Hi,
Setting aside the question of how anaconda, gnome-initial-setup, and
the liveuser sessions would work, I have a question about the complaint
regarding accountsservice.
On Mon, Nov 25, 2019 at 4:25 pm, Ben Cotton <bcotton(a)redhat.com> wrote:
* '''AccountService''' - D-Bus methods
''SetPassword'' and
''SetPasswordMode'' on ''org.freedesktop.Accounts.User''
interface can
remove user’s password and lock the user out of the system if empty
password is disallowed. These calls must be denied in this case.
OK, makes sense. But:
Additionally, these methods can be run by normal users as opposed to
''passwd -d'' and ''chage -d 0'' which can be run only by
root.
Therefore only root should be able to call these methods.
So... then users can't change their own passwords?
We don't enable root account in Workstation anyway, it would become
impossible to ever change any password via accountsservice.
Let's assume you meant "only admin users should be able to call these
methods" instead of "only root". Even then, I still don't understand
the problem. I just tested using D-Feet to manually change my password
using org.freedesktop.Accounts SetPassword, and it required that I
authenticate via polkit. polkit is good; let it do its thing. It's
checking the org.freedesktop.accounts.change-own-password action, which
requires auth_admin authentication. So what is the problem here?
Michael