
Re: Embarrassing security bug in systemd



On Sun, 10 Dec 2017 11:02:45 +0100
Dejan Jocic <jodejka@gmail.com> wrote:

> On 10-12-17, Joe wrote:
> > On Sun, 10 Dec 2017 00:13:59 +0100
> > Dejan Jocic <jodejka@gmail.com> wrote:
> > 
> >   
> > > 
> > > The man page for pklocalauthority is a bit more helpful, but far
> > > from self-explanatory.   
> > 
> > And not updated for Debian.
> >   
> > > In its examples section, it provides some insight about
> > > writing .pkla files, but it does not show all possible options,
> > > or at least I can't be sure that it does. For example:
> > > 
> > > [Exclude Some Problematic Users]
> > >            Identity=unix-user:homer;unix-user:grimes
> > >            Action=com.example.awesomeproduct.*
> > >            ResultAny=no
> > >            ResultInactive=no
> > >            ResultActive=auth_admin
> > > 
> > > According to that, and after reading the man page for polkit, I can
> > > only deduce that, for that example, the .pkla file reads the lines
> > > under defaults in the com.example.awesomeproduct.* files and
> > > "answers" allow_any and allow_inactive with the value no and
> > > allow_active with the value auth_admin. Fine, that can work. I
> > > guess that you can use wildcards for all users, like unix-user:*,
> > > but that is only a guess, because I can't see it documented
> > > anywhere (I might have missed it). What I also do not see anywhere
> > > is whether those are the only options available, or whether there
> > > is some man page or additional documentation in Debian that can
> > > explain that?
> > >   
> > More examples, and in fact, all the Debian policies, are *.policy
> > files and under /usr/share/polkit-1, as Brian pointed out.
> > 
> > -- 
> > Joe 
> >   
> 
> And all the files under /usr/share/polkit-1 should listen to the
> local settings under /etc/polkit-1/localauthority/, so I do not
> understand what your point is?

I thought you might find more examples helpful. The man page says that
policies come from /etc/polkit-1 and /var/lib/polkit-1, but on my
system the /var/lib location is almost empty, and there's a lot
in /usr/share/polkit-1, almost nothing in /etc/polkit-1.

> 
> Or the man pages are totally wrong?
> 
Man pages are almost never totally wrong. Wrong in small but critical
details, yes, often.

There's some stuff about polkit on the Net, but nothing much official
apart from the man pages, as far as I can see.

-- 
Joe
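As an added example (not part of the thread, and not polkit's own code), the following Python script models how the Local Authority evaluates a .pkla file like the one quoted above: it parses the sections, matches the Identity and Action globs (unix-user:, unix-group:, with * wildcards as the pklocalauthority man page describes) against a subject, and picks ResultAny, ResultInactive or ResultActive by session state. The sample .pkla text is constructed for this example; the "later matching section wins" ordering and the mapping of each session state to exactly one Result key are simplifying assumptions, not a statement of polkit's exact algorithm, and the lookup order across the /etc/polkit-1/localauthority/*.d and /var/lib/polkit-1/localauthority/*.d directories and the fallback to the action's .policy defaults are not modelled.

```python
import configparser
import fnmatch

# Constructed .pkla text for this example, modelled on the man page
# example quoted in the thread. It is not taken from any real system.
PKLA_SAMPLE = """\
[Allow Everyone To Use The Product]
Identity=unix-user:*
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=yes

[Exclude Some Problematic Users]
Identity=unix-user:homer;unix-user:grimes
Action=com.example.awesomeproduct.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
"""

# The result values pklocalauthority(8) documents.
VALID_RESULTS = {"yes", "no", "auth_self", "auth_admin",
                 "auth_self_keep", "auth_admin_keep"}

# Which Result* key applies to which kind of subject. Assumption for this
# model: each subject state maps to exactly one key.
RESULT_KEYS = {"any": "ResultAny",
               "inactive": "ResultInactive",
               "active": "ResultActive"}


def parse_pkla(text):
    """Parse .pkla text into a list of entries in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep 'ResultActive' as written
    cp.read_string(text)
    entries = []
    for name in cp.sections():
        sect = cp[name]
        for required in ("Identity", "Action"):
            if required not in sect:
                raise ValueError(f"[{name}] lacks {required}=")
        results = {}
        for state, key in RESULT_KEYS.items():
            if key in sect:
                value = sect[key].strip()
                if value not in VALID_RESULTS:
                    raise ValueError(f"[{name}] {key}={value!r} is not a valid result")
                results[state] = value
        entries.append({
            "name": name,
            "identities": [g.strip() for g in sect["Identity"].split(";") if g.strip()],
            "actions": [g.strip() for g in sect["Action"].split(";") if g.strip()],
            "results": results,
        })
    return entries


def identity_matches(globs, user, groups):
    """True if any Identity glob matches the user name or one of the groups."""
    for glob in globs:
        if glob.startswith("unix-user:"):
            if fnmatch.fnmatchcase(user, glob[len("unix-user:"):]):
                return True
        elif glob.startswith("unix-group:"):
            pattern = glob[len("unix-group:"):]
            if any(fnmatch.fnmatchcase(g, pattern) for g in groups):
                return True
        # Anything else is not a recognised identity prefix; ignore it.
    return False


def lookup(entries, user, groups, action, state):
    """Return the result for (user, groups, action, state), or None when no
    section matched, in which case polkit would fall back to the action's
    defaults in its .policy file. state is 'active', 'inactive' or 'any'.
    Assumption: a later matching section overrides an earlier one."""
    if state not in RESULT_KEYS:
        raise ValueError(f"unknown subject state {state!r}")
    result = None
    for entry in entries:
        if not identity_matches(entry["identities"], user, groups):
            continue
        if not any(fnmatch.fnmatchcase(action, g) for g in entry["actions"]):
            continue
        if state in entry["results"]:
            result = entry["results"][state]
    return result


if __name__ == "__main__":
    rules = parse_pkla(PKLA_SAMPLE)
    for user, grp in (("homer", []), ("marge", ["users"])):
        for state in ("active", "inactive", "any"):
            print(user, state,
                  lookup(rules, user, grp, "com.example.awesomeproduct.launch", state))
```

To try it against a real system, replace PKLA_SAMPLE with the contents of the .pkla files under /etc/polkit-1/localauthority/50-local.d/ and check that a user who is not supposed to be able to run a given action does not come back with "yes" for the active state; an action that returns None here is governed entirely by the <defaults> in its .policy file under /usr/share/polkit-1/actions/.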

