Browse Source

passwordless-root: policykit: restrict access to group qubes

Without this restriction system users can start processes with
root privileges:

  $ sudo -u mail systemd-run --pipe -q id
  uid=0(root) gid=0(root) groups=0(root)
Peter Gerber 3 years ago
parent
commit
a8b29c3fa6
1 changed files with 1 additions and 1 deletions
  1. 1 1
      passwordless-root/polkit-1-qubes-allow-all.pkla

+ 1 - 1
passwordless-root/polkit-1-qubes-allow-all.pkla

@@ -1,5 +1,5 @@
 [Qubes allow all]
-Identity=*
+Identity=unix-group:qubes
 Action=*
 ResultAny=yes
 ResultInactive=yes