[PolicyKit] Authorizations of Interpreted Languages

David Zeuthen david at fubar.dk
Sun May 18 07:25:27 PDT 2008


On Wed, 2008-05-14 at 16:12 +0300, S.Çağlar Onur wrote:
> caglar at bankai ~ $ polkit-auth --explicit-detail
> tr.org.pardus.comar.boot.modules.load
>   Authorized:  No
>   Scope:       Indefinitely
>   Obtained:    Wed May 14 15:14:25 2008 by auth as root (uid 0)
>   Constraint:  Session must be on a local console
>   Constraint:  Session must be active
>   Constraint:  Only allowed for program /usr/bin/python2.5
> 
> But this also means ___any python script___ used by that user while
> session is active can use "tr.org.pardus.comar.boot.modules.load"
> actions to load arbitrary kernel modules :(.

That is correct. But see the large disclaimer here

http://hal.freedesktop.org/docs/PolicyKit/polkit-polkit-sysdeps.html#polkit-sysdeps-get-exe-for-pid

about why constraining some authorization to an exe name doesn't (in
general) add any security whatsoever. Even if we (somehow) confined this
to /usr/bin/some-python-program I'm pretty sure a malicious program in
the session could find ways to inject code (e.g. LD_PRELOAD and
PYTHONPATH environment variables, AT-SPI / X11 etc.) into the process
that is created when /usr/bin/some-python-program is run. Btw, if
PolicyKit is built with SELinux support we also constrain the process to
the security context.

So the moral here is pretty much if you grant an authorization to
something in the session then pretty much anything in that session can
use it unless the program the authorization is granted to is written in
a secure way (e.g. glibc secure mode kicks in etc.).

Of course to make a graphical program secure you'd need a secure
windowing system (e.g. XACE or a secure desktop feature), you'd need a
secure toolkit (things like GTK_MODULES), and possibly something like
MLS which needs something like SELinux. And all of this is a lot of work
and not something we have today. There are some more details here that
may be useful

http://bugzilla.gnome.org/show_bug.cgi?id=531609#c9

Today many people say that if you have malicious software running in
your desktop session you've already lost. I tend to agree with these
people. And certainly something like being able to load a module
from /lib/modules (a location controlled by uid 0) wouldn't be an
interesting target for me if I was an attacker; I'd rather just collect
all the passwords from your browser; much more valuable ;-)

Hope this clarifies.

     David
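Added illustration of the point made above (example code, not PolicyKit's or COMAR's own): an "Only allowed for program" constraint compares the process's executable path, which for an interpreted language is the interpreter, so every script run by that interpreter passes, and environment variables such as LD_PRELOAD or PYTHONPATH are still honoured unless glibc secure mode applies. The process records, paths and variable names below are constructed to mimic /proc/<pid>/exe, cmdline and environ.

```python
from dataclasses import dataclass, field

# Variables the dynamic loader and the Python interpreter honour unless the
# process runs in glibc secure mode (AT_SECURE, e.g. setuid or file caps).
INJECTION_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PYTHONSTARTUP")

@dataclass
class Proc:
    pid: int
    exe: str                  # what readlink(/proc/<pid>/exe) would return
    cmdline: list             # argv as found in /proc/<pid>/cmdline
    environ: dict = field(default_factory=dict)
    at_secure: bool = False   # glibc secure mode: injection vars are ignored

def exe_constraint_matches(proc, allowed_exe):
    """The whole check an exe-path constraint performs."""
    return proc.exe == allowed_exe

def script_of(proc):
    """For an interpreter, the first non-option argument is the script."""
    for arg in proc.cmdline[1:]:
        if not arg.startswith("-"):
            return arg
    return None  # interactive interpreter, or code passed via -c

def injection_vectors(proc):
    """Environment variables that let other session code run in this process."""
    if proc.at_secure:
        return []  # loader and interpreter drop these in secure mode
    return [v for v in INJECTION_VARS if v in proc.environ]

def audit(procs, allowed_exe):
    """For each process that passes the constraint: which code really runs."""
    return [(p.pid, script_of(p), injection_vectors(p))
            for p in procs if exe_constraint_matches(p, allowed_exe)]

# Constructed sample: the intended client script, an unrelated user script,
# the client started with a user-controlled PYTHONPATH, and a setuid helper.
SAMPLE = [
    Proc(1001, "/usr/bin/python2.5", ["python2.5", "/usr/lib/comar/client.py"]),
    Proc(1002, "/usr/bin/python2.5", ["python2.5", "/home/user/anything.py"]),
    Proc(1003, "/usr/bin/python2.5", ["python2.5", "/usr/lib/comar/client.py"],
         {"PYTHONPATH": "/home/user/.local/lib"}),
    Proc(1004, "/usr/bin/setuid-helper", ["setuid-helper"],
         {"LD_PRELOAD": "/tmp/x.so"}, at_secure=True),
]

if __name__ == "__main__":
    # Three distinct processes satisfy the constraint; only one is the client
    # started in a clean environment.
    for pid, script, vectors in audit(SAMPLE, "/usr/bin/python2.5"):
        print(pid, script, vectors or "clean environment")
```

Running it lists pids 1001, 1002 and 1003 as all satisfying the constraint, which is exactly the "any python script" outcome described in the quoted message.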
