Update polkit rules to allow sudo users to change wifi config #196

Open
wants to merge 1 commit into
base: main
@zytegalaxy zytegalaxy commented Dec 2, 2024

This PR offers a fix for #183.

For a complete solution, we need to implement #184.

Context: The following system polkit rule is interfering with our custom-designed polkit rule:

```
ubo@ubo-ie:~ $ sudo ls -l /usr/share/polkit-1/rules.d/
total 16
-rw-r--r-- 1 root root 976 Jan 31  2023 49-polkit-pkla-compat.rules
-rw-r--r-- 1 root root 325 Jan 31  2023 50-default.rules
-rw-r--r-- 1 root root 282 Mar  9  2023 org.freedesktop.NetworkManager.rules
-rw-r--r-- 1 root root 527 Aug 19 21:25 systemd-networkd.rules

ubo@ubo-ie:~ $ sudo cat /usr/share/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.local && subject.active &&
        (subject.isInGroup ("sudo") || subject.isInGroup ("netdev"))) {
        return polkit.Result.YES;
    }
});
```

This rule specifically requires users in the sudo group to only modify system settings when they are both local and active, and it only covers the settings.modify.system action.

Based on the polkit documentation, local and active are attributes of the Subject type that indicate the session status:

  • local (boolean):
    Set to true only if the seat is local
    A "local" seat means the user is physically present at the machine (like sitting at a desktop/laptop)
    As opposed to a remote connection (like SSH or VNC)

  • active (boolean):
    Set to true only if the session is active
    An "active" session means it's currently being used
    For example, in a multi-user system with multiple logged-in users, only the currently focused/active user session would be marked as active
    If you're logged in but switched to another user's session, your session would be inactive

We need special rule handling as below:

```javascript
polkit.addRule(function(action, subject) {
    if (subject.user == "ubo") {
        // Grant settings.modify.system to ubo when ubo is in the sudo group,
        // regardless of session status (no local/active check)
        if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
            subject.isInGroup("sudo")) {
            return polkit.Result.YES;
        }
        // ... rest of rules
    }
});
```
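An added example, not code from this PR or the project: a small JavaScript stand-in for polkit's rule evaluation that runs the system rule and the proposed rule against constructed subjects, to show which sessions each one authorizes. `makeEngine`, `makeSubject` and `decide` are hypothetical helpers, and only first-match rule semantics are modelled.

```javascript
// Stand-in for polkitd rule evaluation: the first rule to return a result decides.
const Result = { YES: "yes", NOT_HANDLED: "not-handled" };
const NM_MODIFY = "org.freedesktop.NetworkManager.settings.modify.system";

function makeEngine() {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  const check = (action, subject) => {
    for (const rule of rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return Result.NOT_HANDLED; // real polkit then uses the action's defaults
  };
  return { polkit, check };
}

// Constructed subject with the attributes the rules on the page read.
function makeSubject(user, groups, local, active) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// System rule quoted in the PR description.
function systemRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (action.id == NM_MODIFY && subject.local && subject.active &&
        (subject.isInGroup("sudo") || subject.isInGroup("netdev"))) {
      return polkit.Result.YES;
    }
  });
}

// Rule proposed in the PR description: no local/active check for ubo.
function customRule(polkit) {
  polkit.addRule(function (action, subject) {
    if (subject.user == "ubo") {
      if (action.id == NM_MODIFY && subject.isInGroup("sudo")) {
        return polkit.Result.YES;
      }
    }
  });
}

// Install the given rules in order and evaluate one request.
function decide(installers, subj) {
  const { polkit, check } = makeEngine();
  installers.forEach((install) => install(polkit));
  return check({ id: NM_MODIFY }, subj);
}
```

With these constructed subjects, a non-local `ubo` session in `sudo` gets `YES` only once the proposed rule is installed, while any other `sudo` member still has to satisfy the system rule's `local` and `active` checks.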

# exposed via the UI.

# Add the user to the sudo group
usermod -aG sudo $USERNAME
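Review bot: The added `usermod -aG sudo $USERNAME` grants far more than the wifi permission this change is about: under Debian-style default sudoers policy, members of `sudo` can run any command as root, so every account this line runs for becomes a full administrator. Consider a dedicated, narrowly scoped group that the polkit rule checks instead of `sudo`, and quote the variable as `"$USERNAME"` so an unexpected value cannot split into extra arguments.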

This script runs for all users, not necessarily the ubo user, when they are created or when their password is being reset in the users menu.
Is this intended?
