diff --git a/man/org.freedesktop.login1.xml b/man/org.freedesktop.login1.xml
index dffd16e325639..20936a693611e 100644
--- a/man/org.freedesktop.login1.xml
+++ b/man/org.freedesktop.login1.xml
@@ -104,7 +104,6 @@ node /org/freedesktop/login1 {
                              out s seat_id,
                              out u vtnr,
                              out b existing);
-      @org.freedesktop.systemd1.Privileged("true")
       ReleaseSession(in  s session_id);
       ActivateSession(in  s session_id);
       ActivateSessionOnSeat(in  s session_id,
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 70fc9aeebf3a5..5fdf28ced07a4 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1172,7 +1172,7 @@ static int method_create_session_pidfd(sd_bus_message *message, void *userdata,
 
 static int method_release_session(sd_bus_message *message, void *userdata, sd_bus_error *error) {
         Manager *m = ASSERT_PTR(userdata);
-        Session *session;
+        Session *session, *sender_session;
         const char *name;
         int r;
 
@@ -1186,6 +1186,13 @@ static int method_release_session(sd_bus_message *message, void *userdata, sd_bu
         if (r < 0)
                 return r;
 
+        r = get_sender_session(m, message, /* consult_display= */ false, error, &sender_session);
+        if (r < 0)
+                return r;
+
+        if (session != sender_session)
+                return sd_bus_error_set(error, BUS_ERROR_NOT_IN_CONTROL, "You are not in control of this session");
+
         r = session_release(session);
         if (r < 0)
                 return r;
@@ -3767,7 +3774,7 @@ static const sd_bus_vtable manager_vtable[] = {
                                 SD_BUS_ARGS("s", session_id),
                                 SD_BUS_NO_RESULT,
                                 method_release_session,
-                                0),
+                                SD_BUS_VTABLE_UNPRIVILEGED),
         SD_BUS_METHOD_WITH_ARGS("ActivateSession",
                                 SD_BUS_ARGS("s", session_id),
                                 SD_BUS_NO_RESULT,
diff --git a/src/login/org.freedesktop.login1.conf b/src/login/org.freedesktop.login1.conf
index 9b59e9ce556c8..dff944f172d8b 100644
--- a/src/login/org.freedesktop.login1.conf
+++ b/src/login/org.freedesktop.login1.conf
@@ -274,6 +274,10 @@
                        send_interface="org.freedesktop.login1.Manager"
                        send_member="FlushDevices"/>
 
+                <allow send_destination="org.freedesktop.login1"
+                       send_interface="org.freedesktop.login1.Manager"
+                       send_member="ReleaseSession"/>
+
                 <allow send_destination="org.freedesktop.login1"
                        send_interface="org.freedesktop.login1.Seat"
                        send_member="Terminate"/>
@@ -354,14 +358,6 @@
                        send_interface="org.freedesktop.login1.Session"
                        send_member="SetBrightness"/>
 
-                <allow send_destination="org.freedesktop.login1"
-                       send_interface="org.freedesktop.login1.User"
-                       send_member="Terminate"/>
-
-                <allow send_destination="org.freedesktop.login1"
-                       send_interface="org.freedesktop.login1.User"
-                       send_member="Kill"/>
-
                 <allow send_destination="org.freedesktop.login1"
                        send_interface="org.freedesktop.login1.Session"
                        send_member="SetDisplay"/>
@@ -370,6 +366,14 @@
                        send_interface="org.freedesktop.login1.Session"
                        send_member="SetTTY"/>
 
+                <allow send_destination="org.freedesktop.login1"
+                       send_interface="org.freedesktop.login1.User"
+                       send_member="Terminate"/>
+
+                <allow send_destination="org.freedesktop.login1"
+                       send_interface="org.freedesktop.login1.User"
+                       send_member="Kill"/>
+
                 <allow receive_sender="org.freedesktop.login1"/>
         </policy>