
Re: Embarrassing security bug in systemd



On Sun 10 Dec 2017 at 15:52:30 +0100, Dejan Jocic wrote:

> On 10-12-17, Joe wrote:
> > 
> > I thought you might find more examples helpful. The man page says that
> > policies come from /etc/polkit-1 and /var/lib/polkit-1, but on my
> > system the /var/lib location is almost empty, and there's a lot
> > in /usr/share/polkit-1, almost nothing in /etc/polkit-1.
> > 
> 
> And, like I've said, thank you for your time. But those examples are all
> policy files and local settings are done under
> /etc/polkit-1/localauthority.conf.d/ for configuring which users, groups
> or netgroups will be considered as admins for authentication, and under
> /etc/polkit-1/localauthority/ directories with .pkla extension files
> should be used for overriding policies with local settings. At least it
> goes like that as far as I could deduce from man pages (anyone thinking
> that I did not understand that well, please correct me). Now, files

Your understanding is at least as good as or better than mine (which isn't
itself magnificent).

> under /etc/polkit-1/localauthority.conf.d/ I understand, or at least
> believe so. What I'm still searching for is better understanding of
> those .pkla files. I've read those man pages some time ago, when I've
> started with attempts to wrap my head around PolicyKit, but was rather
> busy after that and did not completely finish with it. If I understood
> it right, about any .pkla file should look something like this:

I think this is correct.

>   [ Description of what it does ]
>   Identity=unix-user:someuser;unix-user:someotheruser;unix-group:somegroup;unix-group:someothergroup;unix-netgroup:somegroup;unix-netgroup:someothergroup
>   Action=something.from.usr.share.polkit-1.actions
>   ResultAny=no/yes/auth_self/auth_admin/auth_self_keep/auth_admin_keep
>   ResultInactive=same/options/as/above
>   ResultActive=same/options/as/above

At least one of the last three lines is needed. But three is ok.

> Now, what I believe is that for Identity and Action wildcards are
> allowed and that there are no more options aside from ResultAny,

The manual mentions globs.

> ResultInactive and ResultActive that can follow Action part. And that
> no, yes or other values will be returned to Defaults section in that
> policy file defined under Action part and change whatever was defined
> there. If someone with greater understanding of Polkit could tell me if
> I got it right, or not, that would be great. In case that I did not get
> that right, any point in right direction, or explanation would be great
> too.

The best way to understand is to ask for or give a specific example.

Suppose Urs Thuermann has got over the shock his 10-year-old son's
actions gave him and he wanted never to experience such horror again.

[No user rebooting, powering off etc]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultAny=no
ResultActive=no
ResultInactive=no

should do it.

That still leaves CTRL+ALT+DEL from a tty to be taken care of.

-- 
Brian.
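As an added worked example (not code from the thread or from polkit itself), the
small parser and evaluator below models the .pkla semantics the thread spells
out: Identity and Action are mandatory and hold semicolon-separated globs, at
least one of ResultAny/ResultActive/ResultInactive must be present, and each
result is one of the six allowed values. The sample file is constructed for the
example and combines Brian's deny-everything rule with a second, hypothetical
entry for a group called "admin". Two assumptions of the model are that the last
matching entry wins and that an entry lacking the session-specific key falls
back to ResultAny; unix-netgroup identities are not modelled.

```python
import configparser
import fnmatch

# Constructed sample .pkla content for this example (not a file shipped by
# polkit or any distribution). The first entry is the one from the post above;
# the second is a hypothetical override for a group named "admin".
SAMPLE_PKLA = """\
[No user rebooting, powering off etc]
Identity=unix-user:*
Action=org.freedesktop.login1.*
ResultAny=no
ResultActive=no
ResultInactive=no

[Admins may reboot or power off after authenticating]
Identity=unix-group:admin
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.power-off
ResultAny=auth_admin
ResultActive=auth_admin
ResultInactive=auth_admin
"""

VALID_RESULTS = {"no", "yes", "auth_self", "auth_admin",
                 "auth_self_keep", "auth_admin_keep"}
RESULT_KEYS = ("ResultAny", "ResultActive", "ResultInactive")


def parse_pkla(text):
    """Parse .pkla text into a list of rule dicts, enforcing the constraints
    discussed in the thread: Identity and Action are mandatory, at least one
    Result* key is present, and every result value is one of the six allowed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the CamelCase keys exactly as written
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        sec = cp[name]
        if "Identity" not in sec or "Action" not in sec:
            raise ValueError(f"[{name}]: Identity and Action are mandatory")
        results = {k: sec[k].strip() for k in RESULT_KEYS if k in sec}
        if not results:
            raise ValueError(f"[{name}]: at least one Result* key is required")
        for key, value in results.items():
            if value not in VALID_RESULTS:
                raise ValueError(f"[{name}]: {key}={value!r} is not a valid result")
        rules.append({
            "name": name,
            # Both Identity and Action are semicolon-separated lists of globs.
            "identities": [i.strip() for i in sec["Identity"].split(";") if i.strip()],
            "actions": [a.strip() for a in sec["Action"].split(";") if a.strip()],
            "results": results,
        })
    return rules


def identity_matches(identities, user, groups):
    """True if any unix-user:/unix-group: glob matches the caller.
    unix-netgroup: entries need an NIS lookup and are not modelled here."""
    for ident in identities:
        kind, _, glob = ident.partition(":")
        if kind == "unix-user" and fnmatch.fnmatchcase(user, glob):
            return True
        if kind == "unix-group" and any(fnmatch.fnmatchcase(g, glob) for g in groups):
            return True
    return False


def evaluate(rules, user, groups, action, session="active"):
    """Return the result for one caller and action, or None when no entry
    matches (polkit then falls back to the defaults in the action's policy
    file). Assumed semantics: the last matching entry wins, and an entry
    without the session-specific key falls back to its ResultAny."""
    specific = {"active": "ResultActive", "inactive": "ResultInactive",
                "any": "ResultAny"}[session]
    decision = None
    for rule in rules:
        if not identity_matches(rule["identities"], user, groups):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in rule["actions"]):
            continue
        result = rule["results"].get(specific) or rule["results"].get("ResultAny")
        if result is not None:
            decision = result
    return decision


if __name__ == "__main__":
    rules = parse_pkla(SAMPLE_PKLA)
    cases = [("alice", ["users"], "org.freedesktop.login1.reboot"),
             ("bob", ["admin"], "org.freedesktop.login1.reboot"),
             ("bob", ["admin"], "org.freedesktop.login1.suspend"),
             # hypothetical action id, matched by neither entry
             ("alice", ["users"], "org.example.unrelated.action")]
    for user, groups, action in cases:
        print(f"{user:5} {action:35} -> {evaluate(rules, user, groups, action)}")
```

On a real system the same question is answered by polkit itself: `pkaction
--verbose --action-id org.freedesktop.login1.reboot` shows the action's implicit
defaults, and `pkcheck --action-id org.freedesktop.login1.reboot --process $$`
reports whether the calling process is authorized once the .pkla overrides have
been applied.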


