logind: allow access to SetIdleHint() to owner of the session

src/logind-session-dbus.c

@@ -302,6 +302,7 @@ static DBusHandlerResult session_message_dispatch(
 
         } else if (dbus_message_is_method_call(message, "org.freedesktop.login1.Session", "SetIdleHint")) {
                 dbus_bool_t b;
+                unsigned long ul;
 
                 if (!dbus_message_get_args(
                                     message,
@@ -310,6 +311,13 @@ static DBusHandlerResult session_message_dispatch(
                                     DBUS_TYPE_INVALID))
                         return bus_send_error_reply(connection, message, &error, -EINVAL);
 
+                ul = dbus_bus_get_unix_user(connection, dbus_message_get_sender(message), &error);
+                if (ul == (unsigned long) -1)
+                        return bus_send_error_reply(connection, message, &error, -EIO);
+
+                if (ul != 0 && ul != s->user->uid)
+                        return bus_send_error_reply(connection, message, NULL, -EPERM);
+
                 session_set_idle_hint(s, b);
 
                 reply = dbus_message_new_method_return(message);

src/logind.h

@@ -36,7 +36,6 @@
  *
  * spawn user systemd
  * direct client API
- * verify access to SetIdleHint
  *
  * udev:
  * drop redundant udev_device_get_is_initialized() use as soon as libudev is fixed

src/org.freedesktop.login1.conf

@@ -76,6 +76,10 @@
                        send_interface="org.freedesktop.login1.Session"
                        send_member="Activate"/>
 
+                <allow send_destination="org.freedesktop.login1"
+                       send_interface="org.freedesktop.login1.Session"
+                       send_member="SetIdleHint"/>
+
                 <allow receive_sender="org.freedesktop.login1"/>
         </policy>