
Re: Embarrassing security bug in systemd



On 09-12-17, Brian wrote:
> On Sat 09 Dec 2017 at 20:07:17 +0100, Dejan Jocic wrote:
> 
> > On 09-12-17, Jonathan Dowland wrote:
> > > On Sat, 2017-12-09 at 10:00 +0000, Brian wrote:
> > > > Consistency can be achieved by not installing policykit. The OP
> > > > appears to have chosen the wrong target.
> > > 
> > > As Michael pointed out in [1], that's not the case; prior to polkit,
> > > there was no consistency.
> > > 
> > > 
> > > [1] <8430b277-3757-8261-0e1e-23e274a0b49a@debian.org>
> > > 
> > 
> > Is it described anywhere in the Debian documentation how to achieve
> > consistency in a way different from the current defaults? Or, even better,
> > is there a way that we could get some kind of configuration option to
> > achieve it? Polkit does not really have user-friendly configuration and
> > is not really something that system administrators configure on an
> > everyday basis. At least not in my experience. The only thing that I did
> > find about configuring polkit was from some other distros. The Debian wiki
> > page about PolicyKit is not really helpful.
> 
> Apart from not installing policykit, setting allow_active to "no" in
> /usr/share/polkit-1/actions/org.freedesktop.login1.policy would do it.
> 
> Much better is to use /etc/polkit-1/localauthority. See the manual for
> pklocalauthority.
> 
> -- 
> Brian.
> 

The man page for pklocalauthority is a bit more helpful, but far from
self-explanatory. In its examples section, it provides some insight about
writing .pkla files, but it does not show all possible options, or at
least I can't be sure that it does. For example:

    [Exclude Some Problematic Users]
    Identity=unix-user:homer;unix-user:grimes
    Action=com.example.awesomeproduct.*
    ResultAny=no
    ResultInactive=no
    ResultActive=auth_admin

According to that, and after reading the man page for polkit, I can only
deduce that, for that example, the .pkla file will read the lines under
defaults in the com.example.awesomeproduct.* files and "answer"
allow_any and allow_inactive with the value no, and allow_active with the
value auth_admin. Fine, that can work. I guess that you can use wildcards
for all users, like unix-user:*, but that is only a guess, because I
can't see it documented anywhere (might have missed it). What I also do
not see anywhere is whether those are the only options available. Or is
there some man page, or additional documentation in Debian, that can
explain that?

Thank you for your time,
Dejan
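To make the .pkla semantics discussed above concrete, here is an added illustration (not polkit's own code and not from anyone in this thread) that parses the quoted example plus a constructed org.freedesktop.login1 entry and answers which Result* key applies for a given identity, action and session state. It assumes `*` glob matching for both Identity and Action entries and that a later matching entry overrides an earlier one; both are assumptions to check against the pklocalauthority man page.

```python
"""Simplified model of a polkit Local Authority (.pkla) lookup.

Added illustration, NOT polkit's own implementation. It models the
documented keys Identity, Action, ResultAny/ResultInactive/ResultActive
and ASSUMES '*' glob matching and last-matching-entry-wins ordering.
"""
import configparser
import fnmatch

# Constructed sample: the example quoted in the thread plus one
# hypothetical entry tightening power-off for every local user.
SAMPLE_PKLA = """\
[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

[Admin auth for power-off]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off
ResultActive=auth_admin
"""

# Session state -> the .pkla key that answers it (mirrors the
# allow_any / allow_inactive / allow_active defaults of .policy files).
RESULT_KEY = {"any": "ResultAny", "inactive": "ResultInactive",
              "active": "ResultActive"}


def parse_pkla(text):
    """Parse .pkla text into a list of {key: value} dicts, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. ResultActive
    cp.read_string(text)
    return [dict(cp[section]) for section in cp.sections()]


def lookup(entries, identity, action, session):
    """Return the result ('yes', 'no', 'auth_admin', ...) that applies, or
    None when no entry matches, in which case the .policy defaults apply."""
    result = None
    for entry in entries:
        ids = entry.get("Identity", "").split(";")
        acts = entry.get("Action", "").split(";")
        if not any(fnmatch.fnmatchcase(identity, i) for i in ids):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        value = entry.get(RESULT_KEY[session])
        if value is not None:
            result = value  # assumed: later matching entries win
    return result
```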