Compass D-Bus interface Offers Unauthenticated Access to all Users
All "Claim" D-Bus method calls require Polkit authentication for the Polkit action "net.hadess.SensorProxy.claim-sensor", except for the Compass claim method net.hadess.SensorProxy.Compass.ClaimCompass.
In commit 0b1574d0 it was stated that this is not necessary, because ClaimCompass can only be invoked by the "geoclue" user as per D-Bus configuration.
This has been changed in version 3.6 via commit 0cf3454f, though. Now any user in the system can invoke the compass D-Bus methods. This means that even users with low privileges, like nobody, can claim a compass sensor.
I don't think this is a major issue; a local information leak in some circumstances. I believe it should be addressed, however, by making it symmetrical to the rest of the claim D-Bus methods and requiring authorization of the claim-sensor Polkit action.
I'm keeping this issue confidential to give you the option to deal with this in private. If you don't deem this necessary, feel free to make the issue public.
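The report turns on which D-Bus policy scope is allowed to send to the Compass interface. The following is an added audit example, not part of the original report or the project's code, which checks a bus policy file for that. Both policy documents are constructed samples, and the matching is simplified: the last matching send rule inside each policy block wins, and precedence between blocks is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: Compass restricted to the "geoclue" user.
RESTRICTED = """<busconfig>
  <policy user="root">
    <allow own="net.hadess.SensorProxy"/>
  </policy>
  <policy context="default">
    <allow send_destination="net.hadess.SensorProxy"
           send_interface="net.hadess.SensorProxy"/>
  </policy>
  <policy user="geoclue">
    <allow send_destination="net.hadess.SensorProxy"
           send_interface="net.hadess.SensorProxy.Compass"/>
  </policy>
</busconfig>"""

# Constructed variant: the same rule moved into the default context.
OPEN = RESTRICTED.replace('<policy user="geoclue">', '<policy context="default">')

def scopes_allowed(policy_xml, destination, interface):
    """Return the policy scopes whose last matching send rule is <allow>."""
    verdict = {}
    for policy in ET.fromstring(policy_xml).iter("policy"):
        scope = next((f"{k}={v}" for k, v in policy.attrib.items()), "?")
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            dest = rule.get("send_destination")
            iface = rule.get("send_interface")
            if dest is None and iface is None:
                continue  # not a send rule (for example own=...)
            if dest not in (None, destination) or iface not in (None, interface):
                continue  # rule targets another name or interface
            verdict[scope] = rule.tag == "allow"
    return sorted(s for s, ok in verdict.items() if ok)

def open_to_all_users(policy_xml, destination, interface):
    """True when the default context (every local user) may send."""
    return "context=default" in scopes_allowed(policy_xml, destination, interface)

if __name__ == "__main__":
    target = ("net.hadess.SensorProxy", "net.hadess.SensorProxy.Compass")
    for name, doc in (("restricted", RESTRICTED), ("open", OPEN)):
        print(name, scopes_allowed(doc, *target), open_to_all_users(doc, *target))
```

When the check reports the interface as open to the default context, the bus policy no longer limits callers, so a Polkit check on the method is the only remaining gate.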