/libvirt-dbus.rules
community/packagekit 1.2.5-1
 /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules

I found a bugzilla about this:
https://bugs.freedesktop.org/show_bug.cgi?id=80921

-- 
Mantas Mikulėnas