Skip to content

admin: Prevent access if any authentication agent isn't available

Ondrej Holy requested to merge wip/oholy/admin-authorization-fix into master

The backend currently allows to access and modify files without prompting for password if any polkit authentication agent isn't available. This seems isn't usually problem, because polkit agents are integral parts of graphical environments / linux distributions. The agents can't be simply disabled without root permissions and are automatically respawned. However, this might be a problem in some non-standard cases.

This affects only users which belong to wheel group (i.e. those who are already allowed to use sudo). It doesn't allow privilege escalation for users, who don't belong to that group.

Let's return permission denied error also when the subject can't be authorized by any polkit agent to prevent this behavior.

Closes: #355

Edited by Ondrej Holy

Merge request reports