What are these for?
Marko Vojinovic
vvmarko at gmail.com
Thu Nov 22 10:27:10 UTC 2012
On Wed, 21 Nov 2012 15:38:25 +0100 lee <lee at yun.yagibdah.de> wrote:
> Matthew Miller <mattdm at fedoraproject.org> writes:
> > On Wed, Nov 21, 2012 at 12:37:47PM +0100, lee wrote:
> >> > For example, a timezone applet can show you the time as a
> >> > regular user and only require extra authentication to change it.
> >> Regular users must not change the system time. It's on UTC and
> >> kept on track with chrony.
> >
> > Well, exactly. That's why you would need extra authentication to
> > change it.
>
> Users are not supposed to change it at all, not even with extra
> authentication.
System time is not the hardware clock (which is always on UTC), but
rather UTC plus local timezone offset. Changing the timezone is a
common thing when traveling with a laptop, and it requires extra
authentication.
> What difference does it make which password is supplied when with the
> password things can be done that are relevant for security? Why
> should I give my password again when I'm already logged in and the
> system knows who I am?
Someone else might sit in front of your machine while you are
momentarily away, and try to perform some security-related operation.
The system needs to make sure it is really you, every time, regardless
of the fact that you are already logged in.
> > If you have an alternate implementation that solves the problems
> > polkit was meant to solve in a demonstrably better way, develop the
> > code and propose it as a Feature for a future Fedora.
>
> The alternate implementation is su. It's much simpler and more secure
> already by being much simpler than polkit. It's also much more
> efficient. Polkit is insecure by design because it gets users used to
> entering their password everywhere.
If you do a "su -c someapp", then that app runs with root privileges,
and *everything* it does --- it does as root. When an app interacts
with polkit, after you provide the root password, polkit allows the app
to do *only* *one* *particular* *action* as root, rather than
everything. So the app can elevate its privileges in a more controlled
way, only when necessary and only for what is necessary.
HTH, :-)
Marko
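An added example, not part of the thread above, of what "only one particular action" looks like in practice. The rule is written in the syntax of a polkit rules file (/etc/polkit-1/rules.d/*.rules, JavaScript, evaluated by polkitd) and grants a wheel-group user in a local, active session the right to change the timezone through systemd-timedated, asking for the admin password every time. The action id org.freedesktop.timedate1.set-timezone is the real systemd-timedated action; the surrounding `polkit` object, `makeSubject` and `decide` are a constructed stand-in for polkitd's rule engine so the rule can be run and inspected offline with Node, and the user names and group lists are made up for the demonstration. Note how the neighbouring action that sets the wall clock (org.freedesktop.timedate1.set-time) is not touched by the rule at all; with `su -c` there is no such distinction, the whole program simply runs as root.

```javascript
"use strict";

// Constructed model of polkitd's JavaScript rule engine (not polkit's own
// code). Real polkitd loads *.rules files in lexical order and takes the
// first rule that returns a polkit.Result value; the same dispatch is
// modelled here so the rule below can be evaluated without a running daemon.
const polkit = {
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_SELF: "auth_self",
    AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin",
    AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) {
    this._rules.push(fn);
  },
  // First rule that returns a non-null value decides. If no rule handles the
  // action, polkitd falls back to the implicit authorization declared in the
  // action's .policy file; the policy files are outside this model, so the
  // fallback is passed in as `implicitResult`.
  evaluate(action, subject, implicitResult) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return implicitResult;
  },
};

// Subject shaped like polkit's Subject object: user name, group membership,
// and whether the session is local and currently active.
function makeSubject(user, groups, local = true, active = true) {
  return {
    user,
    local,
    active,
    isInGroup(g) {
      return groups.includes(g);
    },
  };
}

// --- The rule, as it would appear in a *.rules file ---------------------
// Scope is exactly one action id: changing the timezone via systemd-timedated.
// Setting the clock itself (org.freedesktop.timedate1.set-time) and toggling
// NTP are separate action ids and are deliberately not handled here.
polkit.addRule(function (action, subject) {
  if (
    action.id === "org.freedesktop.timedate1.set-timezone" &&
    subject.local &&
    subject.active &&
    subject.isInGroup("wheel")
  ) {
    // AUTH_ADMIN (not AUTH_ADMIN_KEEP): prompt for the admin password on every
    // request, so someone at an unattended but logged-in desktop still has to
    // prove they are the administrator.
    return polkit.Result.AUTH_ADMIN;
  }
  // Anything else: not handled, fall through to later rules / implicit policy.
});

// What the engine decides for an action id and subject. `implicitResult`
// stands in for the action's .policy default and is a parameter of this
// model, not a value read from the system.
function decide(actionId, subject, implicitResult = polkit.Result.NO) {
  return polkit.evaluate({ id: actionId }, subject, implicitResult);
}

// Stand-alone demonstration with constructed users.
const wheelUser = makeSubject("alice", ["wheel", "users"]);
const plainUser = makeSubject("bob", ["users"]);
const remoteWheel = makeSubject("alice", ["wheel"], /* local */ false);
for (const [label, subj] of [
  ["alice (wheel, local)", wheelUser],
  ["bob (no wheel)", plainUser],
  ["alice (wheel, ssh)", remoteWheel],
]) {
  for (const id of [
    "org.freedesktop.timedate1.set-timezone",
    "org.freedesktop.timedate1.set-time",
  ]) {
    console.log(`${label.padEnd(22)} ${id.padEnd(42)} -> ${decide(id, subj)}`);
  }
}

module.exports = { polkit, makeSubject, decide };
```

Run it with `node` to print the decision table. Only the timezone action for a local wheel user yields `auth_admin`; every other combination falls back to the implicit policy, which is the per-action granularity the thread contrasts with `su -c`.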