Execute as Root GUI Admin Interfaces

David Zeuthen davidz at redhat.com
Thu Aug 10 21:27:23 UTC 2006


On Thu, 2006-08-10 at 16:48 -0400, Dan Williams wrote:
> > PolicyKit looks interesting based on the discussions Rahul included.
> > Correct me if I got it wrong, but would PolicyKit allow an
> > administrator to set people up so they can do certain things as
> > administrators (like mounting a disk) ?  

Yes.

> > It looked like the user gets
> > no challenge for authorization if they are set up to be able to do
> > that.  I actually think that is a problem.  I think that when someone
> > is executing with root privileges, they should be aware of it and
> > consider whether they meant to do that.  

First off, "executing with root privileges" may be the answer today, but
it's not really what we want a desktop app to do. We want an app to be
able to do very specific and confined tasks such as "mount a removable
disk", "format a fixed disk", "configure a modem", "set the timezone",
"upgrade OS with trusted packages", "install new trusted package",
"install new untrusted package", whatever.

If we can engineer our applications in such a way that it's this
fine-grained, the chances of them doing bad things when compromised are
slimmer than if they run with root privileges.

So, the whole idea of PolicyKit is to split privileged apps into two
parts - the UI shell (that runs unprivileged) and a privileged part that
allows the unprivileged bit to call very specific methods if the caller
has the right ''PolicyKit privilege''.

If the caller hasn't got the required privilege (for, say, changing the
timezone), he may be able to prompt for it, and this requires
authentication, either as the super user or as the regular user.

> > That is why I suggested a
> > [SUDO]consolehelper.  I am assuming that Rahul was referring to that
> > as being a bad model.   I agree that giving everyone this ability like
> > UBUNTU does it is a problem.  However, I do not agree that setting
> > policies for a user and not reminding him/her what their action
> > implies is any better.

I will state that consolehelper, and for that matter the scheme Ubuntu
and the rest of the distros are using, is just badly broken since it
makes an X11 application run as root. Yet, we still see new crap being
added to the distro that does this. Hopefully (I'm an optimist by
nature) that will change when we add PolicyKit to Fedora early in the
FC7 timeframe (I think it's already in SUSE btw), but I'm not holding my
breath so to speak - there's a lot of work left...

Also, see this presentation

 http://people.freedesktop.org/~david/talks/system-integration-and-gnome-guadec2006-davidz.pdf

for the bigger picture. See

 http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-spec.html?revision=1.7
 http://webcvs.freedesktop.org/hal/PolicyKit/doc/spec/polkit-arch.png?revision=1.1

for more details on PolicyKit.

    David
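The split David describes above, as an added illustration that is not part of the original post and not PolicyKit's own API or code: an unprivileged UI shell that only ever requests one narrowly scoped action, and a privileged service that holds the actual code paths, checks a per-action policy for the caller, and challenges for authentication (as the user or as the super user) before doing any work. The action ids, the policy values (yes / auth_self / auth_admin / no), the credentials and the in-process "authentication agent" are all constructed for the example; real PolicyKit runs the two halves in separate processes over D-Bus.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Policy(Enum):
    YES = "yes"                # allowed without a prompt
    AUTH_SELF = "auth_self"    # caller must re-authenticate as themselves
    AUTH_ADMIN = "auth_admin"  # caller must authenticate as the super user
    NO = "no"                  # never allowed through this interface


@dataclass(frozen=True)
class Caller:
    uid: int
    username: str


class NotAuthorized(Exception):
    pass


# Constructed policy: these action ids and their defaults are assumptions
# made for the example, not PolicyKit's real action names or defaults.
DEFAULT_POLICY = {
    "org.example.mount-removable-disk": Policy.YES,
    "org.example.set-timezone": Policy.AUTH_SELF,
    "org.example.format-fixed-disk": Policy.AUTH_ADMIN,
}


class PrivilegedService:
    """The root-side half: a few narrow methods, each gated by an action id."""

    def __init__(self, policy: Dict[str, Policy],
                 authenticate: Callable[[Caller, str, Policy], bool]):
        self.policy = policy
        self.authenticate = authenticate   # stands in for the auth agent
        self.log: List[str] = []           # privileged work actually done
        self._actions = {
            "org.example.set-timezone": self._set_timezone,
            "org.example.mount-removable-disk": self._mount_removable,
            "org.example.format-fixed-disk": self._format_fixed,
        }

    def call(self, caller: Caller, action: str, **args) -> str:
        if action not in self._actions:
            # There is simply no privileged code path for anything else.
            raise NotAuthorized(f"no such action: {action}")
        need = self.policy.get(action, Policy.NO)
        if need is Policy.NO:
            raise NotAuthorized(f"{action} is denied for uid {caller.uid}")
        if need is not Policy.YES and not self.authenticate(caller, action, need):
            # Challenge first; nothing privileged runs on a failed challenge.
            raise NotAuthorized(f"authentication failed for {action}")
        return self._actions[action](caller, **args)

    # Each method does one thing and validates its own arguments, because the
    # caller is untrusted even when it is authorized for the action.
    def _set_timezone(self, caller: Caller, zone: str) -> str:
        if zone.startswith("/") or ".." in zone or "/" not in zone:
            raise ValueError("timezone must be an Area/City name")
        self.log.append(f"timezone {zone}")
        return f"timezone set to {zone}"

    def _mount_removable(self, caller: Caller, device: str) -> str:
        if not device.startswith("/dev/"):
            raise ValueError("not a device node")
        self.log.append(f"mount {device}")
        return f"mounted {device}"

    def _format_fixed(self, caller: Caller, device: str) -> str:
        self.log.append(f"format {device}")
        return f"formatted {device}"


def make_agent(passwords: Dict[str, str], typed: Dict[str, str]):
    """Toy authentication agent: compares what the caller can type against
    the account the policy names (their own account, or root)."""
    def agent(caller: Caller, action: str, need: Policy) -> bool:
        account = caller.username if need is Policy.AUTH_SELF else "root"
        return typed.get(account) == passwords.get(account)
    return agent


def ui_request(service: PrivilegedService, caller: Caller,
               action: str, **args) -> str:
    """The unprivileged UI shell: it only ever asks for one specific action."""
    try:
        return service.call(caller, action, **args)
    except NotAuthorized as e:
        return f"refused: {e}"


def demo() -> List[str]:
    # Constructed credentials: alice knows her own password but not root's.
    passwords = {"alice": "hunter2", "root": "correct horse battery"}
    typed = {"alice": "hunter2"}
    service = PrivilegedService(DEFAULT_POLICY, make_agent(passwords, typed))
    alice = Caller(uid=1000, username="alice")
    return [
        ui_request(service, alice, "org.example.mount-removable-disk",
                   device="/dev/sdb1"),
        ui_request(service, alice, "org.example.set-timezone",
                   zone="Europe/Copenhagen"),
        ui_request(service, alice, "org.example.format-fixed-disk",
                   device="/dev/sda"),
        ui_request(service, alice, "org.example.run-shell", cmd="sh"),
        " ".join(service.log),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` shows the four outcomes the post contrasts with the consolehelper model: the mount goes through silently because policy grants it, the timezone change goes through after alice authenticates as herself, the disk format is refused because it needs the super user's password, and a request for anything outside the fixed set of methods is refused outright because the privileged half has no such code path. That last case is the point of the split: a compromised UI shell can only ask for the actions the service was written to perform.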





More information about the Fedora-desktop-list mailing list