What are these for?

Ian Malone ibmalone at gmail.com
Wed Nov 21 15:02:57 UTC 2012


On 21 November 2012 14:38, lee <lee at yun.yagibdah.de> wrote:
I don't pretend to have the answers to all your questions, but:

> Matthew Miller <mattdm at fedoraproject.org> writes:
>
>> On Wed, Nov 21, 2012 at 12:37:47PM +0100, lee wrote:

>> By only asking for and using privileged access when required. That's a
>> fundamentally good idea.
>
> And how do you know or make sure that some software uses your password
> only for that?
>

You don't really, but this is why policy kit is supposed to handle the
authentication and tell you what access is being requested.

>>> > For example, a timezone applet can show you the time as a regular user
>>> > and only require extra authentication to change it.
>>> Regular users must not change the system time.  It's on UTC and kept on
>>> track with chrony.
>>
>> Well, exactly. That's why you would need extra authentication to change it.
>
> Users are not supposed to change it at all, not even with extra
> authentication.
>

How does it ever get changed then? You might answer that you use ntpd
(in which case you are trusting people on the internet), but not all
systems can (maybe no net access or embedded) or do all the time. In
theory if you really wanted to lock it down you could. Except root can
change it and root *is* a user.

>>> > However, if you don't want or need this functionality, applications
>>> > are supposed to gracefully fall back to requiring root.
>>> So for example instead of ls or emacs becoming only 1/4 root, I would
>>> have to run them as root?  And if I don't run them as root, I'd have to
>>
>> Since neither ls nor emacs is written to use polkit, running them as root
>> when you need to access a particular file is in fact the only option you
>> have.
>
> Then polkit doesn't do me any good.  Even if emacs and ls were using it,
> it would be very annoying having to enter a password all the time.
>

But not all the time. You don't use your password to run emacs; emacs
asks for permission to do something if it needs it, polkit looks at
the request and whether the user is allowed to give it that permission,
and if so asks the user if it's okay.

>>> Neither ls nor emacs ever asked me for extra authentication.  And how
>>> would it increase security if I entered the password for root into
>>> arbitrary applications whenever they ask me for it?
>>
>> It wouldn't. In a GUI, polkit has a distinctive, separate dialog box it uses
>> to ask for authentication. It's absolutely true that spoofing this sort of
>> dialog is a concern.
>
> So yes, it decreases security instead of increasing it.
>

?
"distinctive, separate dialog box" and "spoofing this sort of dialog
is a concern."
The answer to that is to prevent spoofing. If your GUI is compromised
then what you type is compromised too.

>>> It certainly does decrease security getting users used to enter the root
>>> password everywhere.  Polkit should be deprecated.
>>
>> In the typical configuration on Fedora, users in the `wheel` group are asked
>> to provide their *own* password for this sort of access.
>
> What difference does it make which password is supplied when with the
> password things can be done that are relevant for security?  Why should
> I give my password again when I'm already logged in and the system knows
> who I am?
>

Because polkit is confirming the user at the console before granting
the extra permission. It can remember that for a while.

> And what if the user in the wheel group wants to use emacs to edit some
> configuration file that can only be modified by root?  Will they be
> asked for their password?  And if they are, is it more secure to perform
> this operation when their emacs loads a large ~/.emacs that might
> contain options which could make it insecure to give privileges to
> emacs?  And my emacs session has been running for eleven days now and who
> knows what I've been doing with it that could turn out fatal once
> privileges are given to emacs.  It may run a month or two or longer and I
> might not remember having done anything ...
>

You're not thinking fine-grained. And yes, application security is an
issue with any elevated privilege application, but it doesn't get
permission to do everything as root. It gets time-limited permission
to do a specific thing that it asked for and that the user has the
authority to grant.

>> If you have an alternate implementation that solves the problems polkit was
>> meant to solve in a demonstrably better way, develop the code and propose it
>> as a Feature for a future Fedora.
>
> The alternate implementation is su.  It's much simpler and more secure
> already by being much simpler than polkit.  It's also much more
> efficient.  Polkit is insecure by design because it gets users used to
> enter their password everywhere.
>

No. su means running things unrestricted. Also the equivalent is not
su, it's actually suid, which does rely on the individual application
to assume and drop privileges responsibly.

-- 
imalone
http://ibmalone.blogspot.co.uk
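As an added illustration of the fine-grained, time-limited model Ian describes and the wheel-group convention Matthew mentions, here is a rules file of the kind polkit reads from /etc/polkit-1/rules.d/, wrapped in a small stand-in engine so it runs in Node. This is example code, not anything from the thread or from the polkit project: the stand-in engine, the subjects and the "no" default are constructed; the action id org.freedesktop.timedate1.set-time is systemd-timedated's.

```javascript
// Added example (not from the thread): a tiny stand-in for polkitd's JavaScript
// rules engine so the two rules below can be run in Node. Only the rule
// functions are written as they would be in /etc/polkit-1/rules.d/*.rules.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin",
            AUTH_ADMIN_KEEP: "auth_admin_keep" },
  _rules: [], _adminRules: [],
  addRule(fn) { this._rules.push(fn); },
  addAdminRule(fn) { this._adminRules.push(fn); },
};

// Rules run in order; the first one returning a defined result decides.
// If nothing matches, fall back to the default the action's .policy file ships.
function checkAuthorization(actionId, subject, actionDefault) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined) return r;
  }
  return actionDefault;
}

// Who counts as an administrator when an auth_admin* result is returned.
// Upstream default is root; Fedora's shipped rule names the wheel group,
// which is why wheel members type their own password rather than root's.
function adminsFor(actionId, subject) {
  for (const rule of polkit._adminRules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined) return r;
  }
  return ["unix-user:0"];
}

// Constructed subject: the fields mirror those polkit passes to rules.
function makeSubject(user, groups, local) {
  return { user, local, isInGroup: (g) => groups.includes(g) };
}

polkit.addAdminRule(function (action, subject) {
  return ["unix-group:wheel"];
});

// Fine-grained and time-limited: one action id (systemd-timedated's
// set-time), only for wheel members at the local console, and *_KEEP so the
// confirmed authorization is retained for a few minutes instead of
// prompting on every change. Anything else is left to the packaged defaults.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.timedate1.set-time" &&
      subject.local && subject.isInGroup("wheel")) {
    return polkit.Result.AUTH_ADMIN_KEEP;
  }
});
```

A remote or non-wheel subject gets whatever the .policy default is, and an unrelated action id is never touched by the rule, which is the "specific thing the user has authority to grant" point in practice.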

