From a8b29c3fa6577cca50654523eb0efeacfdcf5253 Mon Sep 17 00:00:00 2001 From: Peter Gerber Date: Sun, 13 Sep 2020 14:11:49 +0000 Subject: [PATCH] passwordless-root: policykit: restrict access to group qubes Without this restriction system users can start processes with root privileges: $ sudo -u mail systemd-run --pipe -q id uid=0(root) gid=0(root) groups=0(root) --- passwordless-root/polkit-1-qubes-allow-all.pkla | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/passwordless-root/polkit-1-qubes-allow-all.pkla b/passwordless-root/polkit-1-qubes-allow-all.pkla index 1ff7ded..20e9c7f 100644 --- a/passwordless-root/polkit-1-qubes-allow-all.pkla +++ b/passwordless-root/polkit-1-qubes-allow-all.pkla @@ -1,5 +1,5 @@ [Qubes allow all] -Identity=* +Identity=unix-group:qubes Action=* ResultAny=yes ResultInactive=yes
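Review bot: On the changed `Identity=unix-group:qubes` line, the rule still pairs `Action=*` with `ResultAny=yes` and `ResultInactive=yes`, so after this change the restriction rests entirely on who is a member of group qubes. The commit message names the `mail` system user as the problem case, but neither it nor the file states which accounts are expected to be in that group. Suggest a comment above the `Identity=` line saying that membership in qubes is equivalent to passwordless root through polkit and that system accounts must not be added to it. It would also help to record in the commit message that the `sudo -u mail systemd-run --pipe -q id` check shown there is refused once the patch is applied.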