diff --git a/loglevel_property_root_only.patch b/loglevel_property_root_only.patch new file mode 100644 index 0000000..194d23b --- /dev/null +++ b/loglevel_property_root_only.patch @@ -0,0 +1,72 @@ +commit 5a4ba7dfdcc3f71e28b5921e71b1685886b46343 +Author: Luca Boccassi +Date: Tue Oct 29 13:34:39 2024 +0000 + + polkit: explicitly restrict setting D-Bus property to root + + Unlike sd-bus in libsystemd, gdbus in glib does not automatically + restrict changing properties to the root user. Check the credential + of the caller manually so that changes are restricted as expected. + Also add more user-friendly error messages to other error conditions + for a better user experience. + +diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c +index 223dc4a..86ca632 100644 +--- a/src/polkitbackend/polkitbackendauthority.c ++++ b/src/polkitbackend/polkitbackendauthority.c +@@ -1439,18 +1439,48 @@ server_handle_set_property (GDBusConnection *connection, + GError **error, + gpointer user_data) + { ++ PolkitSubject *caller_subject; ++ PolkitUnixUser *caller_user; ++ const gchar *level; ++ + if (g_strcmp0 (interface_name, "org.freedesktop.LogControl1") != 0) +- return FALSE; ++ { ++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Only properties of org.freedesktop.LogControl1 can be modified"); ++ return FALSE; ++ } + +- if (g_strcmp0 (property_name, "LogLevel") == 0) ++ if (g_strcmp0 (property_name, "LogLevel") != 0) + { +- const gchar *level; ++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Only LogLevel can be modified"); ++ return FALSE; ++ } + +- g_variant_get (value, "&s", &level); +- polkit_backend_authority_set_log_level (level); ++ caller_subject = polkit_system_bus_name_new (sender); ++ if (!caller_subject) ++ { ++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Could not obtain caller's credentials"); ++ return FALSE; + } +- else +- return FALSE; ++ caller_user = polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (caller_subject), NULL, error); ++ if (!caller_user) ++ { ++ g_object_unref (caller_subject); ++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, "Could not obtain caller's credentials"); ++ return FALSE; ++ } ++ if ((uid_t)polkit_unix_user_get_uid (caller_user) != 0) ++ { ++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, "Only root can change the log level"); ++ g_object_unref (caller_user); ++ g_object_unref (caller_subject); ++ return FALSE; ++ } ++ ++ g_variant_get (value, "&s", &level); ++ polkit_backend_authority_set_log_level (level); ++ ++ g_object_unref (caller_user); ++ g_object_unref (caller_subject); + + return TRUE; + } diff --git a/polkit.spec b/polkit.spec index ba40ca0..11b65a1 100644 --- a/polkit.spec +++ b/polkit.spec @@ -4,13 +4,14 @@ Summary: An authorization framework Name: polkit Version: 125 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPL-2.0-or-later URL: https://github.com/polkit-org/polkit Source0: https://github.com/polkit-org/polkit/archive/refs/tags/%{version}.tar.gz Source1: polkit.sysusers Patch1: pthread_condattr_loglevel.patch +Patch2: loglevel_property_root_only.patch BuildRequires: gcc-c++ BuildRequires: glib2-devel >= 2.30.0 @@ -163,6 +164,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_libdir}/girepository-1.0/*.typelib %changelog +* Tue Aug 12 2025 Jan Rybar - 125-4 +- changing log level via dbus is now restricted to root +- backport of https://github.com/polkit-org/polkit/commit/5a4ba7dfdcc3f +- Resolves: RHEL-90807 + * Tue Oct 29 2024 Troy Dawson - 125-3 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018