Security issue: xfce pol kit allow others to sneak through
ToddAndMargo
ToddAndMargo at zoho.com
Tue May 26 21:26:34 CEST 2020
Hi All,
Security issue
Xfce 4.14
Fedora 32, x64
There is a security issue wherein, if you are prompted
for a password from the xfce-polkit, the next things
that need the prompt go through automatically for
the next minute or so. So things can sneak through
if you are fast enough.
I originally reported this over at
xfce pol kit lets others sneak in
https://bugzilla.xfce.org/show_bug.cgi?id=15298
and Xfce had me move it to:
xfce pol kit lets others sneak in
https://github.com/ncopa/xfce-polkit/issues/5#issuecomment-633489654
Now ncopa has handed it back to me, having determined that
the issue must be my configuration:
"Looking at the polkit documentation, there seems to
be an auth_admin_keep option, which gives the behavior
you are describing.
Keep in mind that if polkit.Result.AUTH_SELF_KEEP
or polkit.Result.AUTH_ADMIN_KEEP is returned,
authorization checks for the same action identifier
and subject will succeed (that is, return
polkit.Result.YES) for the next brief period
(e.g. five minutes) even if the variables passed
along with the check are different."
Anyway, a search on
# find / -iname \*.policy\* -exec grep -l auth_admin_keep {} \;
produces millions of hits in
/usr/share/polkit-1/actions/
of this kind of stuff;
<allow_active>auth_admin_keep</allow_active>
So we have a security issue and I have no idea how to
proceed with it.
-T
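Added example, not part of the original post or of xfce-polkit: a Python script that does what the find/grep search above does, but parses each .policy file and reports which action ids have a default that caches the authorization (auth_admin_keep or auth_self_keep). The sample policy and its org.example.demo.* action ids are constructed; pass /usr/share/polkit-1/actions as the first argument to scan a real system.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

KEEP = {"auth_admin_keep", "auth_self_keep"}
DEFAULT_KEYS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample policy (hypothetical action ids), used when no directory is given.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.demo.mount">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.format">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>"""

def keep_actions(policy_xml):
    """Return [(action_id, key, value)] for every default that caches authorization."""
    hits = []
    for action in ET.fromstring(policy_xml).iter("action"):
        for key in DEFAULT_KEYS:
            value = (action.findtext(f"defaults/{key}") or "").strip()
            if value in KEEP:
                hits.append((action.get("id"), key, value))
    return hits

def scan_dir(directory):
    """Scan every *.policy file in a directory; files that are not valid XML are skipped."""
    hits = []
    for path in sorted(Path(directory).glob("*.policy")):
        try:
            hits.extend(keep_actions(path.read_bytes()))
        except ET.ParseError:
            print(f"skipped (not valid XML): {path}", file=sys.stderr)
    return hits

if __name__ == "__main__":
    found = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else keep_actions(SAMPLE_POLICY)
    for action_id, key, value in found:
        print(f"{action_id}\t{key}={value}")
```

Each line of output names one action whose prompt, once answered, is not repeated for the same action and subject during the retention period described in the quoted documentation.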