
Re: Embarrassing security bug in systemd



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Dec 07, 2017 at 03:03:44AM -0600, Dave Sherohman wrote:
> On Thu, Dec 07, 2017 at 11:26:45AM +1300, Ben Caradoc-Davies wrote:
> > Special privileges have been granted to console users for as long as I can
> > remember, long before systemd, because they have physical access to the
> > machine. Console users typically are also permitted to mount, unmount, and
> > eject removable media, and have access to audio devices.
> 
> I think this is a key point that's been overlooked in the complaints
> about this behavior:  It has nothing to do with systemd.

No. It has to do with polkit & friends. On my system (which is a pretty
"classic" setup: no systemd, but also as little as possible from all
this more "modern" desktop stuff, which I don't like very much [1]),
/sbin/halt *wants* me to be root. This isn't inherently more secure
(or less) but just The Way it Is (TM) -- a heritage from the times when
*every* user on a Unix system was remote.

The policy kit and its descendants try to make a guess whether the
user is "physically present" to allow them to shut down the computer.
As others have pointed out, this does make sense (as long as the
above guess is sufficiently accurate, that is), because the user
can pull the cord/extract the batteries/smash the box anyway.

Now to that guess: for your vanilla PC/laptop/tablet/smartphone
class of machine, if the user is at the console or the local
terminal, implying presence is a pretty accurate guess. That's
why the default configuration comes shipped as it is. If you
are installing an ATM/voting computer/AS400, I'd hope that, as
a system integrator you *know what you are doing* and set the
defaults appropriately.

So all is well. This isn't a bug. For someone coming from
"traditional" Unix, this might be unexpected (and has thus some
potential for damage), but that expectation hasn't been broken
by systemd this time.

There are Linux distros for big IBM iron: does anyone care to have
a look at how the default policy settings are there? (As that's
SuSE's realm, mainly, I'd guess they are similar enough to
RedHat that they're using something along these lines.)

Cheers

[1] Don't get me wrong. Those desktop thingies have their place.
   Just not on "my" desktop, dammit :-)
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlopFhsACgkQBcgs9XrR2kaUcwCeMgdvqAWryzSSxE5W3r8+Ol2o
NE8AnAlA3wWeb2dJ4xdTN5Cyy+3Al/PT
=xit+
-----END PGP SIGNATURE-----
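The post above argues that the shipped polkit defaults fit an ordinary PC, and that an integrator building an appliance (the ATM / voting-machine case) should set the defaults appropriately. Here is an added example of what that looks like, not taken from the post or from any distribution: a polkit rules file in the style of `/etc/polkit-1/rules.d/` that refuses shutdown and reboot to everyone except administrators (assumed here to be the `wheel` group), so an active local console session no longer gets it for free. The small `polkit` object and the `decide()` loop are a constructed stand-in for polkitd's rule engine so the rule can be exercised offline; the `addRule`, `Result`, `log`, `subject.isInGroup` and `subject.user` names match the real polkit JavaScript API, and the `org.freedesktop.login1.*` action ids are the real systemd-logind ones.

```javascript
// Added example, not from the mailing-list post. The "polkit" object and
// decide() below are a constructed stand-in for the polkitd rules engine;
// only the polkit.addRule(...) call would go into a real .rules file.

// --- constructed stand-in for what polkitd provides to rule files ---
const polkit = {
  // Real polkit.Result values; NOT_HANDLED is null, meaning "ask the next rule".
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd would write this to the journal; ignored offline */ },
};

// Evaluate rules in registration order, as polkitd does: the first rule that
// returns a non-null result decides; otherwise the action's own default from
// its .policy file applies (passed in here as actionDefault).
function decide(actionId, subject, actionDefault) {
  const action = { id: actionId };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== null && r !== undefined) return r;
  }
  return actionDefault;
}

// Helper for constructing subjects in the shape polkit exposes to rules.
function makeSubject(user, groups, local, active) {
  return {
    user, local, active,
    isInGroup: (g) => groups.includes(g),
  };
}

// --- the rule itself, e.g. /etc/polkit-1/rules.d/10-appliance-power.rules ---
// systemd-logind action ids for power-off/reboot/suspend/hibernate, including
// the "-multiple-sessions" and "-ignore-inhibit" variants of each.
const POWER_ACTIONS =
  /^org\.freedesktop\.login1\.(power-off|reboot|suspend|hibernate)(-multiple-sessions|-ignore-inhibit)?$/;

polkit.addRule(function (action, subject) {
  if (!POWER_ACTIONS.test(action.id)) {
    return polkit.Result.NOT_HANDLED; // not ours: other rules / defaults decide
  }
  // Administrators may still shut the machine down, but must authenticate,
  // which is how the "traditional Unix" remote-user case has always worked.
  if (subject.isInGroup("wheel")) {
    return polkit.Result.AUTH_ADMIN;
  }
  // Everyone else is refused, *including* an active local console session:
  // being at the console of an appliance is not taken as proof of authority.
  polkit.log("refusing " + action.id + " for " + subject.user);
  return polkit.Result.NO;
});
```

On a real system the `polkit.addRule(...)` part alone is the rules file; the stand-in objects exist only so the decision logic can be checked without polkitd. Rules files are evaluated in lexical filename order, so a lower-numbered file wins over a later one that would grant the action.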

