diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 7e55173e27..b9b2524822 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -30,6 +30,7 @@
 #include "format-util.h"
 #include "fs-util.h"
 #include "logind-dbus.h"
+#include "logind-polkit.h"
 #include "logind-seat-dbus.h"
 #include "logind-session-dbus.h"
 #include "logind-user-dbus.h"
@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda
 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", session_name, seat_name);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &m->polkit_registry,
- error);
+ r = check_polkit_chvt(message, m, error);
 if (r < 0)
 return r;
 if (r == 0)
diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c
new file mode 100644
index 0000000000..d221bee8cd
--- /dev/null
+++ b/src/login/logind-polkit.c
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "bus-polkit.h"
+#include "logind-polkit.h"
+#include "missing_capability.h"
+#include "user-util.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) {
+#if ENABLE_POLKIT
+ return bus_verify_polkit_async(
+ message,
+ CAP_SYS_ADMIN,
+ "org.freedesktop.login1.chvt",
+ NULL,
+ false,
+ UID_INVALID,
+ &manager->polkit_registry,
+ error);
+#else
+ /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a
+ * non-root user when polkit is not compiled in, more closely matching the default polkit policy */
+ return 1;
+#endif
+}
diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h
new file mode 100644
index 0000000000..8c124f834d
--- /dev/null
+++ b/src/login/logind-polkit.h
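Review bot: The `#else` branch of check_polkit_chvt() in logind-polkit.c returns 1 for every caller, so on builds without polkit the check makes no test of capability, session ownership or session state before a VT switch or session activation is allowed. The removed call sites passed CAP_SYS_ADMIN to bus_verify_polkit_async(), which presumably still limited these methods to privileged callers when polkit was compiled out, so this is a widening of access rather than a pure refactor. It reaches all six converted methods (method_activate_session_on_seat, method_activate_session, method_switch_to, method_switch_to_next, method_switch_to_previous, bus_session_method_activate). The in-code comment cites the default polkit policy; if that policy grants org.freedesktop.login1.chvt only to active local sessions, the fallback is broader than what it cites, and the comment should say so, e.g. `/* Without polkit every bus caller is allowed to switch VTs: no CAP_SYS_ADMIN or active-session check is made here. */`.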
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#include "sd-bus.h"
+
+#include "bus-object.h"
+#include "logind.h"
+
+int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error);
diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
index a60ed2d3c2..9c2625cdcc 100644
--- a/src/login/logind-seat-dbus.c
+++ b/src/login/logind-seat-dbus.c
@@ -9,6 +9,7 @@
 #include "bus-polkit.h"
 #include "bus-util.h"
 #include "logind-dbus.h"
+#include "logind-polkit.h"
 #include "logind-seat-dbus.h"
 #include "logind-seat.h"
 #include "logind-session-dbus.h"
@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b
 if (session->seat != s)
 return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, s->id);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
 if (r < 0)
 return r;
 if (r == 0)
@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro
 if (to <= 0)
 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal");
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
 if (r < 0)
 return r;
 if (r == 0)
@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus
 assert(message);
 assert(s);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
 if (r < 0)
 return r;
 if (r == 0)
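Review bot: The declaration of check_polkit_chvt() in logind-polkit.h has no comment stating its return contract, and that contract now differs by build configuration. The callers branch on `r < 0` and `r == 0`, so the header should spell out the three outcomes and the non-polkit case, for example `/* Returns < 0 on error, 0 if the polkit query is still pending, > 0 if the caller may switch VTs; built without polkit it always returns > 0. */`. The meaning of 0 is inferred from the call sites, whose bodies continue outside the hunks, so confirm it against bus_verify_polkit_async() before committing the wording.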
@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd
 assert(message);
 assert(s);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
 if (r < 0)
 return r;
 if (r == 0)
diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
index b5d240be6a..d342dc4193 100644
--- a/src/login/logind-session-dbus.c
+++ b/src/login/logind-session-dbus.c
@@ -11,6 +11,7 @@
 #include "fd-util.h"
 #include "logind-brightness.h"
 #include "logind-dbus.h"
+#include "logind-polkit.h"
 #include "logind-seat-dbus.h"
 #include "logind-session-dbus.h"
 #include "logind-session-device.h"
@@ -192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_
 assert(message);
 assert(s);
- r = bus_verify_polkit_async(
- message,
- CAP_SYS_ADMIN,
- "org.freedesktop.login1.chvt",
- NULL,
- false,
- UID_INVALID,
- &s->manager->polkit_registry,
- error);
+ r = check_polkit_chvt(message, s->manager, error);
 if (r < 0)
 return r;
 if (r == 0)
diff --git a/src/login/meson.build b/src/login/meson.build
index ca64492383..156c391d8a 100644
--- a/src/login/meson.build
+++ b/src/login/meson.build
@@ -25,6 +25,8 @@ liblogind_core_sources = files('''
 logind-device.h
 logind-inhibit.c
 logind-inhibit.h
+ logind-polkit.c
+ logind-polkit.h
 logind-seat-dbus.c
 logind-seat-dbus.h
 logind-seat.c