ctl: Restrict which services can be enabled
Right now authenticating for grdctl brings in the ability to enable and disable arbitrary systemd services.
grdctl only uses this ability to change one service, but to protect against bugs becoming security holes it's not a bad idea to farm out the service configuration to a dedicated mechanism.
This commit does just that: introduces a new, minimal grd-enable-service program that is hardwired to enable/disable gnome-remote-desktop.
This program only works for the gnome-remote-desktop user and only when called on behalf of callers that have the org.gnome.remotedesktop.configure-system-daemon polkit action.
grdctl now farms out to grd-enable-service instead of taking on the systemd unit actions itself.
Closes: #197
Edited by Ray Strode