Created attachment 138527
STEPS TO REPRODUCE
1. Go to System Settings > Users;
2. Change the picture.
Changing the user picture should not require admin rights.
Jan, is this something that AccountService can do for us?
This is PolKit's job; distros should probably ship polkit rules permitting the "org.freedesktop.accounts.change-own-user-data" action to be performed without a password.
If they did, would this bug be automatically fixed, or would we need to make any code changes to support it?
Indeed it would. Please bug your distro about this. I have done so for Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1988509
*** Bug 430508 has been marked as a duplicate of this bug. ***
Reported for OpenSUSE here: https://bugzilla.opensuse.org/show_bug.cgi?id=1188948
SUSE security auditors have found that it is not accurate that we only require org.freedesktop.accounts.change-own-user-data; apparently it is org.freedesktop.accounts.user-administration, which does require a password upstream. See https://bugzilla.suse.com/show_bug.cgi?id=1188948
Perhaps the bug is that we should only be requiring org.freedesktop.accounts.change-own-user-data when changing your own data.
So I think this is actually even more complicated than what we originally thought.
AccountsService actually does use org.freedesktop.accounts.change-own-user-data to change the face icon and logically should work.
What's making this appear to happen is that we're writing every field from the UI to the DBus interface every time we apply changes, and blocking on getting authorization to do so. See https://invent.kde.org/plasma/plasma-workspace/-/blob/master/kcms/users/src/user.cpp#L280 for details.
So basically changing the icon doesn't require an admin password, but changing the account type does, and we don't even try to write the face icon until we can successfully write the account type by getting admin authorization.
So probably the real answer here is to track whether or not a field in the KCM UI actually changed before trying to write it to the DBus interface. Then we can only commit the actual changes to the transaction, and therefore only get auth_admin when we actually need it.
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/1248
Git commit 0cf0de17bde4f08899a90ac891317b30bc171eb7 by Janet Blackquill, on behalf of Jan Blackquill.
Committed on 24/07/2022 at 03:27.
Pushed by ngraham into branch 'master'.
kcms/users: only set changed values via dbus api
Setting unchanged values may falsely trigger an authentication
prompt in the case that the changed value doesn't need authentication
to change, but the unchanged ones do, leading to an authentication prompt
to show up.
Adding a little bit of original vs new comparison lets us only send over
DBus what got changed.
M +43 -14 kcms/users/src/user.cpp
M +21 -7 kcms/users/src/user.h
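The approach described in the comments and commit message above (compare the edited values with the ones originally loaded and send only the differences), as an added example that is not the plasma-workspace code. `MockBackend`, `Fields` and the function names are hypothetical; the action each setter needs follows the description in this thread.

```cpp
#include <iostream>
#include <set>
#include <string>

// Polkit action ids quoted in this thread.
const std::string OWN_DATA = "org.freedesktop.accounts.change-own-user-data";
const std::string ADMIN = "org.freedesktop.accounts.user-administration";

// Hypothetical stand-in for the AccountsService user object: it only records
// which polkit action each setter would need. The real decision stays in the daemon.
struct MockBackend {
    std::set<std::string> actions;
    void setIconFile(const std::string &) { actions.insert(OWN_DATA); }
    void setAccountType(bool) { actions.insert(ADMIN); }
    bool needsAdminAuth() const { return actions.count(ADMIN) > 0; }
};

struct Fields {
    std::string face;
    bool administrator;
};

// Behaviour described in the thread: every UI field is written on apply.
void applyAll(const Fields &edited, MockBackend &b) {
    b.setAccountType(edited.administrator);
    b.setIconFile(edited.face);
}

// Change tracking: compare against the loaded snapshot, write only differences.
void applyChanged(const Fields &original, const Fields &edited, MockBackend &b) {
    if (edited.administrator != original.administrator) b.setAccountType(edited.administrator);
    if (edited.face != original.face) b.setIconFile(edited.face);
}

// Constructed scenario: a standard user changes only the picture.
bool faceChangeNeedsAdmin(bool trackChanges) {
    const Fields original{"/constructed/old.png", false};
    const Fields edited{"/constructed/new.png", false};
    MockBackend b;
    if (trackChanges) applyChanged(original, edited, b); else applyAll(edited, b);
    return b.needsAdminAuth();
}

// Constructed scenario: the account type really changes, so admin auth is still requested.
bool typeChangeNeedsAdmin() {
    MockBackend b;
    applyChanged({"/constructed/old.png", false}, {"/constructed/old.png", true}, b);
    return b.needsAdminAuth();
}

int main() {
    std::cout << faceChangeNeedsAdmin(false) << faceChangeNeedsAdmin(true) << typeChangeNeedsAdmin() << "\n";
}
```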