@crpb crpb commented Dec 24, 2022

As I was fiddling around with polkit I took a peek into my test system and saw this rule.
Maybe it would be a good idea to make the proposed or similar changes?

I just thought if someday some vulnerability opens up it wouldn't be such a big target with only allowing stuff like "stopping postfix" instead of complete shutdown or even worse?


My local notes, not worth the commit: `head -n4 pkit-10-gromox.rules`
```
// Use a constant List of unit-names instead of allowing just *everything* on the System.
// The Array can be created with the following command:
// systemctl list-units --output json-pretty |jq -s  '[ .[]|sort_by(.unit)[]|select(.unit | test("^grom*|redis@|postfix|nginx|php"))|.unit ]'
// Just for show - Pipe "|" the result to the following command: jq '.[]|test("^grom")'
```

These rules could even be way more granular. It's a bit of work but this shouldn't happen that often.
... oo00 ( There are more typos to fix than maintaining these policies 🤣 ..)

PS: the `sudo` calls for postfix reload/restart could also be removed if I'm not mistaken?!
@juliaschroeder
Member

Thanks for your contribution.

When testing I noticed that the new policy would not allow enabling and disabling of services as the `org.freedesktop.systemd1.manage-unit-files` action did not have a `unit` property.

There are no `sudo` calls for postfix reload/restart that I am (or rather `grep` is) aware of (there are `sudo postconf` and `sudo postsuper` commands but neither rely on systemd).

I am planning to merge these changes by end of the week.
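
Added example, not code from this pull request or from the gromox project: a sketch of a polkit rule that allowlists units and verbs for `org.freedesktop.systemd1.manage-units` and treats `org.freedesktop.systemd1.manage-unit-files` separately, because that action carries no `unit` detail to filter on. The unit names, the verb list, the group `example-admin` and the `fakeAction`/`fakeSubject` helpers are constructed assumptions.

```javascript
// Added example, not the rule merged in this PR. Unit names and the group
// "example-admin" are constructed placeholders.
var ALLOWED_UNITS = ["gromox-http.service", "postfix.service", "nginx.service"];
var ALLOWED_VERBS = ["start", "stop", "restart", "reload"];
var ADMIN_GROUP = "example-admin";

// polkit.Result exists only inside polkitd; fall back to the same strings
// so the decision function can also be exercised under plain Node.
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NOT_HANDLED: "not_handled" };

function decide(action, subject) {
    if (!subject.isInGroup(ADMIN_GROUP)) {
        return Result.NOT_HANDLED;
    }
    if (action.id === "org.freedesktop.systemd1.manage-units") {
        // systemd attaches "unit" and "verb" details to this action.
        var unit = action.lookup("unit");
        var verb = action.lookup("verb");
        if (ALLOWED_UNITS.indexOf(unit) !== -1 &&
            ALLOWED_VERBS.indexOf(verb) !== -1) {
            return Result.YES;
        }
        return Result.NOT_HANDLED;
    }
    if (action.id === "org.freedesktop.systemd1.manage-unit-files") {
        // No "unit" detail here, so enable/disable cannot be filtered per
        // unit: this branch is all-or-nothing for the group.
        return Result.YES;
    }
    return Result.NOT_HANDLED;
}

if (typeof polkit !== "undefined") {
    polkit.addRule(decide);
}

// Constructed stand-ins for the objects polkitd passes to a rule.
function fakeAction(id, details) {
    return { id: id, lookup: function (k) { return (details || {})[k]; } };
}
function fakeSubject(groups) {
    return { isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
}
```

Returning `NOT_HANDLED` for everything outside the allowlist leaves the decision to later rules and the action's default policy.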

crpb commented Jan 5, 2023

Hey,

> org.freedesktop.systemd1.manage-unit-files action did not have a unit property

Oh, it was late and it was the last thing I did before the holidays but still wanted to get that out of my "system" :-). I'm still a newbie on that whole topic.

> There are no sudo calls for postfix reload/restart

Yeah, mixed them up as I didn't double-check.

Thank you for the info so far.
~crpb

@crpb crpb deleted the patch-1 branch January 8, 2023 05:03