Local users get to play root?
Dan Williams
dcbw at redhat.com
Wed Nov 18 19:42:21 UTC 2009
On Wed, 2009-11-18 at 13:31 -0600, Chris Adams wrote:
> Once upon a time, Colin Walters <walters at verbum.org> said:
> > On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams <cmadams at hiwaay.net> wrote:
> > > It seems the latest way of doing this is via PolicyKit. IMHO all
> > > PolicyKit configuration should be "secure by default",
> >
> > "secure" is a meaningless term without reference to a deployment
> > model and threat model, but let's assume here for reference that what
> > you mean is that the shipped RPMs should be configured to not grant
> > any additional privileges over that afforded to the traditional Unix
> > timesharing model, and then the desktop kickstart modifies them.
>
> Yes, that was what I meant.
>
> > I would agree with that, but it's not trivial. Are we just scoping in
> > PackageKit here, or also consolehelper @console actions? Does it
> > imply removing the setuid bit from /bin/ping?
>
> In an ideal world, everything that could grant elevated privilege would
> come without it, and the admin (or spin config files) could easily
> configure it back.
>
> That obviously fails for things like /bin/ping, since that uses file
> permissions, and that's part of the RPM (and not configurable).
> However, ping has traditionally been runnable as a non-root user, and it
> is easily spotted with find. The number of setuid programs is small
> these days, but several of them are now "helpers" that allow a
> wide range of other programs access, again with minimal documentation
> (what is pulse/proximity-helper? why is nspluginwrapper/plugin-config
> setuid root?)
>
> I think anything that uses PolicyKit should ship with no elevated
> privileges by default, since it is configurable.
>
> It would be nice to also get consolehelper, but that is more
> complicated. I thought that was on the way out (to be replaced by
> PolicyKit), but I see there are still a number of things that use it
> (looking at the F11 desktop I'm on right now).
>
> NetworkManager is another thing that probably could use some admin
> control in some places, especially as it is being pushed to replace the
> old network scripts. Does NM use PolicyKit or consolehelper, or does it
> just do things itself?
It uses PolicyKit. We have a bit of work to do before we have
fine-grained lockdown, but it's not that far off. F13 perhaps? It's
basically a case of defining the permissions (there are already a few
for things like disallowing modification of system connections,
disabling the "create new network" functionality, etc) and then making
sure NM checks them, and *also* making sure the UI provides appropriate
feedback when something is not allowed at all, as opposed to "allowed if
you authenticate first".
Dan
> > > Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> > > this kind of thing comes from. How do I override the settings in one of
> > > these files? None of them are marked "config", so I guess I don't edit
> > > them. Are there other places such policy can be set?
> >
> > See "man PolicyKit.conf"
>
> The bigger issue is that much of the policy is not well documented,
> except in the XML files (which are pretty terse).
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>
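Chris notes above that setuid programs are "easily spotted with find". The following POSIX shell script is an added illustration of that audit, not code from this thread or from Fedora: it lists setuid/setgid regular files under a root, produces a sorted baseline an administrator can keep under version control, and reports entries that have appeared since the baseline was taken (the way a newly packaged helper such as the ones Chris asks about would show up). The function names and the sample directory tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Audit helpers for setuid/setgid files; all names below are constructed.

# show_privileged_files ROOT
#   Print mode, owner and path of every regular file under ROOT that has the
#   setuid (4000) or setgid (2000) bit. -xdev keeps the walk on one filesystem.
show_privileged_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# list_privileged_paths ROOT
#   Same search, paths only, sorted so the output can be saved as a baseline
#   and compared later with comm(1).
list_privileged_paths() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_privileged_files ROOT -> number of setuid/setgid files under ROOT
count_privileged_files() {
    list_privileged_paths "$1" | wc -l | tr -d ' '
}

# new_privileged_paths ROOT BASELINE
#   Print paths present now but absent from the sorted BASELINE file.
#   comm -13 suppresses lines unique to the baseline and lines common to both.
new_privileged_paths() {
    list_privileged_paths "$1" | comm -13 "$2" -
}

# make_sample_tree
#   Build a constructed directory tree in a temp dir: one plain file, one
#   setuid file and one setgid file. Prints the directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    : > "$dir/plain"
    : > "$dir/suid_helper"
    chmod u+s "$dir/suid_helper"     # setuid bit
    : > "$dir/sgid_helper"
    chmod g+s "$dir/sgid_helper"     # setgid bit
    echo "$dir"
}

# Stand-alone demonstration on the constructed tree.
if [ "${DEMO:-1}" = "1" ]; then
    sample=$(make_sample_tree)
    echo "privileged files under $sample:"
    show_privileged_files "$sample"
    # Pretend the baseline was taken when only suid_helper existed.
    baseline=$(mktemp)
    echo "$sample/suid_helper" > "$baseline"
    echo "new since baseline:"
    new_privileged_paths "$sample" "$baseline"
    rm -rf "$sample" "$baseline"
fi
```

On a real system, run `list_privileged_paths / > /var/lib/setuid-baseline` once after installation, and re-run `new_privileged_paths / /var/lib/setuid-baseline` after package updates; any line it prints is a helper that gained elevated privilege since the baseline and deserves the same scrutiny as a PolicyKit policy file.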