
Re: Will unix ever get out of dependency hell



> > Why on earth does so much of the default desktops depend on polkit
> > when very little breaks when it is disabled!
> >  
> 
> Because "very little" is not "nothing at all."

But 99% of the code would work just fine without it, and does if you
remove its suid.

On Fri, 05 Apr 2013 15:39:30 -0400
Phillip Susi <psusi@ubuntu.com> wrote:

> > I have decided that sudo is superior to polkit in every way for
> > both developers and user except for if developers want to be lazy
> > and outsource policy creation to more general and so less specific
> > and so obviously likely less secure ones. I do not wish to debate
> > that and all debates I have seen have simply shown a lack of
> > understanding of what sudo can do.  
> 
> One is not "better" than the other as sudo and PolicyKit do two
> completely different things.  sudo is a command used to run other
> commands as root.  PolicyKit allows services that ( typically, but not
> necessarily ) are already running as root to accept requests to
> perform actions via DBUS in a restricted way.

If you really wanted to do that you would find the likes of SELinux,
RBAC, TOMOYO and AppArmor more effective, useful to a user and less of
a risk; however, they do not save you from writing bad code, and sudo
encourages the best of that in a nice privilege-separated utility.

If it was the case that polkit just did that then sudo would still be my
choice, as it is not always running, is filesystem based and, as Android
realises (we'll ignore their dbus security problems), the program dev is
the only one who can truly minimise privileges (though I wish Android
would let you override them; perhaps ubuntu-mobile will). But it
wouldn't be a big problem and we wouldn't have all these dependency
issues, and when reducing the number of root programs, such as running
rsyslog as its own user, you could decide whether or not to run polkit
with no restrictions.

Let's analyse the situation due to polkit doing two things, and
primarily its secondary task, rather than one thing and doing it well as
per the unix philosophy. The man page says it does as you have said
(though I have seen very little of that, thankfully, as it is wrong in my
book) and it also handles policies granting privileges.

Ignoring the positives of sudo, and bearing in mind sudo makes no
stipulations upon users' systems, uses zero resources (reports of Gentoo
systems without polkit being quicker) and is easy to configure even from
a console, let's look at just the dependency negatives of polkit (this
post is already too long), which I am convinced was developed by Red Hat
to fit in with PAM and because they seemingly have little idea about
sudo's abilities and group permissions, unlike Debian who always used
them fairly well. Let's not forget that PAM has not got a great
security record either.


nvidia-settings wants to install an xorg.conf file. An Nvidia user
could easily have this ability via sudo and a sudoers policy could be
provided in two seconds.

Maybe a user like me doesn't even care and just wants to create a config
and install it himself, or just change the brightness upon login
from an rc script. This requires no extra privileges.

What are his choices?

Run polkit with all the defaults, which is far more permissions and code
running as root than he needs.

Look into locking it down, yet it is still pointlessly running as root
and notoriously annoying to configure, not to mention pointlessly
pulling in things like the JS package, which aids ROP attacks.

Disable its suid and, if he knows how, redirect all the "setuid not
correct" logs to null.



Or the best option for the average user with any ability at all. Remove
polkit.


I decided to make my Ubuntu gaming machine leaner for Steam recently and
I was appalled how bad the situation needlessly is.

The whole of KDE out the window, when 99% of it has nothing to do with
polkit, no problem, I was aiming for leaner anyway. 

Udisks, no problem, having to use usbmount or some udev rules to run
the beautifully unix like mount program is a stupid problem to have
but again, I can live with it and I do anyway for systems I wish to
secure.

nvidia-settings gone, how annoying. Install from nvidia.com, still
without polkit, and I have 100% of its functionality back. I just have
to update it manually.

Pulseaudio gone. OK, I can use ALSA; pulseaudio doesn't work with a
grsecurity kernel anyway, and I can finally get around to learning about
jackd, which is meant to be far better anyway, and perhaps apply it to all
my systems.


Steam-launcher gone, as it requires jockey which requires polkit. OK, I
install Steam-launcher from steampowered.com. Runs just fine. I am
annoyed but glad with my lean machine.

BUT, now, even though my machine works fine and how I want, I can't
update the machine without pulling in polkit for jockey, which the steam
launcher that I wasn't allowed to install from the repo requires.

These types of problems have spawned things like spacefm, which I am very
impressed with for its independence, modular nature and user
empowerment.

All of this could be simply avoided with many benefits if a well
designed user facing program like sudo was used in the first place for
the single task it was designed to do well.

Again, I often read things like "I know polkit is superior to sudo
but", without justification, and I'm almost certain I know all the
arguments and it absolutely is inferior, even on a security front.


-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________
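Editor's worked example for the sudoers point raised in the post (the nvidia-settings rule that "could be provided in two seconds"). This is example code added here, not from the original mail, from Debian/Ubuntu, or from sudo itself. It models the argument-matching behaviour described in sudoers(5): the requested argv[1:] is joined with single spaces and glob-matched against the rule's argument pattern, so a bare "*" matches across spaces, an empty "" pattern means "no arguments at all", and a rule with no argument pattern permits any arguments. The binary path, the %video group and the option names (--load-config-only, --config=) are illustrative assumptions; check the real program's options before copying a rule. The practical check it shows: the "two second" rule is only as narrow as its argument pattern, and a trailing wildcard silently grants every extra option the program accepts.

```python
"""Model of sudoers Cmnd_Spec argument matching (editor's example; not sudo's
own code).  Assumption: matching follows sudoers(5): argv[1:] joined by single
spaces, glob-matched with fnmatch against the rule's argument pattern."""

import fnmatch
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CmndSpec:
    """Command part of a sudoers rule (user/host/runas parsing is omitted)."""
    path: str              # absolute path of the permitted program
    args: Optional[str]    # None = any arguments, "" = no arguments,
                           # anything else = glob pattern for argv[1:]


def parse_cmnd_spec(text: str) -> CmndSpec:
    """Parse e.g. '/usr/bin/nvidia-settings --load-config-only',
    '/usr/bin/nvidia-settings ""' (no args allowed) or
    '/usr/bin/nvidia-settings' (any args allowed)."""
    path, _, rest = text.strip().partition(" ")
    rest = rest.strip()
    if rest == "":
        return CmndSpec(path, None)
    if rest == '""':
        return CmndSpec(path, "")
    return CmndSpec(path, rest)


def command_allowed(spec: CmndSpec, argv: List[str]) -> bool:
    """Would sudo accept this argv under the rule?  The path must match
    exactly; the arguments are compared as one space-joined string, which is
    why '*' in a pattern also swallows additional options."""
    if not argv or argv[0] != spec.path:
        return False
    joined = " ".join(argv[1:])
    if spec.args is None:
        return True
    if spec.args == "":
        return joined == ""
    return fnmatch.fnmatchcase(joined, spec.args)


def evaluate(rule: str, invocations: List[str]) -> Dict[str, bool]:
    """Map each shell-style invocation string to allowed/denied under rule."""
    spec = parse_cmnd_spec(rule)
    return {inv: command_allowed(spec, shlex.split(inv)) for inv in invocations}


# Constructed sample invocations; option names are illustrative only.
INVOCATIONS = [
    "/usr/bin/nvidia-settings --load-config-only",
    "/usr/bin/nvidia-settings --load-config-only --config=/etc/shadow",
    "/usr/bin/nvidia-settings",
    "/bin/sh -c id",
]

# Three candidate command specs for the same task.  Only the command part is
# modelled; a complete sudoers line (hypothetical group) would read:
#   %video ALL=(root) NOPASSWD: /usr/bin/nvidia-settings --load-config-only
EXACT_RULE = "/usr/bin/nvidia-settings --load-config-only"   # one argv only
WILDCARD_RULE = "/usr/bin/nvidia-settings *"                 # any options
NOARGS_RULE = '/usr/bin/nvidia-settings ""'                  # no options


if __name__ == "__main__":
    for name, rule in (("exact", EXACT_RULE), ("wildcard", WILDCARD_RULE),
                       ("no-args", NOARGS_RULE)):
        print(f"rule ({name}): {rule}")
        for inv, ok in evaluate(rule, INVOCATIONS).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {inv}")
```

Run it and compare the three tables: the exact rule admits exactly one command line, the wildcard rule admits anything the program will parse (including options that read or write other files), and the "" rule admits the bare program only. Real sudo adds user, host and Runas matching on top of this, but the argument-pattern pitfall is the same.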

