pkexec in a chroot - bypassing dbus?
Colin Walters
walters at verbum.org
Fri Nov 15 09:36:53 PST 2013
On Mon, 2013-10-28 at 17:05 +0000, Colin Guthrie wrote:
> Leaving aside all comments regarding nspawn and such, is there a way for
> pkexec to automatically detect if the user is already root and avoid the
> dbus round trip and just assume things are authorised? This might be
> dangerous in some other ways hence why I'm asking.

The only way I can think of for this to be dangerous is for systems
attempting to use Linux capabilities (specifically to drop the "is
really root" ones like CAP_SYS_ADMIN).

If pkexec did a shortcut authorization, then this would allow a
compromised daemon that ran as uid 0 but without CAP_SYS_ADMIN to
trivially regain it with:

  pkexec /tmp/mycode.sh

Now personally, I think people attempting to use Linux capabilities this
way are barking up the wrong tree to an extent - I think SELinux is a
much stronger and more comprehensive solution.

Potentially we could attempt to look at the capabilities of our parent
process, but that involves scraping /proc and...eww.

Why are you running pkexec during a build anyways? For rpm %check?
Personally I think https://live.gnome.org/GnomeGoals/InstalledTests
is a much better testing model than can be provided by rpm %check type
things which have "it's a chroot that has slowly mutated over time to
attempt to emulate a real system".

So I guess bottom line is, indeed I'd just carry the code to do if
(getuid () == 0) /* don't run pkexec */ inside all of the consumers.
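
Added example, not part of the original message and not polkit code: a consumer-side version of the getuid() check that also reads the CapEff line from /proc, so a uid 0 process that has dropped CAP_SYS_ADMIN still goes through pkexec. The function names and the choice to inspect the caller's own status file are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CAP_SYS_ADMIN_BIT 21  /* value of CAP_SYS_ADMIN in <linux/capability.h> */

/* Extract the effective capability mask from the text of /proc/<pid>/status.
 * Returns 0 on success, -1 if no well-formed CapEff line is present. */
int parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            *mask = strtoull(p + 7, &end, 16);
            return end == p + 7 ? -1 : 0;   /* no hex digits: malformed */
        }
        p = strchr(p, '\n');                /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* uid 0 alone is not "really root": skip pkexec only when CAP_SYS_ADMIN is
 * also in the effective set, and fail closed on any parse problem. */
int may_skip_pkexec(uid_t uid, const char *status)
{
    uint64_t eff;
    if (uid != 0 || parse_capeff(status, &eff) != 0)
        return 0;
    return (int)((eff >> CAP_SYS_ADMIN_BIT) & 1);
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';   /* empty text has no CapEff line, so we fail closed */
    puts(may_skip_pkexec(getuid(), buf) ? "run helper directly" : "go through pkexec");
    return 0;
}
```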