Package: accountsservice
Version: 23.13.9-7
Severity: normal
Tags: upstream patch
Dear Maintainer,
The org.freedesktop.accounts.change-own-user-data polkit action is
configured with allow_any=yes in the upstream policy file, permitting
unauthenticated user data modification (SetRealName, SetEmail,
SetIconFile) from any session context including remote/SSH sessions.
Reproduction:
busctl call org.freedesktop.Accounts \
/org/freedesktop/Accounts/User1000 \
org.freedesktop.Accounts.User SetRealName s "MODIFIED"
This succeeds without any authentication prompt on an SSH session.
This was intentionally set to yes in Ubuntu (LP: #1512002) for LTSP
remote session UX, but poses an unnecessary risk on systems where
authenticated sessions are expected.
Suggested fix:
allow_any=yes -> allow_any=auth_self_keep
This would still allow active local session users to change their own
data without a prompt, while requiring authentication from remote or
inactive sessions.
-- System Information:
Debian Release: 13.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.94+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=tr_TR.UTF-8, LC_CTYPE=tr_TR.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages accountsservice depends on:
ii dbus [default-dbus-system-bus] 1.16.2-2
ii libaccountsservice0 23.13.9-7
ii libc6 2.41-12+deb13u3
ii libglib2.0-0t64 2.84.4-3~deb13u3
ii libpolkit-gobject-1-0 126-2
Versions of packages accountsservice recommends:
ii libpam-systemd [logind] 257.13-1~deb13u1
ii polkitd 126-2
Versions of packages accountsservice suggests:
pn gnome-control-center <none>
-- no debconf information