PolicyKit and malware, was: What I HATE about F11

Nils Philippsen nils at redhat.com
Fri Jun 19 09:51:03 UTC 2009


On Thu, 2009-06-18 at 11:02 -0400, Matthias Clasen wrote:
> On Thu, 2009-06-18 at 11:58 +0200, Nils Philippsen wrote:
> 
> > 
> > As it is, malware need only sit in the background and wait for e.g. a
> > PolicyKit-enabled user manager to acquire the authorization for user
> > creation to be able to easily install a backdoor account.
> 
> Nils, this is somewhat inaccurate (or to put it more strongly, it is
> misinformation...). 

I'm glad that you say that (and for your explanation below) -- I read
the documentation for the new polkit version but didn't find that
information. I have some questions below where I'd appreciate a bit of
clarification though. 

> First of all, unless the policy specifies _keep, you can only do things
> once after getting the authorization. 

With the hypothetical user manager app, would this mean I'd have to
authenticate once in the program so that I could add a number of users
and re-authenticate if I ran the program for a second time, or would
this be only valid for one user added?

> And even with _keep, it is not true that PolicyKit "automatically
> authorizes all other applications running on the same desktop".
> 
> The retained authorization is only valid for the subject that obtained
> it, which will typically be a process (identified by process id and
> start time) or a canonical bus name. And your malware does not have
> either.

So authorizations wouldn't carry over if I ran an app for the second
time if I specify _keep?

> Here is a little demo to show how this works:
> 
> The org.freedesktop.policykit.example.pkexec.run-frobnicate action has 
> auth_self_keep in its policy.
> 
> Now if you try running pkexec pk-example-frobnicate in a terminal,
> PolicyKit retains the authorization that you obtain by entering your
> password, and the subject it associates it with is the parent process of
> pkexec, i.e. the shell you are running this in. Repeating the pkexec call
> in the same shell will not ask you for your password again. But if you
> open a new terminal or tab and repeat it there, you will get asked
> again.

So for my example above, an authorization isn't "attached to" the user
manager app process, but its parent (the panel)?

Thanks,
Nils
-- 
Nils Philippsen      "Those who would give up Essential Liberty to purchase 
Red Hat               a little Temporary Safety, deserve neither Liberty
nils at redhat.com       nor Safety."  --  Benjamin Franklin, 1759
PGP fingerprint:      C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
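
Added example, not part of the original mail and not polkit's own code: a toy model of the subject matching described in the quoted reply, where a retained authorization is keyed on (process id, start time). The class and function names, the sample /proc/<pid>/stat lines and the org.example.one-shot action are constructed for illustration, and taking the start time from field 22 of /proc/<pid>/stat is an assumption about Linux.

```python
from dataclasses import dataclass, field

def start_time_from_stat(stat_line: str) -> int:
    """Field 22 (starttime, clock ticks since boot) of a /proc/<pid>/stat line."""
    # comm (field 2) is parenthesised and may contain spaces or ')', so cut
    # after the LAST ')' instead of splitting the whole line on whitespace.
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    return int(rest[19])  # rest[0] is field 3 (state), so field 22 is rest[19]

@dataclass(frozen=True)
class Subject:
    pid: int
    start_time: int
    @classmethod
    def from_stat(cls, stat_line: str) -> "Subject":
        return cls(int(stat_line.split()[0]), start_time_from_stat(stat_line))

@dataclass
class ToyAuthority:
    keep: dict  # action id -> True if its policy is a "_keep" variant
    retained: set = field(default_factory=set)

    def needs_password(self, subject: Subject, action: str) -> bool:
        """True if the caller would be prompted, False if a retained grant matches."""
        if (subject, action) in self.retained:
            return False
        if self.keep[action]:  # retain for this exact subject only; expiry not modelled
            self.retained.add((subject, action))
        return True

def sample_stat(pid: int, comm: str, start: int) -> str:
    """Constructed sample /proc/<pid>/stat line; fields other than 1, 2, 22 are zeroed."""
    return f"{pid} ({comm}) S " + " ".join(["0"] * 18) + f" {start} 0 0"

FROB = "org.freedesktop.policykit.example.pkexec.run-frobnicate"  # from the mail
ONCE = "org.example.one-shot"  # hypothetical action whose policy has no _keep

def demo() -> dict:
    auth = ToyAuthority(keep={FROB: True, ONCE: False})
    shell = Subject.from_stat(sample_stat(4242, "bash", 881234))
    other_tab = Subject.from_stat(sample_stat(4310, "bash", 902771))
    recycled = Subject.from_stat(sample_stat(4242, "not bash) S", 990001))  # same pid, later start
    return {
        "first call in shell": auth.needs_password(shell, FROB),
        "repeat in same shell": auth.needs_password(shell, FROB),
        "new terminal tab": auth.needs_password(other_tab, FROB),
        "recycled pid": auth.needs_password(recycled, FROB),
        "no _keep, repeat": (auth.needs_password(shell, ONCE), auth.needs_password(shell, ONCE)),
    }
```

Only the repeat call from the same subject skips the prompt; a different pid, or the same pid with a different start time, is a different subject and does not inherit the retained authorization.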



