Skip to content

Sentinel 0.14.0

Latest

Choose a tag to compare

@atayoez atayoez released this 05 Jul 10:24

Sentinel 0.14.0

An auth-path hardening release: a batch of fail-closed fixes on both the
polkit and terminal paths, a safer uninstaller, and one opt-in feature —
remember_scope = "program" for multi-command tools.

If you remember one thing: several ways a dialog could show one thing and
the policy/remember machinery match another are closed — the "remember"
checkbox, [policy] allow, and polkit identity selection now all
fail closed.

Fixed — polkit path

  • An auth for another identity can no longer be satisfied by a single
    click.
    When the running user's own uid wasn't among the identities
    polkit offered, the agent silently picked the first offered unix-user —
    so one Allow click could satisfy an auth_admin action as root/another
    admin with no credential. It now fails closed: if your uid isn't
    offered, the agent declines and polkit falls back to its password
    prompt. Non-breaking in practice (install.sh makes the logged-in user
    a polkit administrator, so your uid is offered for actions you can
    perform).
  • The confirmation dialog is killed on cancel and bounded by a
    timeout.
    CancelAuthentication no longer orphans the dialog on
    screen, and a wedged helper can't block every future auth by holding
    the agent's serialization guard forever.
  • A CancelAuthentication racing session startup now aborts it
    reliably
    , and a pre-approval left behind by a failed helper hand-off
    is dropped so a later auth can't claim it.

Fixed — terminal path

  • The "remember" checkbox is no longer offered for requests that can
    never be remembered
    (sudo -v, su, shells and other ineligible
    gateways). Previously the dialog showed the checkbox but the tick was
    silently dropped — e.g. topgrade's leading sudo -v cred-cache prompt
    pretended to be rememberable.
  • [policy] allow can no longer be tricked into passwordlessly
    granting a root shell.
    For a bare-elevation request (sudo -i/-s/
    -v, su) the dialog shows the originating tool (e.g. topgrade),
    but policy now matches on a separate policy_exe that is unset for
    those requests — an allow = ["topgrade"] entry no longer matches the
    root shell that tool spawns. Such requests always go to the dialog.
  • sudo -R/--chroot <dir> is parsed correctly. The chroot
    directory was previously mistaken for the elevated command, so the
    dialog showed the wrong program and a deny entry could be evaded.
  • Remember grants are never keyed on the "no audit session"
    sentinel.
    Two sessions that both lack a loginuid/sessionid could
    otherwise collide on one grant; such requests are now never remembered.

Fixed — uninstaller

  • uninstall.sh can no longer delete a distro PAM stack. In the
    state-file-less fallback, a shared PAM stack (polkit-1, sudo,
    sudo-i, su) with no .pre-sentinel.bak backup was removed
    outright — which can lock you out of that service (e.g. no more sudo
    auth). The fallback now restores the backup if present, else strips
    only Sentinel's pam_sentinel.so line, and never deletes the file.

Added

  • remember_scope = "command" | "program" ([general] or per
    service): opt-in granularity for remember grants. The default
    ("command") keeps 0.12's full-command binding; "program" binds a
    grant to the program token only, so multi-command tools (topgrade's
    zypper refresh + zypper dist-upgrade) prompt once per window
    instead of once per distinct command line. Shell/interpreter exclusions
    and session binding are unchanged.

Changed

  • cxx-qt stack bumped to 0.9. No source changes, but cxx-qt-build 0.9
    no longer auto-discovers Qt: building the helper now requires QMAKE
    to point at the system qmake6. CI, install.sh, and
    scripts/release-local.sh set/detect it automatically; for a manual
    build use QMAKE=$(command -v qmake6) cargo build -p sentinel-helper-kde.

Upgrading

  • Reinstall (or upgrade the package) to pick up the fixed
    uninstaller and helper. No config migration; remember_scope is
    opt-in and defaults to the existing behavior.