Sentinel 0.14.0
An auth-path hardening release: a batch of fail-closed fixes on both the
polkit and terminal paths, a safer uninstaller, and one opt-in feature —
remember_scope = "program" for multi-command tools.
If you remember one thing: several ways a dialog could show one thing and
the policy/remember machinery match another are closed — the "remember"
checkbox, [policy] allow, and polkit identity selection now all
fail closed.
Fixed — polkit path
- An auth for another identity can no longer be satisfied by a single
click. When the running user's own uid wasn't among the identities
polkit offered, the agent silently picked the first offered unix-user —
so one Allow click could satisfy anauth_adminaction as root/another
admin with no credential. It now fails closed: if your uid isn't
offered, the agent declines and polkit falls back to its password
prompt. Non-breaking in practice (install.shmakes the logged-in user
a polkit administrator, so your uid is offered for actions you can
perform). - The confirmation dialog is killed on cancel and bounded by a
timeout.CancelAuthenticationno longer orphans the dialog on
screen, and a wedged helper can't block every future auth by holding
the agent's serialization guard forever. - A
CancelAuthenticationracing session startup now aborts it
reliably, and a pre-approval left behind by a failed helper hand-off
is dropped so a later auth can't claim it.
Fixed — terminal path
- The "remember" checkbox is no longer offered for requests that can
never be remembered (sudo -v,su, shells and other ineligible
gateways). Previously the dialog showed the checkbox but the tick was
silently dropped — e.g. topgrade's leadingsudo -vcred-cache prompt
pretended to be rememberable. [policy] allowcan no longer be tricked into passwordlessly
granting a root shell. For a bare-elevation request (sudo -i/-s/
-v,su) the dialog shows the originating tool (e.g.topgrade),
but policy now matches on a separatepolicy_exethat is unset for
those requests — anallow = ["topgrade"]entry no longer matches the
root shell that tool spawns. Such requests always go to the dialog.sudo -R/--chroot <dir>is parsed correctly. The chroot
directory was previously mistaken for the elevated command, so the
dialog showed the wrong program and adenyentry could be evaded.- Remember grants are never keyed on the "no audit session"
sentinel. Two sessions that both lack a loginuid/sessionid could
otherwise collide on one grant; such requests are now never remembered.
Fixed — uninstaller
uninstall.shcan no longer delete a distro PAM stack. In the
state-file-less fallback, a shared PAM stack (polkit-1,sudo,
sudo-i,su) with no.pre-sentinel.bakbackup was removed
outright — which can lock you out of that service (e.g. no more sudo
auth). The fallback now restores the backup if present, else strips
only Sentinel'spam_sentinel.soline, and never deletes the file.
Added
remember_scope = "command" | "program"([general]or per
service): opt-in granularity for remember grants. The default
("command") keeps 0.12's full-command binding;"program"binds a
grant to the program token only, so multi-command tools (topgrade's
zypper refresh+zypper dist-upgrade) prompt once per window
instead of once per distinct command line. Shell/interpreter exclusions
and session binding are unchanged.
Changed
- cxx-qt stack bumped to 0.9. No source changes, but cxx-qt-build 0.9
no longer auto-discovers Qt: building the helper now requiresQMAKE
to point at the systemqmake6. CI,install.sh, and
scripts/release-local.shset/detect it automatically; for a manual
build useQMAKE=$(command -v qmake6) cargo build -p sentinel-helper-kde.
Upgrading
- Reinstall (or upgrade the package) to pick up the fixed
uninstaller and helper. No config migration;remember_scopeis
opt-in and defaults to the existing behavior.