-
David Zeuthen authored
So it turns out that I hadn't been using shadow passwords on my other development box (don't ask) and that's why auth as root worked fine when just running as an unprivileged user. However, to auth as another user (such as root), the process embedding pam needs to run as root. Therefore, split out the actual authentication bits into a small and easy to audit helper, polkit-grant-helper-pam. The auth now goes like this: polkit-gnome <-links with-> libpolkit-grant ^ | spawns | V /usr/libexec/polkit-grant-helper ^ | spawns | V /usr/libexec/polkit-grant-helper-pam where polkit-grant-helper is setgid polkit; it links with libdbus and libpolkit. polkit-grant-helper-pam is setuid root; it links only with libpam
368397f9