
Re: Embarrassing security bug in systemd



On 10-12-17, Joe wrote:
> On Sun, 10 Dec 2017 11:02:45 +0100
> Dejan Jocic <jodejka@gmail.com> wrote:
> 
> > On 10-12-17, Joe wrote:
> > > On Sun, 10 Dec 2017 00:13:59 +0100
> > > Dejan Jocic <jodejka@gmail.com> wrote:
> > > 
> > >   
> > > > 
> > > > Man page for pklocalauthority is a bit more helpful, but far from
> > > > self-explanatory.
> > > 
> > > And not updated for Debian.
> > >   
> > > > In its examples section, it provides some insight about
> > > > writing .pkla files, but it does not show all possible options,
> > > > or at least I can't be sure that it does. For example:
> > > > 
> > > > [Exclude Some Problematic Users]
> > > >            Identity=unix-user:homer;unix-user:grimes
> > > >            Action=com.example.awesomeproduct.*
> > > >            ResultAny=no
> > > >            ResultInactive=no
> > > >            ResultActive=auth_admin
> > > > 
> > > > According to that, and after reading the man page for polkit, I can
> > > > only deduce that the .pkla file will, for that example, in the
> > > > com.example.awesomeproduct.* files read lines under defaults and
> > > > "answer" on allow_any and allow_inactive with the no value and on
> > > > allow_active with the auth_admin value. Fine, that can work. Guess
> > > > that you can use wildcards for all users, like unix-user:*, but
> > > > that is only a guess, cause I can't see it documented anywhere
> > > > ( might have missed it). What I also do not see anywhere is if
> > > > those are the only options available? Or is there some man page,
> > > > or additional documentation in Debian that can explain that?
> > > >   
> > > More examples, and in fact, all the Debian policies, are *.policy
> > > files and under /usr/share/polkit-1, as Brian pointed out.
> > > 
> > > -- 
> > > Joe 
> > >   
> > 
> > And all the files under /usr/share/polkit-1 should listen to the
> > local settings under /etc/polkit-1/localauthority/ so I do not
> > understand what your point is?
> 
> I thought you might find more examples helpful. The man page says that
> policies come from /etc/polkit-1 and /var/lib/polkit-1, but on my
> system the /var/lib location is almost empty, and there's a lot
> in /usr/share/polkit-1, almost nothing in /etc/polkit-1.
> 

And, like I've said, thank you for your time. But those examples are all
policy files, and local settings are done under
/etc/polkit-1/localauthority.conf.d/ for configuring which users, groups
or netgroups will be considered as admins for authentication, and under
the /etc/polkit-1/localauthority/ directories files with the .pkla extension
should be used for overriding policies with local settings. At least it
goes like that as far as I could deduce from the man pages ( anyone thinking
that I did not understand that well, please correct me ). Now, files
under /etc/polkit-1/localauthority.conf.d/ I understand, or at least
believe so. What I'm still searching for is a better understanding of
those .pkla files. I've read those man pages some time ago, when I
started with attempts to wrap my head around policykit, but was rather
busy after that and did not completely finish with it. If I understood
it right, about any .pkla file should look something like this:

  [ Description of what it does ]
  Identity=unix-user:someuser;unix-user:someotheruser;unix-group:somegroup;unix-group:someothergroup;unix-netgroup:somegroup;unix-netgroup:someothergroup
  Action=something.from.usr.share.polkit-1.actions
  ResultAny=no/yes/auth_self/auth_admin/auth_self_keep/auth_admin_keep
  ResultInactive=same/options/as/above
  ResultActive=same/options/as/above

Now, what I believe is that for Identity and Action wildcards are
allowed and that there are no more options aside from ResultAny,
ResultInactive and ResultActive that can follow the Action part. And that
no, yes or other values will be returned to the Defaults section in that
policy file defined under the Action part and change whatever was defined
there. If someone with a greater understanding of Polkit could tell me if
I got it right, or not, that would be great. In case I did not get
that right, any pointer in the right direction, or explanation, would be great
too.

Thank you for your time,
Dejan
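As an added example (not code from this thread or from polkit itself): a small Python checker that parses a .pkla file into its sections, validates the keys and Result values against the outline above, and reports which Result value a given identity/action pair would pick up. It assumes `*` in Identity and Action is matched as a shell-style glob and that the last matching entry wins; the sample .pkla text is constructed.

```python
import configparser
import fnmatch

# Keys and values as outlined in the thread for a .pkla file.
RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")
RESULT_VALUES = {"yes", "no", "auth_self", "auth_admin",
                 "auth_self_keep", "auth_admin_keep"}
IDENTITY_PREFIXES = ("unix-user:", "unix-group:", "unix-netgroup:")

# Constructed sample .pkla content (not taken from a real system).
SAMPLE_PKLA = """\
[Let operators manage the network]
Identity=unix-group:operators;unix-user:*
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=yes

[Broken entry]
Identity=unix-user:bob
Action=com.example.thing
ResultActive=maybe
"""


def parse_pkla(text):
    """Return (entries, problems): entries is a list of (description, dict)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. ResultActive
    cp.read_string(text)
    entries, problems = [], []
    for section in cp.sections():
        kv = dict(cp[section])
        for key in kv:
            if key not in ("Identity", "Action") + RESULT_KEYS:
                problems.append(f"{section}: unknown key {key}")
        for key in ("Identity", "Action"):
            if key not in kv:
                problems.append(f"{section}: missing {key}")
        for ident in kv.get("Identity", "").split(";"):
            if ident and not ident.startswith(IDENTITY_PREFIXES):
                problems.append(f"{section}: bad identity {ident}")
        for key in RESULT_KEYS:
            if key in kv and kv[key] not in RESULT_VALUES:
                problems.append(f"{section}: bad {key} value {kv[key]!r}")
        entries.append((section, kv))
    return entries, problems


def lookup(entries, identity, action, key):
    """Override value for identity/action, or None. Assumption: last match wins."""
    result = None
    for _, kv in entries:
        idents = kv.get("Identity", "").split(";")
        if (any(fnmatch.fnmatchcase(identity, i) for i in idents)
                and fnmatch.fnmatchcase(action, kv.get("Action", ""))
                and key in kv):
            result = kv[key]
    return result
```

Running `parse_pkla(SAMPLE_PKLA)` flags only the `maybe` value, which is the kind of typo a review of /etc/polkit-1/localauthority/ overrides should catch before it silently fails to apply.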

