Change user password in KDE settings: root authorisation requested
Hello, If a user password is changed in systemsettings, root authorisation is requested willfully, with a UI text confirming that it’s mandatory even if it’s the user password being updated. No such request is made when doing that in a terminal and that's well within reach of any Arch user. It has been discussed at: https://discuss.kde.org/t/change-user-password-in-settings-root-authorisatio... It seems that it might be distribution related. I am not asking for any change in Arch itself, and would like to read opinions of Arch maintainers about that. Thanks and regards.
On Sun, Apr 13, 2025, at 9:19 AM, SET wrote:
Hello,
If a user password is changed in systemsettings, root authorisation is requested willfully, with a UI text confirming that it’s mandatory even if it’s the user password being updated.
This is a result of the polkit policy which says that users should not be allowed to change their own passwords: /usr/share/polkit-1/actions/org.freedesktop.accounts.policy
No such request is made when doing that in a terminal and that's well within reach of any Arch user.
That's because passwd doesn't check whether your user has polkit permissions. GUI tools are generally expected to, because more granular permissions are a barrier to escalating privileges in the event of an exploitable bug. Also, these tools can be accessible in cases that the terminal is not - e.g. in locked down kiosks.
It has been discussed at:
https://discuss.kde.org/t/change-user-password-in-settings-root-authorisatio...
A lot of /r/confidentlyincorrect material in that thread. It doesn't appear to be distribution specific. I checked the Ubuntu and Debian accountsservice packages, and both set the same polkit policy as Arch, and probably both will show the same behavior. It has nothing to do with sudo, unless you have passwordless sudo turned on. Given that the KDE bug is confirmed, there seems to be agreement that this behavior is undesirable, but nobody knows the right way to fix it yet. https://bugs.kde.org/show_bug.cgi?id=378984 One of the KDE developers seems to have tried to get it fixed in polkit: https://bugs.freedesktop.org/show_bug.cgi?id=97518 But polkit declined to take the patch since *as submitted* it would allow the user to bypass admin-set password sanity rules (e.g. must have a certain level of complexity). It looked like they would accept a followup patch to enforce these rules, but nobody submitted one. You can change the policy yourself with a polkit rule: polkit.addRule(function(action, subject) { if ((action.id == "org.freedesktop.accounts.change-own-password")) { return polkit.Result.AUTH_SELF; } }); I tested this and can confirm it works in KDE + Arch.
Thanks and regards.
Cheers, Liliane
Thank you Liliane for the in-depth explanation and for the rule. I had to use polkit.Result.YES however for a successful password change. Regards
On Thu, Apr 17, 2025, at 11:23 AM, SET wrote:
Thank you Liliane for the in-depth explanation and for the rule. I had to use polkit.Result.YES however for a successful password change.
The result I used will still request a password for confirmation. However, that password should be the *user's* password, and not the root password, after you add this rule. At least, that's the behavior I see here.
Regards
Best
Le jeudi 17 avril 2025 18:10:58 heure d’été d’Europe centrale Liliane Fontenot a écrit :
that password should be the *user's* password, and not the root password,
You are right, the current user password is asked in the confirmation dialog with a correct message when using AUTH_SELF. Thanks again.
participants (2)
-
Liliane Fontenot
-
SET