documentation on polkit-agent-helper-1 and suid
Alad Wenter
alad at archlinux.info
Sat Oct 22 19:10:23 UTC 2016
On 10/21/2016 07:10 PM, Simon McVittie wrote:
> On Fri, 2016-10-21 at 13:40 +0200, Alad Wenter wrote:
>> While looking at suid files on my system I noticed that
>> /usr/lib/polkit-1/polkit-agent-helper-1 is suid root, and I was
>> curious about the reasoning behind this.
> The agent's job is to tell the polkit daemon "yes, this is definitely
> Alad, and not someone else who has sat down at Alad's computer". This
> means it wants to be uid 0 for two reasons:
>
> * to be able to run the PAM stack to check your password, one-time
> key, fingerprint or whatever other credentials against system
> authentication services
>
> * to be able to send that message to the polkit daemon, and give the
> polkit daemon a reason to believe it (that reason being "it came
> from uid 0")
>
> Regards,
> S
>
Hi Simon,
Thanks for your reply. For the second reason, is "it came from uid 0" a
sure reason for polkit to believe the message when the origin behind uid
0 is from a suid binary? Or is that where the first reason on checking
authentication comes in?
Regards,
Alad