Application authorisations
David Zeuthen
zeuthen at gmail.com
Thu Apr 29 08:01:01 PDT 2010
Hey,
On Thu, Apr 29, 2010 at 9:13 AM, Bastien Nocera <hadess at hadess.net> wrote:
> Polkit is *nearly* what I want, and I thought about using it, but I
> don't want authentication, I just want authorisation.
>
> Compare and contrast:
> "Please enter the administrator password to allow this app to access
> your location"
> vs.
> "This app wants to access your location. [allow] [deny]"
>
> Can PolicyKit do the latter? Can it be extended to do the latter?
Sure, polkit could definitely introduce auth_ack{,_keep} in addition
to the existing auth_self and auth_admin. It would just show [allow]
and [deny] buttons instead of challenging the user. Btw, there is
already a fine mechanism (the PolkitBackendActionLookup extension
point) in place for you to customize the message so it the dialog
would be
The application XYZ wants to access your location.
where XYZ could be Firefox or Epiphany or Empathy or whatever.
>> Btw, I hope you realize that on Linux, the binary name don't work
>> great for interpreted languages and isn't really secure at all. See
>>
>> http://cgit.freedesktop.org/PolicyKit/tree/src/polkit/polkit-sysdeps.c?id=POLICY_KIT_0_9#n190
>
> Right. It's probably even worse in this case given that geoclue and the
> backends would run in the user session.
>
>> I like the "whitelist of known applications" authorization style.. but
>> I don't think it's straightforward to do in a secure way. Then again,
>> maybe you don't need it to be secure. Then again, you are dealing with
>> sensitive information and private information like location here. I
>> don't know.
>
> You would already "leak" a lot of things wrt. your location when using
> the internet. An application could run in the background, and get all
> the information necessary to get your location from Internet sources
> without your knowledge. What we're trying to avoid is making it too easy
> for applications.
>
> Should geoclue run as a non-privileged user outside the session instead?
> That would make it easier to lock down, and avoid data leaking out.
Yes - I think it makes sense to actually ensure no-one can get at the
data before putting roadblocks in place to the usual way to get to the
data. But even after doing that it is still sketcy to authorize based
on application identify because we no concept application identity on
the normal Linux Desktop - not anything that's good enough to be used
in the way you want to, anyway.
FWIW, I don't think it's really worth the effort to do all this for
the normal Linux Desktop. Everything in your desktop session pretty
much runs in the same security context and conventional wisdom says
something to the effect that you are screwed if you have hostile code
in your session _anyway_. I mean, if I was a hostile program running
in your session I wouldn't worry too much about your location - I'd be
much more interested in the contents of ~/.mozilla instead :-)
Hope this helps.
Cheers,
David
More information about the dbus
mailing list