Local users get to play root?

Chris Adams cmadams at hiwaay.net
Wed Nov 18 19:31:49 UTC 2009


Once upon a time, Colin Walters <walters at verbum.org> said:
> On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams <cmadams at hiwaay.net> wrote:
> > It seems the latest way of doing this is via PolicyKit.  IMHO all
> > PolicyKit configuration should be "secure by default",
> 
> "secure" is a meaningless term without reference to a deployment
> model and threat model, but let's assume here for reference that what
> you mean is that the shipped RPMs should be configured to not grant
> any additional privileges over that afforded to the traditional Unix
> timesharing model, and then the desktop kickstart modifies them.

Yes, that was what I meant.

> I would agree with that, but it's not trivial.  Are we just scoping in
> PackageKit here, or also consolehelper @console actions?  Does it
> imply removing the setuid bit from /bin/ping?

In an ideal world, everything that could grant elevated privilege would
come without it, and the admin (or spin config files) could easily
configure it back.

That obviously fails for things like /bin/ping, since that uses file
permissions, and that's part of the RPM (and not configurable).
However, ping has traditionally been runnable as a non-root user, and it
is easily spotted with find.  The number of setuid programs is small
these days, but several of them are now "helpers" that allow a
wide range of other programs access, again with minimal documentation
(what is pulse/proximity-helper? why is nspluginwrapper/plugin-config
setuid root?)

I think anything that uses PolicyKit should ship with no elevated
privileges by default, since it is configurable.

It would be nice to also get consolehelper, but that is more
complicated.  I thought that was on the way out (to be replaced by
PolicyKit), but I see there are still a number of things that use it
(looking at the F11 desktop I'm on right now).

NetworkManager is another thing that probably could use some admin
control in some places, especially as it is being pushed to replace the
old network scripts.  Does NM use PolicyKit or consolehelper, or does it
just do things itself?

> > Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> > this kind of thing comes from.  How do I override the settings in one of
> > these files?  None of them are marked "config", so I guess I don't edit
> > them.  Are there other places such policy can be set?
> 
> See "man PolicyKit.conf"

The bigger issue is that much of the policy is not well documented,
except in the XML files (which are pretty terse).
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
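The two checks the message above leans on, enumerating setuid/setgid binaries with find and overriding a PolicyKit action in PolicyKit.conf, as an added example script. This is not code from the original post or from Fedora; it assumes GNU find/ls on Linux, treats rpm(8) as optional, uses a placeholder action id (org.example.test) rather than any real one from the thread, and reproduces the <match>/<return> layout of the PolicyKit 0.9-era PolicyKit.conf(5) man page, which should be checked against the man page on the target system before use.

```shell
#!/bin/sh
# Added example (not from the original post or from Fedora's own tooling):
# list every setuid/setgid executable below a root, attribute each one to
# the RPM that owns it when rpm(8) exists, and print a PolicyKit.conf
# <match> stanza that forces a given action to result "no".  The XML layout
# is taken from the PolicyKit 0.9-era PolicyKit.conf(5) man page; verify it
# against the man page on the system you deploy to.

# list_setuid ROOT
# Prints "MODE PATH" for each regular file under ROOT carrying the setuid
# or setgid bit.  -xdev keeps find on one filesystem, so /proc, /sys and
# network mounts under ROOT are skipped.  Paths containing spaces would
# break the awk split; system binaries do not have them.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null | awk '{ print $1, $NF }'
}

# owner_package PATH
# Owning RPM for PATH, "(unowned)" when no package claims it, or
# "(rpm unavailable)" on a host without rpm.  Helpers like the ones the
# post asks about (pulse/proximity-helper etc.) are attributed this way.
owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo "(unowned)"
    else
        echo "(rpm unavailable)"
    fi
}

# audit_setuid ROOT
# One report line per binary: mode, path, owning package.
audit_setuid() {
    list_setuid "$1" | while read -r mode path; do
        printf '%s %s %s\n' "$mode" "$path" "$(owner_package "$path")"
    done
}

# policykit_deny_stanza ACTION
# PolicyKit.conf override denying ACTION to everyone.  The output goes
# inside <config> in /etc/PolicyKit/PolicyKit.conf; ACTION is the action id
# from the matching /usr/share/PolicyKit/policy/*.policy file.  This is the
# "no elevated privileges by default" setting; an admin can relax it later
# with a different <return result="..."/>.
policykit_deny_stanza() {
    printf '    <match action="%s">\n        <return result="no"/>\n    </match>\n' "$1"
}

# Stand-alone use:  ./audit.sh /  [org.example.test]
if [ -n "${1:-}" ]; then
    audit_setuid "$1"
    if [ -n "${2:-}" ]; then
        policykit_deny_stanza "$2"
    fi
fi
```

Run it against / to get the inventory the post describes (ping, the pulse and nspluginwrapper helpers, and whatever else is present), then use the owning package to look up that package's documentation or .policy file before deciding whether the bit should stay.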