Admin permissions

David Zeuthen david at fubar.dk
Fri Nov 13 12:54:43 PST 2009


Hi,

On Sat, 2009-10-31 at 14:31 +0100, memolus at googlemail.com wrote:
> I propose to allow admins to change settings without having to enter
> their password. Think about the reason the user is asked for a password.
> It's not really to protect the system from evil local users, because
> you always lock your desktop before you go away. The real reason is
> that applications want to verify that the user wants to modify a
> setting, and not a possible evil user-space software. There should be
> a way to verify this without the need for the user to enter a
> password.

The thing is (to use the same terms you are using) - non-evil software
can easily turn evil if it gets infected. Especially with things like
Adobe's flash player. And multimedia codecs. And filesystem drivers.
And, in general, lots of other code reading untrusted content usually
downloaded from the Internet.

(And no, the fact that you are running Linux, not Windows, does not
inherently make you safer here.)

As such it's not really a good idea to just allow any piece of software
running in your session to be able to run any command it wants through
e.g. pkexec(1). So please stop pimping your proposal about allowing
Action=* - it's just not very good advice. Thanks.

Now, it's true that on most single-user home systems anything outside
$HOME is not really an interesting target (in fact, anything outside
$HOME/.mozilla is probably not interesting). But allowing full system
access allows for more than just stealing, say, the password to your
bank - it allows the attacker to use your system, basically, whenever he
feels like it. It allows him to spy on you using that nice webcam. And
the microphone. Or track your location.

That's why we only (should) allow "safe" things without asking for a
password. Note that this includes basically everything with notable
exceptions such as

 - Installing untrusted software (e.g. not signed by your distro)

 - Gaining root (e.g. 'pkexec bash')

 - Setting up a modem connection (needs trusted path because if anyone
   could do this they could set it up to call a 1-900 number and make
   $50 / minute from you)

Note that all these things are actually things normal users should never
need to do very often.

Also, there is actually some work going on here, see

https://www.redhat.com/archives/fedora-desktop-list/2009-August/msg00103.html

for some discussion of introducing roles to deal with this problem. The
long term plan is that users in the desktop_admin_r group will be able
to do pretty much anything without being slowed down by password dialogs
(except for the trusted path things as mentioned above).

For some more thinking about this problem, also see

https://bugzilla.gnome.org/show_bug.cgi?id=596260#c6

     David
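The policy the message sketches (members of a desktop admin group get "yes" for almost everything, but the trusted-path actions still prompt) can be written down as a polkit rule. The following is an added example, not code from this thread or from the polkit project; it uses the JavaScript rules API that polkit gained in 0.106, which postdates the 2009 message (the pklocalauthority `.pkla` format of that era is the assumed real-world equivalent). The group name `desktop_admin_r` comes from the message; the action ids for pkexec, PackageKit and NetworkManager are real ids chosen as stand-ins for the three exceptions listed above. The small `polkit` object is a shim for the rule engine so the decision logic can be run offline with Node.

```javascript
// Added example: "allow safe things, keep the trusted path for the rest"
// expressed as a polkit JavaScript rule, plus a minimal stand-in for polkit's
// rule engine so the rule can be exercised without a running polkitd.

// Actions the message says must always go through a password / trusted path.
// These ids are real polkit action ids, used here as illustrative stand-ins.
const TRUSTED_PATH_ACTIONS = new Set([
  "org.freedesktop.policykit.exec",                        // gaining root via pkexec
  "org.freedesktop.packagekit.package-install-untrusted",  // software not signed by the distro
  "org.freedesktop.NetworkManager.settings.modify.system", // system-wide (e.g. modem) connections
]);

// Shim for the parts of polkit's rules API the rule below uses.  Like the
// real engine, rules are consulted in the order they were added and the first
// one that returns a value decides; undefined means "not handled, fall back
// to the action's compiled-in defaults".
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) {
    this._rules.push(fn);
  },
  checkAuthorization(actionId, subject) {
    const action = { id: actionId };
    for (const rule of this._rules) {
      const result = rule(action, subject);
      if (result !== undefined) return result;
    }
    return undefined;
  },
};

// The rule itself.  This is the only part that would live in
// /etc/polkit-1/rules.d/ on a real system (assumed layout).
polkit.addRule(function (action, subject) {
  if (!subject.isInGroup("desktop_admin_r")) {
    return undefined; // not a desktop admin: leave it to the action defaults
  }
  if (TRUSTED_PATH_ACTIONS.has(action.id)) {
    return polkit.Result.AUTH_ADMIN; // admin or not, these always prompt
  }
  return polkit.Result.YES; // everything else: no password dialog
});

// Constructed subject: the group list stands in for the session user's
// supplementary groups.
function makeSubject(user, groups) {
  return { user, isInGroup: (name) => groups.includes(name) };
}

// Evaluate one request and report the outcome as a string; "default" means
// no rule handled it and the action's own <defaults> would apply.
function decide(actionId, user, groups) {
  const result = polkit.checkAuthorization(actionId, makeSubject(user, groups));
  return result === undefined ? "default" : result;
}

// Constructed sample requests.
const samples = [
  ["org.freedesktop.hostname1.set-hostname", "alice", ["users", "desktop_admin_r"]],
  ["org.freedesktop.policykit.exec", "alice", ["users", "desktop_admin_r"]],
  ["org.freedesktop.hostname1.set-hostname", "bob", ["users"]],
];
for (const [actionId, user, groups] of samples) {
  console.log(`${user} -> ${actionId}: ${decide(actionId, user, groups)}`);
}
```

Run with `node` to see the three outcomes: the admin changes the hostname with no dialog, still gets a password prompt for `pkexec`, and the non-admin falls through to the action's defaults. The design point is that the exceptions are an explicit, short list; a rule that returned `YES` for every action and every user is the `Action=*` proposal the message argues against.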

