[arch-general] File permissions with udisks/udisk2 mounts

[Kevin Chadwick]

On Thu, 22 Nov 2012 21:52:30 +0000
Fons Adriaensen <fons at linuxaudio.org> wrote:

> > The need to constantly review the source to work out exactly what
> > polkit allows is my primary reason to disable it.  
> 
> What is your way to disable it once and for all ?

Well I wouldn't say once and for all. In a link from a thread
about /usr earlier this week I read of a Gentoo guy who has disabled
all the kits and probably did it more properly by building packages
without polkit support but I don't have time for that.

I still keep an eye on it but simply removed the suid permissions from
a few files and do so after polkit upgrades via the upgrade pacman
wrapper scripts I already had.

/bin/chmod -s /usr/lib/polkit-1/polkit-agent-helper
/bin/chmod -s /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/chmod -s /usr/bin/pkexec (I prefer sudo anyway)

I tried to keep it as undrastic as possible without affecting dbus and
so things like default power managers, but more subtle suid
removal attempts failed. I imagine network manager is broken, but it
hasn't bothered me yet, possibly never. It may be fine to simply
prevent execution or dummy polkit but I didn't have time to investigate
and worried about timeouts that dbus permission denied may be
preventing. I did consider a block all permissions rule but figured if
I don't need it then I don't want it running as root reinforced by my
experience of the main developer and his blog showing implementing
things without due consideration, peer review or management.


My users haven't noticed so far anyway ;-)