From 5597f6eb3674c084ae5a089194d84c8604696a1f Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Fri, 13 May 2016 09:03:29 -0400
Subject: GPO: Add "polkit-1" to ad_gpo_map_allow
Polkit is an authorization mechanism of its own (similar to sudo). SSSD doesn't need to apply additional authorization decisions atop it, so we'll just accept it as "allow".
Resolves: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
Reviewed-by: Jakub Hrozek
---
 src/man/sssd-ad.5.xml | 5 +++++
 src/providers/ad/ad_gpo.c | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 265409e58..ef27976dd 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -640,6 +640,11 @@ ad_gpo_map_permit = +my_pam_service, -sudo Default: the default set of PAM service names includes: + + + polkit-1 + + sudo
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index c22d32c5e..208770297 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -194,6 +194,7 @@ int ad_gpo_process_cse_recv(struct tevent_req *req);
 #define GPO_FTP "ftp"
 #define GPO_SAMBA "samba"
 #define GPO_CROND "crond"
+#define GPO_POLKIT "polkit-1"
 #define GPO_SUDO "sudo"
 #define GPO_SUDO_I "sudo-i"
 #define GPO_SYSTEMD_USER "systemd-user"
@@ -216,7 +217,8 @@ const char *gpo_map_remote_interactive_defaults[] = {GPO_SSHD, GPO_COCKPIT,
 const char *gpo_map_network_defaults[] = {GPO_FTP, GPO_SAMBA, NULL};
 const char *gpo_map_batch_defaults[] = {GPO_CROND, NULL};
 const char *gpo_map_service_defaults[] = {NULL};
-const char *gpo_map_permit_defaults[] = {GPO_SUDO, GPO_SUDO_I,
+const char *gpo_map_permit_defaults[] = {GPO_POLKIT,
+ GPO_SUDO, GPO_SUDO_I,
 GPO_SYSTEMD_USER, NULL};
 const char *gpo_map_deny_defaults[] = {NULL};
-- cgit
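Review bot: The new `GPO_POLKIT` entry in `gpo_map_permit_defaults` (second hunk of ad_gpo.c) makes the `polkit-1` PAM service an unconditional "allow" by default, and the reasoning for that exemption is recorded only in the commit message. I would add a comment above the array, for example `/* Services that make their own authorization decision (polkit, sudo); SSSD accepts them as "allow". Keep in sync with sssd-ad(5). */`, so that the next addition to this list is weighed against the same criterion. The entry is keyed on the PAM service name alone, so presumably any PAM stack installed under that name receives the same permit; the man page section in this patch could say that sites wanting GPO rules applied there can set `ad_gpo_map_permit = -polkit-1`, following the `-sudo` syntax it already shows. The commit title also says `ad_gpo_map_allow` while the option and array are named `ad_gpo_map_permit`, which makes the change harder to find by search.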