PolicyKit and malware, was: What I HATE about F11

Matthias Clasen mclasen at redhat.com
Thu Jun 18 15:02:22 UTC 2009


On Thu, 2009-06-18 at 11:58 +0200, Nils Philippsen wrote:

> 
> As it is, malware need only sit in the background and wait for e.g. a
> PolicyKit-enabled user manager to acquire the authorization for user
> creation to be able to easily install a backdoor account.

Nils, this is somewhat inaccurate (or to put it more strongly, it is
misinformation...). 

First of all, unless the policy specifies _keep, you can only do things
once after getting the authorization. 

And even with _keep, it is not true that PolicyKit "automatically
authorizes all other applications running on the same desktop".

The retained authorization is only valid for the subject that obtained
it, which will typically be a process (identified by process id and
start time) or a canonical bus name. And your malware does not have
either.

Here is a little demo to show how this works:

The org.freedesktop.policykit.example.pkexec.run-frobnicate action has 
auth_self_keep in its policy.

Now if you try running pkexec pk-example-frobnicate in a terminal,
PolicyKit retains the authorization that you obtain by entering your
password, and the subject it associates it with is the parent process of
pkexec, i.e. the shell you are running this in. Repeating the pkexec call
in the same shell will not ask you for your password again. But if you
open a new terminal or tab and repeat it there, you will get asked
again.


Matthias
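
The subject binding described in the message above, as an added example that is not part of the original post and is not PolicyKit's own code: a toy Python model in which a kept authorization is keyed by the action plus a process subject (process id and start time). The store class, the helper names and all pid and start-time values are constructed for illustration; the start time is taken from field 22 of a /proc/<pid>/stat line.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessSubject:
    pid: int
    start_time: int  # field 22 of /proc/<pid>/stat (clock ticks since boot)

def parse_stat(line: str) -> ProcessSubject:
    """Build a subject from one /proc/<pid>/stat line.

    comm (field 2) is parenthesised and may contain spaces or ')', so cut at
    the LAST ')' instead of splitting the whole line on whitespace.
    """
    pid, _, rest = line.partition(" (")
    fields = rest[rest.rindex(")") + 1:].split()  # fields[0] is field 3 (state)
    return ProcessSubject(int(pid), int(fields[19]))

class RetainedAuthorizations:
    """Toy store: a kept authorization is keyed by (action, subject)."""
    def __init__(self):
        self._kept = set()

    def retain(self, action: str, subject: ProcessSubject) -> None:
        self._kept.add((action, subject))

    def is_authorized(self, action: str, subject: ProcessSubject) -> bool:
        return (action, subject) in self._kept

def sample_stat(pid: int, comm: str, start: int) -> str:
    """Constructed /proc/<pid>/stat line (fields 3-21 are filler values)."""
    return f"{pid} ({comm}) S 1 {pid} {pid} 34816 {pid} 0 0 0 0 0 0 0 0 0 20 0 1 0 {start} 0 0"

ACTION = "org.freedesktop.policykit.example.pkexec.run-frobnicate"

def demo() -> dict:
    store = RetainedAuthorizations()
    first_shell = parse_stat(sample_stat(4101, "bash", 88231))
    store.retain(ACTION, first_shell)  # password entered once in this shell
    return {
        "same shell": store.is_authorized(ACTION, first_shell),
        "new terminal": store.is_authorized(ACTION, parse_stat(sample_stat(4230, "bash", 91544))),
        "other process": store.is_authorized(ACTION, parse_stat(sample_stat(4300, "x) S 1 (y", 93000))),
        "pid 4101 reused": store.is_authorized(ACTION, parse_stat(sample_stat(4101, "bash", 120777))),
    }

if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who}: {'no prompt' if ok else 'must authenticate'}")
```

Only the lookup for the shell that obtained the authorization succeeds; a different pid, or the same pid with a different start time, is a different subject.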



