Local users get to play root?

Dan Williams dcbw at redhat.com
Wed Nov 18 19:42:21 UTC 2009
On Wed, 2009-11-18 at 13:31 -0600, Chris Adams wrote:
> Once upon a time, Colin Walters <walters at verbum.org> said:
> > On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams <cmadams at hiwaay.net> wrote:
> > > It seems the latest way of doing this is via PolicyKit.  IMHO all
> > > PolicyKit configuration should be "secure by default",
> > 
> > "secure" is a meaningless term without reference to a deployment
> > model and threat model, but let's assume here for reference that what
> > you mean is that the shipped RPMs should be configured to not grant
> > any additional privileges over that afforded to the traditional Unix
> > timesharing model, and then the desktop kickstart modifies them.
> 
> Yes, that was what I meant.
> 
> > I would agree with that, but it's not trivial.  Are we just scoping in
> > PackageKit here, or also consolehelper @console actions?  Does it
> > imply removing the setuid bit from /bin/ping?
> 
> In an ideal world, everything that could grant elevated privilege would
> come without it, and the admin (or spin config files) could easily
> configure it back.
> 
> That obviously fails for things like /bin/ping, since that uses file
> permissions, and that's part of the RPM (and not configurable).
> However, ping has traditionally been runnable as a non-root user, and it
> is easily spotted with find.  The number of setuid programs is small
> these days, but several of them are now "helpers" that allow a
> wide range of other programs access, again with minimal documentation
> (what is pulse/proximity-helper? why is nspluginwrapper/plugin-config
> setuid root?)
> 
> I think anything that uses PolicyKit should ship with no elevated
> privileges by default, since it is configurable.
> 
> It would be nice to also get consolehelper, but that is more
> complicated.  I thought that was on the way out (to be replaced by
> PolicyKit), but I see there are still a number of things that use it
> (looking at the F11 desktop I'm on right now).
> 
> NetworkManager is another thing that probably could use some admin
> control in some places, especially as it is being pushed to replace the
> old network scripts.  Does NM use PolicyKit or consolehelper, or does it
> just do things itself?

It uses PolicyKit.  We have a bit of work to do before we have
fine-grained lockdown, but it's not that far off.  F13 perhaps?  It's
basically a case of defining the permissions (there are already a few
for things like disallowing modification of system connections,
disabling the "create new network" functionality, etc) and then making
sure NM checks them, and *also* making sure the UI provides appropriate
feedback when something is not allowed at all, as opposed to "allowed if
you authenticate first".

Dan

> > > Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> > > this kind of thing comes from.  How do I override the settings in one of
> > > these files?  None of them are marked "config", so I guess I don't edit
> > > them.  Are there other places such policy can be set?
> > 
> > See "man PolicyKit.conf"
> 
> The bigger issue is that much of the policy is not well documented,
> except in the XML files (which are pretty terse).
> -- 
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
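The two inventory tasks the quoted message describes, spotting setuid helpers with find and reading what the PolicyKit .policy files grant by default, as an added audit script that is not part of this thread or of any Fedora package. It assumes GNU-style find and awk; the rpm lookup is skipped when rpm is not installed, and the fixture directory, file names and the example.policy content are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper: list setuid/setgid binaries (with owning RPM when rpm
# exists) and show which PolicyKit actions a .policy file grants to an
# active console user without any authentication.
# Print "path<TAB>owning-rpm" for every setuid or setgid regular file under ROOT.
audit_setuid() {
    root="${1:-/}"
    # -perm -4000 = setuid bit set, -perm -2000 = setgid bit set
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$f" 2>/dev/null) || pkg="not-owned-by-any-package"
        else
            pkg="rpm-unavailable"
        fi
        printf '%s\t%s\n' "$f" "$pkg"
    done
}
count_setuid() { audit_setuid "$1" | wc -l | tr -d ' '; }
# Print "action-id<TAB>allow_active" for each <action> in the given .policy
# files; "yes" means the privilege is granted with no authentication at all,
# "auth_admin" means an admin password is required first.
policy_defaults() {
    awk '
        /<action id="/   { sub(/.*<action id="/, ""); sub(/".*/, ""); id = $0 }
        /<allow_active>/ { sub(/.*<allow_active>/, ""); sub(/<.*/, "");
                           printf "%s\t%s\n", id, $0 }
    ' "$@"
}
# Constructed fixture so both checks can be exercised without touching /usr.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/libexec" "$d/policy"
    : > "$d/bin/ping";       chmod 4755 "$d/bin/ping"        # setuid
    : > "$d/libexec/helper"; chmod 2755 "$d/libexec/helper"  # setgid only
    : > "$d/bin/ls";         chmod 0755 "$d/bin/ls"          # ordinary file
    cat > "$d/policy/example.policy" <<'EOF'
<policyconfig>
  <action id="org.example.reboot">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
  <action id="org.example.set-time">
    <defaults><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>
EOF
    printf '%s\n' "$d"
}
```

On a real system, run `audit_setuid /usr` and `policy_defaults /usr/share/PolicyKit/policy/*.policy` and review every line whose second column is "yes" or whose package column is "not-owned-by-any-package".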
> 
More information about the fedora-devel-list mailing list