On Wed, Sep 28, 2011 at 06:14:24PM -0500, C Anthony Risinger wrote:
On Sep 28, 2011 3:53 PM, "Tom Gundersen" firstname.lastname@example.org wrote:
The way it works is that both the frontend (the unprivileged process, e.g. the GUI for setting your timezone) and the backend (the privileged process, e.g. the app that writes the timezone data to /etc/localtime) interface with PK. The backend will ultimately be the one deciding who should be allowed to do what under which conditions, PK is just the interface that lets this be done in a uniform way.
The process is similar for libvirt -- when the policy is "unix perms only" having r/w access to the control socket is enough to authorize. However, when polkit is in use (the default) the socket is world writable simply because anyone *could* be authorized to use it (you could still use fs perms if you wanted) ... but all requests must be approved by polkit anyway, and at no time are you really exposing anything -- all configs/etc are never directly malleable or even disclosed.
Thanks to both of you, but I still must be missing something.
For example, when I insert a USB stick on my machine and try to mount it as a normal user I get a reply that only root can do that. That's what I actually want (there are some exceptions in /etc/fstab for my own sticks, which are identified by UUID).
Yet some Gnome/KDE desktop apps are able to mount even when running as a normal user, when PK agrees (which in my eyes is a subversion of a policy set by the sysadmin). How do they do this if neither 'mount' nor the syscalls used by it take any notice of PK (thank $GOD for that)?
The only way I can imagine ATM is that such environments have a collection of small suid programs or daemons (all talking to PK) that do the work, and that PK is there to allow these to be separate from the main apps which require the service.
If things work that way I'd say these are mafia tactics :-)
1. Make sure you have a number of corrupt police officers, judges, etc. (the privileged proxies or daemons),
2. Use them to impose your own laws (PK) instead of those of civil society (the system).
In that case the real security threat is (1), not (2).
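The frontend/backend split described at the top of the thread means the sysadmin's policy is whatever the backend asks polkit for, and polkit answers from the rules the admin installs. The following is an added example, not code from anyone in this thread: a small local model of polkit's JavaScript rules evaluation, with two rules written in the real rules-file syntax (polkit.addRule, polkit.Result, subject.isInGroup) that restrict removable-media mounting. The `polkit` object and `checkAuthorization()` are a stand-in for polkitd so the rules can be exercised offline; the action id `org.freedesktop.udisks2.filesystem-mount` is the udisks2 mount action and is an assumption about which backend the desktop uses.

```javascript
// Added example: a local model of how polkitd evaluates admin rules.
// The two rules below are in the real /etc/polkit-1/rules.d syntax; everything
// else is a stand-in for polkitd so the decision logic can be run offline.

const polkit = {
  // Subset of the real polkit.Result values (assumed sufficient here).
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Stand-in for the backend asking polkitd "may this subject perform action X?".
// polkitd runs rules in file order and takes the first non-undefined result;
// if no rule answers, the action's own .policy default applies (passed in here).
function checkAuthorization(actionId, subject, policyDefault) {
  const action = { id: actionId };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return policyDefault;
}

// Minimal subject object with the isInGroup() method real rules use.
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}

// --- sysadmin rules as they would appear in /etc/polkit-1/rules.d/10-mount.rules ---
polkit.addRule(function (action, subject) {
  // Users outside the "disk" group may not mount removable filesystems via udisks2,
  // regardless of what the desktop frontend requests.
  if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
      !subject.isInGroup("disk")) {
    return polkit.Result.NO;
  }
});

polkit.addRule(function (action, subject) {
  // Members of "disk" are allowed, but only after an admin authentication.
  if (action.id == "org.freedesktop.udisks2.filesystem-mount" &&
      subject.isInGroup("disk")) {
    return polkit.Result.AUTH_ADMIN;
  }
});

// Convenience wrapper: the udisks2 .policy default for this action is "yes" for
// local active sessions, so that is the fallback when no rule matches.
function decideMount(user, groups) {
  return checkAuthorization("org.freedesktop.udisks2.filesystem-mount",
    makeSubject(user, groups), polkit.Result.YES);
}

// Unrelated actions fall through to their own policy default.
function decideOther(actionId, user, groups) {
  return checkAuthorization(actionId, makeSubject(user, groups), polkit.Result.AUTH_ADMIN);
}

console.log("alice (users):", decideMount("alice", ["users"]));
console.log("bob (disk):   ", decideMount("bob", ["users", "disk"]));
```

The point for the thread's question is visible in the fallback: with no admin rule installed, the udisks2 default of "yes" is what lets a desktop app mount as an ordinary user, while the rules above show the same decision being placed back under the sysadmin's control without touching `mount` or `/etc/fstab`.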