[PolicyKit] Authorizations of Interpreted Languages

S.Çağlar Onur caglar at pardus.org.tr
Wed May 14 08:46:58 PDT 2008


Hi Olivier,

On Wed, 14 May 2008, Olivier Galibert wrote:
> [sorry for the encoding-damage to your name]

No problem at all :)
 
> On Wed, May 14, 2008 at 04:12:11PM +0300, S.Ça??lar Onur wrote:
> > For example "tr.org.pardus.comar.boot.modules.load" action is called
> > when a user starts a VirtualBox, VirtualBox wrapper checks "vboxdrv"
> > module and if it's not loaded asks COMAR to load it, if client is
> > authorized, COMAR loads that module, if not, PolicyKit-* tries to
> > grant that privilege. If user gains "module loading" privilege from
> > PolicyKit, COMAR loads needed module and VirtualBox starts as
> > desired.
> 
> [...]
> > But this also means ___any python script___ used by that user while
> > session is active can use "tr.org.pardus.comar.boot.modules.load"
> > actions to load arbitrary kernel modules :(.
> 
> Ok, some details are unclear there.
> 
> Who is COMAR running as?  The requesting user or a different
> privileged user?  If it's the user, what prevents any other process
> of that user from saying "Hi, I'm COMAR, trust me, load this module
> please"?

COMAR runs as root, and it is started via D-Bus service activation. Currently it serves lots of interfaces over D-Bus for our configuration tools; module loading was just an example (package manager, network manager, boot manager GUIs, etc.), and our package manager (PiSi) also uses COMAR's postInstall/preInstall methods to perform these operations.
 
> If PolicyKit grants the user the "module loading" privilege, doesn't
> that mean that the user is allowed to load arbitrary kernel modules in
> the first place, hence your issue isn't an issue in the first place?

Maybe I misunderstand, but the following tells me:

caglar at zangetsu ~ $ polkit-auth --explicit-detail
org.gnome.policykit.examples.punch
  Authorized:  No
  Scope:       Confined to session /org/freedesktop/ConsoleKit/Session1
  Obtained:    Wed May 14 15:48:18 2008 by auth as caglar (uid 1000)
  Constraint:  Session must be on a local console
  Constraint:  Session must be active
  Constraint:  Only allowed for program YOUR_APPLICATION

The user must be on a local console with an active session, and only YOUR_APPLICATION is granted the "punch" action; if any other application, say amarok, wants to "punch" the system, it must also provide the needed credentials.

But in our case (our configuration tools are also written in Python), gaining any privilege with one of the GUIs gives the very same privilege to the "python interpreter", which means every Python application that runs in that session gains these privileges, instead of the application itself.

> Maybe you do not want a general "module loading" privilege in the
> first place, but a module loading privilege for a specific set of
> modules you know you'll need to play with in the course of normal
> sessions, giving two categories of modules (known to be useful to play
> with as a user vs. the others).  The "list of useful modules" could
> start with vboxdrv, kqemu, loop... and granting access to them as a
> whole could be considered acceptable.  You don't always want _too_
> fine-grained anyway.

You are right, the "module loading" privilege is not fine-grained, but it seems granularity is not the problem here :)

Cheers
-- 
S.Çağlar Onur <caglar at pardus.org.tr>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!
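Since the message above is about a per-program constraint that cannot tell Python scripts apart, here is an added Python model (not PolicyKit's or COMAR's code) showing the grant collapsing onto the interpreter, beside a stricter rule that refuses to persist such a grant. It assumes the "Only allowed for program" constraint is matched against the caller's /proc/<pid>/exe; the interpreter list, PIDs and callers are constructed.

```python
# Added example (not PolicyKit or COMAR code): a simplified model of a session
# grant carrying an "Only allowed for program" constraint. Assumption: the
# constraint is matched against the caller's /proc/<pid>/exe, which for any
# script is the interpreter binary rather than the script.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTION = "tr.org.pardus.comar.boot.modules.load"
SESSION = "/org/freedesktop/ConsoleKit/Session1"
INTERPRETERS = {"/usr/bin/python", "/usr/bin/perl", "/bin/sh"}  # constructed list

@dataclass(frozen=True)
class Caller:
    pid: int
    exe: str               # what /proc/<pid>/exe resolves to
    argv: Tuple[str, ...]  # informational only; chosen by the caller, never trusted

@dataclass(frozen=True)
class Grant:
    action: str
    session: str
    program: Optional[str]  # None: any program in the session

def is_authorized(grants: List[Grant], action: str, session: str, caller: Caller) -> bool:
    """True if a grant covers this action and session for the caller's executable."""
    return any(g.action == action and g.session == session
               and (g.program is None or g.program == caller.exe)
               for g in grants)

def naive_grant(action: str, session: str, caller: Caller) -> Grant:
    """Confine the grant to the executable that asked: for a script, the interpreter."""
    return Grant(action, session, caller.exe)

def safer_grant(action: str, session: str, caller: Caller) -> Optional[Grant]:
    """Do not persist a per-program grant for an interpreter, since it would cover
    every script that interpreter runs in the session; the request must instead be
    authorised explicitly each time (returned as None here)."""
    if caller.exe in INTERPRETERS:
        return None
    return Grant(action, session, caller.exe)

def demo() -> Tuple[bool, bool, Optional[Grant]]:
    # Constructed callers: the VirtualBox wrapper and an unrelated script, both run by python.
    wrapper = Caller(1001, "/usr/bin/python", ("python", "/usr/bin/vbox-wrapper.py"))
    other = Caller(1002, "/usr/bin/python", ("python", "/tmp/anything.py"))
    grants = [naive_grant(ACTION, SESSION, wrapper)]
    return (is_authorized(grants, ACTION, SESSION, wrapper),
            is_authorized(grants, ACTION, SESSION, other),  # also True: same exe
            safer_grant(ACTION, SESSION, wrapper))          # None: nothing persisted
```

A compiled program such as amarok keeps its own per-program grant under the stricter rule, because its executable path identifies it.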