Dear Maintainer,

The org.freedesktop.accounts.change-own-user-data polkit action is
configured with allow_any=yes in the upstream policy file, permitting
unauthenticated user data modification (SetRealName, SetEmail,
SetIconFile) from any session context including remote/SSH sessions.

Reproduction:

    busctl call org.freedesktop.Accounts \
        /org/freedesktop/Accounts/User1000 \
        org.freedesktop.Accounts.User SetRealName s "MODIFIED"

This succeeds without any authentication prompt on an SSH session.

This was intentionally set to yes in Ubuntu (LP: #1512002) for LTSP
remote session UX, but poses an unnecessary risk on systems where
authenticated sessions are expected.

Suggested fix:

    allow_any=yes -> allow_any=auth_self_keep

This would still allow active local session users to change their own
data without a prompt, while requiring authentication from remote or
inactive sessions.
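
Added example, not part of the original report and not accountsservice or polkit code: a small audit that parses polkit .policy XML, lists the actions whose allow_any is "yes", and re-checks after the suggested value is applied. The function names and the embedded sample policy are constructed for illustration; only the action id, allow_any=yes and auth_self_keep come from the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit's .policy XML layout. Only the first action id and
# its allow_any=yes come from the report; every other value is made up here.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.accounts.change-own-user-data">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_self_keep</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.constructed.admin-action">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""


def allow_any_values(policy_xml):
    """Map each action id to its <allow_any> text (None when the element is absent)."""
    values = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        text = action.findtext("defaults/allow_any")
        values[action.get("id")] = text.strip() if text is not None else None
    return values


def promptless_for_any_client(policy_xml):
    """Action ids with allow_any=yes, i.e. no prompt for any client, remote included."""
    return sorted(a for a, v in allow_any_values(policy_xml).items() if v == "yes")


def with_allow_any(policy_xml, action_id, value):
    """Return the policy XML with <allow_any> of one action set to `value`."""
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        element = action.find("defaults/allow_any")
        if action.get("id") == action_id and element is not None:
            element.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    target = "org.freedesktop.accounts.change-own-user-data"
    print("before:", promptless_for_any_client(SAMPLE_POLICY))
    fixed = with_allow_any(SAMPLE_POLICY, target, "auth_self_keep")
    print("after: ", promptless_for_any_client(fixed))
```

To audit an installed system, pass the contents of the relevant .policy file to promptless_for_any_client() instead of the sample.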