Browse Source

Only give the “qubes” group full Polkit access

This is consistent with the rest of qubes-core-agent-passwordless-root,
and helps prevent sandbox escapes by daemons with dbus access.
Demi Marie Obenour 3 years ago
parent
commit
16f48b6298
1 changed files with 1 additions and 1 deletions
  1. 1 1
      passwordless-root/polkit-1-qubes-allow-all.rules

+ 1 - 1
passwordless-root/polkit-1-qubes-allow-all.rules

@@ -1,2 +1,2 @@
 //allow any action, detailed reasoning in sudoers.d/qubes
-polkit.addRule(function(action,subject) { return polkit.Result.YES; });
+polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; });