passwordless-root: policykit: restrict access to group qubes

Without this restriction system users can start processes with
root privileges:

  $ sudo -u mail systemd-run --pipe -q id
  uid=0(root) gid=0(root) groups=0(root)
This commit is contained in:
Peter Gerber 2020-09-13 14:11:49 +00:00
parent a695902d68
commit a8b29c3fa6

View File

@ -1,5 +1,5 @@
[Qubes allow all]
Identity=*
Identity=unix-group:qubes
Action=*
ResultAny=yes
ResultInactive=yes