Admin permissions

memolus at googlemail.com memolus at googlemail.com
Sat Nov 14 04:53:09 PST 2009


Thanks for your answer and the stuff to read, David Zeuthen.

2009/11/13 David Zeuthen <david at fubar.dk>:
> The thing is (to use the same terms you are using) - non-evil software
> can easily turn evil if it gets infected. Especially with things like
> Adobe's flash player. And multimedia codecs. And filesystem drivers.
> And, in general, lots of other code reading untrusted content usually
> downloaded from the Internet.
I doubt that non-evil software which asks for a password can easily
turn evil if it gets infected, too. It's only a smaller time frame. After
all, this is like a user-level application getting root authorizations
because of a Linux kernel bug.

> (And no, the fact that you are running Linux, not Windows, does not
> inherently make you safer here.)
For sure.

> As such it's not really a good idea to just allow any piece of software
> running in your session to be able to run any command it wants through
> e.g. pkexec(1). So please stop pimping your proposal about allowing
> Action=* - it's just not very advice. Thanks.
I just didn't quickly find a way to limit the authorization to certain
trusted applications, like it was possible with the old PolicyKit.

> Now, it's true that on most single-user home systems anything outside
> $HOME is not really an interesting target (in fact, anything outside
> $HOME/.mozilla is probably not interesting).
Yeah, $HOME needs protection, too. This is why I would like to have a
way to allow only certain applications to access "~/.mozilla" or
"~/Documents".

> But allowing full system
> access allows for more than just stealing, say, the password to your
> bank - it allows the attacker to use your system, basically, whenever he
> feels like it. It allows him to spy on you using that nice webcam. And
> the microphone. Or track your location.
Er, I thought webcam and microphone access is already available for
user-level software. Couldn't malware do the same thing as Cheese?

> That's why we only (should) allow "safe" things without asking for a
> password. Note that this includes basically everything with notable
> exceptions such as
> [..]
>  - Gaining root (e.g. 'pkexec bash')
I really would like to see _this feature_ without asking for a
password in future. It needs to be protected very well and will be
complicated, because pkexec can't catch the user input directly and
because it needs to be protected against infections. But in the end you
would have a more secure operating system.

David Zeuthen at https://bugzilla.gnome.org/show_bug.cgi?id=596260#c6 :
> a properly configured OS would never need to
> pop up authentication dialogs.
That's it.
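To make the policy difference discussed in this exchange concrete, here are two pklocalauthority(8) files as an added example (not from the thread): the first grants every action to a user without a password, which is the `Action=*` proposal argued against above; the second grants a single named action. The user `alice`, the file paths and the action id `org.example.safe-action` are placeholders; the Local Authority matches only on Identity and Action, so neither file can restrict which application in the session makes the request.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-too-broad.pkla  (placeholder path; weak setting)
# Any process running in alice's active session obtains any authorization
# without a password, including actions that normally require auth_admin.
[Broad grant for alice]
Identity=unix-user:alice
Action=*
ResultAny=no
ResultInactive=no
ResultActive=yes

# /etc/polkit-1/localauthority/50-local.d/20-scoped.pkla  (placeholder path; narrowed)
# Only the one named action becomes passwordless for an active session;
# every other action keeps the default from its .policy file.
[Scoped grant for alice]
Identity=unix-user:alice
Action=org.example.safe-action
ResultAny=no
ResultInactive=no
ResultActive=yes
```

Files are read in lexical order, so the narrowed file should replace the broad one rather than sit beside it; otherwise the `Action=*` match still applies.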
