Package: accountsservice
Version: 23.13.9-7
Severity: normal
Tags: upstream patch

Dear Maintainer,

The org.freedesktop.accounts.change-own-user-data polkit action is
configured with allow_any=yes in the upstream policy file, permitting
unauthenticated user data modification (SetRealName, SetEmail,
SetIconFile) from any session context including remote/SSH sessions.

Reproduction:
  busctl call org.freedesktop.Accounts \
    /org/freedesktop/Accounts/User1000 \
    org.freedesktop.Accounts.User SetRealName s "MODIFIED"

This succeeds without any authentication prompt on an SSH session.

This was intentionally set to yes in Ubuntu (LP: #1512002) for LTSP
remote session UX, but poses an unnecessary risk on systems where
authenticated sessions are expected.

Suggested fix:
  allow_any=yes  ->  allow_any=auth_self_keep

This would still allow active local session users to change their own
data without a prompt, while requiring authentication from remote or
inactive sessions.

-- System Information:
Debian Release: 13.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.94+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=tr_TR.UTF-8, LC_CTYPE=tr_TR.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages accountsservice depends on:
ii  dbus [default-dbus-system-bus]  1.16.2-2
ii  libaccountsservice0             23.13.9-7
ii  libc6                           2.41-12+deb13u3
ii  libglib2.0-0t64                 2.84.4-3~deb13u3
ii  libpolkit-gobject-1-0           126-2

Versions of packages accountsservice recommends:
ii  libpam-systemd [logind]  257.13-1~deb13u1
ii  polkitd                  126-2

Versions of packages accountsservice suggests:
pn  gnome-control-center  <none>

-- no debconf information

Reply via email to