Paranoia for helpers - best practices
David Zeuthen
david at fubar.dk
Fri Mar 26 09:56:20 PDT 2010
Hey,
On Tue, 2010-03-23 at 14:07 -0600, Federico Mena Quintero wrote:
> So... my question is:
>
> * Do we need a list of best practices for PK helpers?
>
> * Do we need some helper APIs so that people can do operations like
> those with pre-tested code?
>
> * Do we need, in general, a drop_file_in_scary_place() function with
> some generic checks?
All the stuff you mention is really important - I tried conveying some
of this with this paragraph:
However, if an action is used for which the user can retain
authorization (or if the user is implicitly authorized), such as
with pk-example-frobnicate above, this could be a security hole.
Therefore, as a rule of thumb, programs for which the default
required authorization is changed, should never implicitly trust
user input (e.g. like any other well-written suid program).
from the pkexec(1) man page. I'm not sure we want to provide a library
function for this - maybe a pkdropfile(1) helper? I don't know if that's
workable though...
Also, it would probably be nice to have some links to various guides on
how to write secure programs - for example, documents such as
http://www.dwheeler.com/secure-programs/ come to mind.
David
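As an added example (not part of this thread, and not polkit's or pkexec's own code), here is the shape a drop_file_in_scary_place() routine with generic checks could take for a helper that runs privileged on behalf of an unprivileged caller. The names `validate_name`, `open_trusted_dir`, `drop_file_in_scary_place` and `selfcheck`, the character allow-list, and the scratch directory under /tmp are my assumptions; so is the model that the target directory is a fixed path chosen by the helper while only the file name and contents come from the caller.

```c
/* Added example (not polkit code): a defensive drop_file_in_scary_place()
 * for a privileged helper that must not trust its caller. `dir` is a fixed
 * path chosen by the helper; only `name` and `data` come from the caller. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The caller's name must be a plain, non-hidden basename from a small
 * allow-list: this rejects "", ".", "..", dotfiles and anything containing
 * '/', so it cannot name a path outside `dir`. Returns 0 or -EINVAL. */
int validate_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '.' ||
        strlen(name) > NAME_MAX)
        return -EINVAL;
    for (const char *c = name; *c; c++) {
        int ok = (*c >= 'a' && *c <= 'z') || (*c >= 'A' && *c <= 'Z') ||
                 (*c >= '0' && *c <= '9') || *c == '.' || *c == '_' || *c == '-';
        if (!ok)
            return -EINVAL;
    }
    return 0;
}

/* Open the directory without following a symlink at its final component and
 * refuse it unless it is owned by our own euid and not group/world writable;
 * otherwise an unprivileged user could swap entries between check and write.
 * Returns a directory fd or a negative errno. */
static int open_trusted_dir(const char *dir)
{
    struct stat st;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    if (fstat(fd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -EPERM;
    }
    return fd;
}

/* Create `name` in `dir` with O_CREAT|O_EXCL|O_NOFOLLOW: a file or symlink
 * planted there (even a dangling one) makes open fail with EEXIST instead of
 * being overwritten or followed. A partially written file is removed again.
 * Returns 0 or a negative errno. */
int drop_file_in_scary_place(const char *dir, const char *name,
                             const void *data, size_t len)
{
    int rc = validate_name(name);
    if (rc < 0)
        return rc;
    int dfd = open_trusted_dir(dir);
    if (dfd < 0)
        return dfd;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW |
                    O_CLOEXEC, 0644);
    if (fd < 0) {
        rc = -errno;
    } else {
        for (const char *p = data; len > 0; ) {
            ssize_t w = write(fd, p, len);
            if (w < 0 && errno == EINTR) continue;
            if (w < 0) { rc = -errno; unlinkat(dfd, name, 0); break; }
            p += w; len -= (size_t)w;
        }
        close(fd);
    }
    close(dfd);
    return rc;
}

/* Exercise the routine in a scratch directory under /tmp with constructed
 * input. Returns 0 when every expectation holds, else a bitmask of failures. */
int selfcheck(void)
{
    char tmpl[] = "/tmp/dropfile.XXXXXX", path[PATH_MAX];
    const char msg[] = "constructed sample payload\n";
    char *dir = mkdtemp(tmpl);
    int bad = 0;
    if (dir == NULL)
        return -errno;
    if (drop_file_in_scary_place(dir, "ok.txt", msg, sizeof msg - 1) != 0)
        bad |= 1;                                     /* fresh name: success */
    if (drop_file_in_scary_place(dir, "ok.txt", msg, sizeof msg - 1) != -EEXIST)
        bad |= 2;                                     /* no silent overwrite */
    snprintf(path, sizeof path, "%s/evil", dir);
    if (symlink("/nonexistent/target", path) != 0 ||
        drop_file_in_scary_place(dir, "evil", msg, sizeof msg - 1) != -EEXIST)
        bad |= 4;                                     /* symlink not followed */
    if (drop_file_in_scary_place(dir, "../escape", msg, 0) != -EINVAL)
        bad |= 8;                                     /* traversal rejected */
    unlink(path);
    snprintf(path, sizeof path, "%s/ok.txt", dir);
    unlink(path);
    rmdir(dir);
    return bad;
}
```

The point of the ordering is that the name is rejected before any file system access, the directory is checked by fd (fstat) rather than by path (stat), and creation uses O_EXCL plus O_NOFOLLOW so a pre-planted entry is an error rather than a target. To try it, link the file with a main() that calls selfcheck() and treats a non-zero result as failure; a real helper would also want to apply a fixed, restrictive umask and to reject names beyond what its own use case needs.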