On Sun, Apr 13, 2025, at 9:19 AM, SET wrote:
> Hello,
>
> If a user password is changed in systemsettings, root authorisation is
> requested willfully, with a UI text confirming that it's mandatory even if
> it's the user password being updated.

This is a result of the polkit policy which says that users should not be
allowed to change their own passwords:

/usr/share/polkit-1/actions/org.freedesktop.accounts.policy

> No such request is made when doing that in a terminal and that's well within
> reach of any Arch user.

That's because passwd doesn't check whether your user has polkit
permissions. GUI tools are generally expected to, because more granular
permissions are a barrier to escalating privileges in the event of an
exploitable bug. Also, these tools can be accessible in cases that the
terminal is not - e.g. in locked-down kiosks.

> It has been discussed at:
>
> https://discuss.kde.org/t/change-user-password-in-settings-root-authorisation-requested/32524

A lot of /r/confidentlyincorrect material in that thread.

It doesn't appear to be distribution specific. I checked the Ubuntu and
Debian accountsservice packages, and both set the same polkit policy as
Arch, and probably both will show the same behavior.

It has nothing to do with sudo, unless you have passwordless sudo turned on.

Given that the KDE bug is confirmed, there seems to be agreement that this
behavior is undesirable, but nobody knows the right way to fix it yet.

https://bugs.kde.org/show_bug.cgi?id=378984

One of the KDE developers seems to have tried to get it fixed in polkit:

https://bugs.freedesktop.org/show_bug.cgi?id=97518

But polkit declined to take the patch since *as submitted* it would allow
the user to bypass admin-set password sanity rules (e.g. must have a
certain level of complexity). It looked like they would accept a follow-up
patch to enforce these rules, but nobody submitted one.

You can change the policy yourself with a polkit rule:

polkit.addRule(function(action, subject) {
    // Only the "change own password" action of accountsservice is affected.
    if (action.id == "org.freedesktop.accounts.change-own-password") {
        // AUTH_SELF: prompt for the user's own password instead of an admin's.
        return polkit.Result.AUTH_SELF;
    }
    // Any other action falls through to the default policy.
});

I tested this and can confirm it works in KDE + Arch.

> Thanks and regards.

Cheers,
Liliane
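A stricter variant of the rule from the message above, added here as an example (not from the thread or from polkit itself): it grants AUTH_SELF only from a local, active session and keeps the distribution's admin-authentication default otherwise, and it carries a small shim so the rule function can be exercised under Node before being installed. The shim, the `ownPasswordRule` name and the log text are assumptions; the `polkit`, `action` and `subject` properties used are the documented polkit(8) rule API.

```javascript
// Shim used only when the file is run outside polkitd (e.g. under Node for a
// quick check). Inside polkitd the real `polkit` object exists and this is skipped.
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { AUTH_SELF: "auth_self", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    addRule: function (fn) { this.rules = (this.rules || []).concat([fn]); },
    log: function () {}
  };
}

// Rule body kept to ES5 syntax so it also loads on polkit builds using duktape.
function ownPasswordRule(action, subject) {
  if (action.id !== "org.freedesktop.accounts.change-own-password") {
    // Leave every other accountsservice/polkit action to the default policy.
    return polkit.Result.NOT_HANDLED;
  }
  if (subject.local && subject.active) {
    // Same relaxation as the rule in the message: prompt for the user's own password.
    return polkit.Result.AUTH_SELF;
  }
  // Remote or inactive sessions keep the admin prompt; log so it shows in the journal.
  polkit.log("change-own-password from non-local/inactive session of " + subject.user);
  return polkit.Result.AUTH_ADMIN;
}

polkit.addRule(ownPasswordRule);

// Constructed requests for an offline check; polkitd passes real objects.
function demo() {
  var act = { id: "org.freedesktop.accounts.change-own-password" };
  return {
    localActive: ownPasswordRule(act, { user: "alice", local: true, active: true }),
    remote:      ownPasswordRule(act, { user: "alice", local: false, active: true }),
    otherAction: ownPasswordRule({ id: "org.freedesktop.accounts.user-administration" },
                                 { user: "alice", local: true, active: true })
  };
}
```

Installed as a .rules file under /etc/polkit-1/rules.d/ (assumed path), it replaces the one-line rule from the message; the offline shim never runs there.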