[PolicyKit] Authorizations of Interpreted Languages

Harald Hoyer harald at redhat.com
Wed May 14 06:59:26 PDT 2008


S.Çağlar Onur wrote:
> Hi;
> 
> While playing with PolicyKit and PolicyKit-KDE/GNOME, we realized that if we obtain an authorization with the "keep session" option selected using an interpreted language, the "interpreter" gains that authorization for that session.
> 
> caglar at zangetsu ~ $ python auth.py
> 0
> 
> caglar at zangetsu ~ $ polkit-auth --explicit-detail
> org.gnome.policykit.examples.punch
>   Authorized:  No
>   Scope:       Confined to session /org/freedesktop/ConsoleKit/Session1
>   Obtained:    Wed May 14 15:48:18 2008 by auth as caglar (uid 1000)
>   Constraint:  Session must be on a local console
>   Constraint:  Session must be active
>   Constraint:  Only allowed for program /usr/bin/python2.4
> 
> caglar at zangetsu ~ $ cat auth.py
> #!/usr/bin/python
> # -*- coding: utf-8 -*-
> 
> import os
> import dbus
> 
> bus = dbus.SessionBus()
> obj = bus.get_object("org.freedesktop.PolicyKit.AuthenticationAgent", "/")
> 
> try:
>     print obj.ObtainAuthorization("org.gnome.policykit.examples.punch", 0, os.getpid(), dbus_interface="org.freedesktop.PolicyKit.AuthenticationAgent")
> except Exception, e:
>     print e
> 
> 
> This caused some trouble for us. As you may know, we (Pardus) have a system-wide configuration manager daemon (COMAR) which provides its methods to its users over D-Bus.
> 
> For example, the "tr.org.pardus.comar.boot.modules.load" action is called when a user starts VirtualBox. The VirtualBox wrapper checks the "vboxdrv" module and, if it's not loaded, asks COMAR to load it. If the client is authorized, COMAR loads that module; if not, PolicyKit-* tries to grant that privilege. If the user gains the "module loading" privilege from PolicyKit, COMAR loads the needed module and VirtualBox starts as desired.
> 
> caglar at bankai ~ $ polkit-auth --explicit-detail
> tr.org.pardus.comar.boot.modules.load
>   Authorized:  No
>   Scope:       Indefinitely
>   Obtained:    Wed May 14 15:14:25 2008 by auth as root (uid 0)
>   Constraint:  Session must be on a local console
>   Constraint:  Session must be active
>   Constraint:  Only allowed for program /usr/bin/python2.5
> 
> But this also means ___any Python script___ used by that user while the session is active can use "tr.org.pardus.comar.boot.modules.load" actions to load arbitrary kernel modules :(.
> 
> How can we solve this issue? Any tips are really appreciated...
> 
> Cheers
> 

Isn't the authorization checked by the backend by pid?
Example:
http://git.fedorahosted.org/git/?p=system-config-boot.git;a=blob;f=src/grub-conf-mechanism.py;h=6d7e098b9e30019e1f8f5e9f6c50d7e908783c1c;hb=experimental

pid = dbus.UInt32(dbus_object.GetConnectionUnixProcessID(sender))
IsProcessAuthorized(action_id, pid, False)
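
The "Only allowed for program /usr/bin/python2.4" constraint in the quoted output can be reproduced outside PolicyKit. The following is an added example, not part of the original thread or of PolicyKit's code: it assumes Linux /proc and that a per-program constraint is keyed on the process's executable path, and the script names are constructed.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for any script: it just waits until stdin is closed.
SCRIPT_BODY = "import sys\nsys.stdin.readline()\n"


def exe_of(pid):
    """Executable path the kernel records for pid (Linux /proc only)."""
    return os.readlink("/proc/%d/exe" % pid)


def cmdline_of(pid):
    """argv of pid; this is where the script path shows up, not in exe."""
    with open("/proc/%d/cmdline" % pid, "rb") as f:
        return [a.decode() for a in f.read().split(b"\0") if a]


def run_and_inspect(names=("vbox_wrapper.py", "unrelated.py")):
    """Start each (hypothetical) script and record how its process looks."""
    seen, procs = [], []
    with tempfile.TemporaryDirectory() as tmp:
        try:
            for name in names:
                path = os.path.join(tmp, name)
                with open(path, "w") as f:
                    f.write(SCRIPT_BODY)
                p = subprocess.Popen([sys.executable, path],
                                     stdin=subprocess.PIPE)
                procs.append(p)
                seen.append({"script": name, "exe": exe_of(p.pid),
                             "cmdline": cmdline_of(p.pid)})
        finally:
            for p in procs:
                p.stdin.close()   # EOF lets the child exit
                p.wait()
    return seen


def same_program(seen):
    """True when an exe-path constraint cannot tell the processes apart."""
    return len({s["exe"] for s in seen}) == 1


if __name__ == "__main__":
    seen = run_and_inspect()
    for s in seen:
        print(s["script"], "->", s["exe"])
    print("indistinguishable by exe path:", same_program(seen))
```

Both processes report the interpreter as their executable; only the command line differs, which is why a pid-based check that resolves to the executable path sees one "program" for every script.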


