[PolicyKit] Authorizations of Interpreted Languages
Harald Hoyer
harald at redhat.com
Wed May 14 06:59:26 PDT 2008
S.Çağlar Onur wrote:
> Hi;
>
> While playing with PolicyKit and PolicyKit-KDE/GNOME, we realized that if we obtain an authorization with the "keep session" option selected using an interpreted language, the "interpreter" gains that authorization for that session.
>
> caglar at zangetsu ~ $ python auth.py
> 0
>
> caglar at zangetsu ~ $ polkit-auth --explicit-detail
> org.gnome.policykit.examples.punch
> Authorized: No
> Scope: Confined to session /org/freedesktop/ConsoleKit/Session1
> Obtained: Wed May 14 15:48:18 2008 by auth as caglar (uid 1000)
> Constraint: Session must be on a local console
> Constraint: Session must be active
> Constraint: Only allowed for program /usr/bin/python2.4
>
> caglar at zangetsu ~ $ cat auth.py
> #!/usr/bin/python
> # -*- coding: utf-8 -*-
>
> import os
> import dbus
>
> bus = dbus.SessionBus()
> obj = bus.get_object("org.freedesktop.PolicyKit.AuthenticationAgent", "/")
>
> try:
>     print obj.ObtainAuthorization("org.gnome.policykit.examples.punch", 0, os.getpid(), dbus_interface="org.freedesktop.PolicyKit.AuthenticationAgent")
> except Exception, e:
>     print e
>
>
> This caused some trouble for us. As you may know, we (Pardus) have a system-wide configuration manager daemon (COMAR) which provides its methods to its users over D-Bus.
>
>
> For example, the "tr.org.pardus.comar.boot.modules.load" action is called when a user starts VirtualBox: the VirtualBox wrapper checks the "vboxdrv" module and, if it's not loaded, asks COMAR to load it. If the client is authorized, COMAR loads that module; if not, PolicyKit-* tries to grant that privilege. If the user gains the "module loading" privilege from PolicyKit, COMAR loads the needed module and VirtualBox starts as desired.
>
> caglar at bankai ~ $ polkit-auth --explicit-detail
> tr.org.pardus.comar.boot.modules.load
> Authorized: No
> Scope: Indefinitely
> Obtained: Wed May 14 15:14:25 2008 by auth as root (uid 0)
> Constraint: Session must be on a local console
> Constraint: Session must be active
> Constraint: Only allowed for program /usr/bin/python2.5
>
> But this also means ___any Python script___ used by that user while the session is active can use "tr.org.pardus.comar.boot.modules.load" actions to load arbitrary kernel modules :(.
>
> How can we solve this issue? Any tips are really appreciated...
>
> Cheers
>
Isn't the authorization checked by the backend by pid?
Example:
http://git.fedorahosted.org/git/?p=system-config-boot.git;a=blob;f=src/grub-conf-mechanism.py;h=6d7e098b9e30019e1f8f5e9f6c50d7e908783c1c;hb=experimental
pid = dbus.UInt32(dbus_object.GetConnectionUnixProcessID(sender))
IsProcessAuthorized(action_id, pid, False)
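
Why the constraint in the quoted output names the interpreter, shown as an added example that is not part of the original thread: on Linux, the executable of a running script is whatever /proc/<pid>/exe points to, which is the interpreter, so two unrelated scripts look like the same program. It assumes the "Only allowed for program" constraint is derived from that path; the helper names and the second script name other.py are hypothetical.

```python
import os
import shutil
import subprocess
import sys
import tempfile


def program_for_pid(pid):
    """Executable path of a process, as the kernel reports it (Linux only)."""
    return os.path.realpath("/proc/%d/exe" % pid)


def cmdline_for_pid(pid):
    """Full argv of a process; for a script run, the last item is the script."""
    with open("/proc/%d/cmdline" % pid, "rb") as f:
        return [a.decode() for a in f.read().split(b"\0") if a]


def compare_scripts(names=("auth.py", "other.py")):
    """Run two different scripts and report what a per-program check sees.

    The scripts are constructed sample input: each one only sleeps.
    """
    tmp = tempfile.mkdtemp()
    procs, report = [], []
    try:
        for name in names:
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write("import time\ntime.sleep(30)\n")
            procs.append(subprocess.Popen([sys.executable, path]))
        for p in procs:
            report.append({
                "script": os.path.basename(cmdline_for_pid(p.pid)[-1]),
                "program": program_for_pid(p.pid),
            })
    finally:
        for p in procs:
            p.kill()
            p.wait()
        shutil.rmtree(tmp, ignore_errors=True)
    return report


if __name__ == "__main__":
    # Both rows show the same program path although the scripts differ.
    for row in compare_scripts():
        print("%-10s -> %s" % (row["script"], row["program"]))
```

A backend that looks up the caller's pid still resolves to this same interpreter path for both scripts.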