machine: restrict register-machine action again (#38835)

Follow-up for adaff8eb35
2025-09-10 22:52:49 +02:00 · 2025-09-06 11:04:49 +01:00
parent 9709deba91 2b3c02380c
commit 55aa41a430
2 changed files with 2 additions and 4 deletions
--- a/4
+++ b/4
@@ -934,9 +934,7 @@ CHANGES WITH 258 in spe:
        * A new "org.freedesktop.machine1.register-machine" polkit action is
          used when checking for privileges to register a machine. Previously,
          "org.freedesktop.machine1.create-machine" was used for creation and
-          registration operations. The policy for the new action is more
-          permissive: active users are allowed to perform the action without
-          authentication.
+          registration operations.

        * systemd-machined now also tracks the "supervisor" process of a
          machine, i.e. the host process that manages the payload. This
--- a/src/machine/org.freedesktop.machine1.policy
+++ b/src/machine/org.freedesktop.machine1.policy
@@ -108,7 +108,7 @@
                <defaults>
                        <allow_any>auth_admin</allow_any>
                        <allow_inactive>auth_admin</allow_inactive>
-                        <allow_active>yes</allow_active>
+                        <allow_active>auth_admin_keep</allow_active>
                </defaults>
        </action>