[PolicyKit] Authorizations of Interpreted Languages

S.Çağlar Onur caglar at pardus.org.tr
Wed May 14 06:12:11 PDT 2008


Hi;

While playing with PolicyKit and PolicyKit-KDE/GNOME, we realized that if we obtain an authorization with the "keep session" option selected using an interpreted language, the "interpreter" gains that authorization for that session.

caglar at zangetsu ~ $ python auth.py
0

caglar at zangetsu ~ $ polkit-auth --explicit-detail
org.gnome.policykit.examples.punch
  Authorized:  No
  Scope:       Confined to session /org/freedesktop/ConsoleKit/Session1
  Obtained:    Wed May 14 15:48:18 2008 by auth as caglar (uid 1000)
  Constraint:  Session must be on a local console
  Constraint:  Session must be active
  Constraint:  Only allowed for program /usr/bin/python2.4

caglar at zangetsu ~ $ cat auth.py
#!/usr/bin/python
# -*- coding: utf-8 -*-

import os
import dbus

bus = dbus.SessionBus()
obj = bus.get_object("org.freedesktop.PolicyKit.AuthenticationAgent", "/")

try:
    print obj.ObtainAuthorization("org.gnome.policykit.examples.punch", 0, os.getpid(), dbus_interface="org.freedesktop.PolicyKit.AuthenticationAgent")
except Exception, e:
    print e


This caused some trouble for us. As you may know, we (Pardus) have a system-wide configuration manager daemon (COMAR) which provides its methods to its users over D-Bus.


For example, the "tr.org.pardus.comar.boot.modules.load" action is called when a user starts VirtualBox: the VirtualBox wrapper checks the "vboxdrv" module and, if it's not loaded, asks COMAR to load it. If the client is authorized, COMAR loads that module; if not, PolicyKit-* tries to grant that privilege. If the user gains the "module loading" privilege from PolicyKit, COMAR loads the needed module and VirtualBox starts as desired.

caglar at bankai ~ $ polkit-auth --explicit-detail
tr.org.pardus.comar.boot.modules.load
  Authorized:  No
  Scope:       Indefinitely
  Obtained:    Wed May 14 15:14:25 2008 by auth as root (uid 0)
  Constraint:  Session must be on a local console
  Constraint:  Session must be active
  Constraint:  Only allowed for program /usr/bin/python2.5

But this also means ___any Python script___ used by that user while the session is active can use the "tr.org.pardus.comar.boot.modules.load" action to load arbitrary kernel modules :(.

How can we solve this issue? Any tips are really appreciated...

Cheers
-- 
S.Çağlar Onur <caglar at pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!
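
The following is an added example, not part of the original message: on Linux it shows why a constraint keyed on the program path cannot tell two scripts apart when both run under the same interpreter. The script names and the `exe_constraint_allows` model of the "Only allowed for program" constraint are assumptions made for illustration, not PolicyKit's own code.

```python
import os
import subprocess
import sys
import tempfile

# Constructed script body: print the executable the kernel recorded for this
# process (the /proc/self/exe target) and the script the interpreter was given.
REPORT = (
    "import os, sys\n"
    "print(os.readlink('/proc/self/exe'))\n"
    "print(os.path.basename(sys.argv[0]))\n"
)


def observe(script_names=("vbox_wrapper.py", "unrelated.py")):
    """Run each constructed script and return [(script_name, kernel_exe), ...]."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name in script_names:
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(REPORT)
            proc = subprocess.run([sys.executable, path], capture_output=True,
                                  text=True, check=True)
            exe, script = proc.stdout.splitlines()
            results.append((script, exe))
    return results


def exe_constraint_allows(exe, allowed_program=sys.executable):
    """Assumed model of "Only allowed for program <path>": compare resolved paths."""
    return os.path.realpath(exe) == os.path.realpath(allowed_program)


if __name__ == "__main__":
    # Both scripts report the interpreter as their executable, so a check on
    # the program path alone gives the same answer for each of them.
    for script, exe in observe():
        print("%-16s exe=%s allowed=%s" % (script, exe, exe_constraint_allows(exe)))
```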