• Dan Williams's avatar
    dbus: kill at_console usage in permissions (bgo #707983) (rh #979416) · 7e0f94f0
    Dan Williams authored
    at_console permissions as implemented by D-Bus have some problems:
    
    1) it is now fully redundant with PolicyKit and session tracking via
    systemd/ConsoleKit
    
    2) it uses a different mechanism than PolicyKit or systemd to determine
    sessions and whether the user is on local or not (pam_console)
    
    3) it was never widely implemented across so removing it
    harmonizes D-Bus permissions on all supported distros
    
    To that end, remove the at_console section of the D-Bus permissions,
    and rely on session-tracking and PolicyKit to ensure operations are
    locked down.
    
    No changes are being made to PolicyKit or session-tracking, so any
    operations denied by those mechanisms are still denied, and no
    permissions are being relaxed.  Instead, this should allow remote
    users who log in via remote desktop or SSH to inspect network state,
    change connection parameters, and start/stop interfaces.  Obviously
    if you are remote, you should not touch the interface which your
    connection is using, but that concern shouldn't prevent all the other
    nice stuff that you can do with NM.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=707983
    https://bugzilla.redhat.com/show_bug.cgi?id=979416
    7e0f94f0
org.freedesktop.NetworkManager.conf 7.87 KB