logind: Restore chvt as non-root user without polkit

4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke the ability to write user sessions that run graphical sessions (e.g. weston/X11). This was partially amended in 19bb87fbfa ("login: allow non-console sessions to change vt") by changing the default PolicyKit policy so that non-root users with a session are again allowed to switch the VT. This makes the policy when PolKit is not enabled (as on many embedded systems) closer the default PolKit policy and allows launching graphical sessions as a non-root user. Closes #17473 Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
2025-02-12 21:57:27 +03:00 · 2020-10-30 08:15:43 -05:00 · 2020-10-30 08:15:43 -05:00 · 7820a56ccb
commit 7820a56ccb
parent b8f762f2fe
6 changed files with 44 additions and 54 deletions
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@ -30,6 +30,7 @@
 #include "format-util.h"
 #include "fs-util.h"
 #include "logind-dbus.h"
+#include "logind-polkit.h"
 #include "logind-seat-dbus.h"
 #include "logind-session-dbus.h"
 #include "logind-user-dbus.h"
@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
                return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT,
                                         "Session %s not on seat %s", session_name, seat_name);

-        r = bus_verify_polkit_async(
-                        message,
-                        CAP_SYS_ADMIN,
-                        "org.freedesktop.login1.chvt",
-                        NULL,
-                        false,
-                        UID_INVALID,
-                        &m->polkit_registry,
-                        error);
+        r = check_polkit_chvt(message, m, error);
        if (r < 0)
                return r;
        if (r == 0)
--- a/src/login/logind-polkit.c
+++ b/src/login/logind-polkit.c
@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "bus-polkit.h"
+#include "logind-polkit.h"
+#include "missing_capability.h"
+#include "user-util.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
+#if ENABLE_POLKIT
+        return bus_verify_polkit_async(
+                        message,
+                        CAP_SYS_ADMIN,
+                        "org.freedesktop.login1.chvt",
+                        NULL,
+                        false,
+                        UID_INVALID,
+                        &manager->polkit_registry,
+                        error);
+#else
+        /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
+         * non-root user when polkit is not compiled in, more closely matching the default polkit policy */
+        return 1;
+#endif
+}
--- a/src/login/logind-polkit.h
+++ b/src/login/logind-polkit.h
@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#include "sd-bus.h"
+
+#include "bus-object.h"
+#include "logind.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
--- a/src/login/logind-seat-dbus.c
+++ b/src/login/logind-seat-dbus.c
@ -9,6 +9,7 @@
 #include "bus-polkit.h"
 #include "bus-util.h"
 #include "logind-dbus.h"
+#include "logind-polkit.h"
 #include "logind-seat-dbus.h"
 #include "logind-seat.h"
 #include "logind-session-dbus.h"
@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
        if (session->seat != s)
                return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);

-        r = bus_verify_polkit_async(
-                        message,
-                        CAP_SYS_ADMIN,
-                        "org.freedesktop.login1.chvt",
-                        NULL,
-                        false,
-                        UID_INVALID,
-                        &s->manager->polkit_registry,
-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
        if (r < 0)
                return r;
        if (r == 0)
@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
        if (to <= 0)
                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");

-        r = bus_verify_polkit_async(
-                        message,
-                        CAP_SYS_ADMIN,
-                        "org.freedesktop.login1.chvt",
-                        NULL,
-                        false,
-                        UID_INVALID,
-                        &s->manager->polkit_registry,
-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
        if (r < 0)
                return r;
        if (r == 0)
@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
        assert(message);
        assert(s);

-        r = bus_verify_polkit_async(
-                        message,
-                        CAP_SYS_ADMIN,
-                        "org.freedesktop.login1.chvt",
-                        NULL,
-                        false,
-                        UID_INVALID,
-                        &s->manager->polkit_registry,
-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
        if (r < 0)
                return r;
        if (r == 0)
@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
        assert(message);
        assert(s);

-        r = bus_verify_polkit_async(
-                        message,
-                        CAP_SYS_ADMIN,
-                        "org.freedesktop.login1.chvt",
-                        NULL,
-                        false,
-                        UID_INVALID,
-                        &s->manager->polkit_registry,
-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
        if (r < 0)
                return r;
        if (r == 0)
--- a/src/login/logind-session-dbus.c
+++ b/src/login/logind-session-dbus.c
@ -11,6 +11,7 @@
 #include "fd-util.h"
 #include "logind-brightness.h"
 #include "logind-dbus.h"
+#include "logind-polkit.h"
 #include "logind-seat-dbus.h"
 #include "logind-session-dbus.h"
 #include "logind-session-device.h"
@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
        assert(message);
        assert(s);

-        r = bus_verify_polkit_async(
-                        message,
-                        CAP_SYS_ADMIN,
-                        "org.freedesktop.login1.chvt",
-                        NULL,
-                        false,
-                        UID_INVALID,
-                        &s->manager->polkit_registry,
-                        error);
+        r = check_polkit_chvt(message, s->manager, error);
        if (r < 0)
                return r;
        if (r == 0)
--- a/src/login/meson.build
+++ b/src/login/meson.build
@ -25,6 +25,8 @@ liblogind_core_sources = files('''
        logind-device.h
        logind-inhibit.c
        logind-inhibit.h
+        logind-polkit.c
+        logind-polkit.h
        logind-seat-dbus.c
        logind-seat-dbus.h
        logind-seat.c