On 21 November 2012 14:38, lee <lee@xxxxxxxxxxxxxxx> wrote:

I don't pretend to have the answers to all your questions, but:

> Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> writes:
>
>> On Wed, Nov 21, 2012 at 12:37:47PM +0100, lee wrote:
>> By only asking for and using privileged access when required. That's a
>> fundamentally good idea.
>
> And how do you know or make sure that some software uses your password
> only for that?
>

You don't really, but this is why policy kit is supposed to handle the
authentication and tell you what access is being requested.

>>>> For example, a timezone applet can show you the time as a regular user
>>>> and only require extra authentication to change it.
>>> Regular users must not change the system time. It's on UTC and kept on
>>> track with chrony.
>>
>> Well, exactly. That's why you would need extra authentication to change it.
>
> Users are not supposed to change it at all, not even with extra
> authentication.
>

How does it ever get changed then? You might answer that you use ntpd (in
which case you are trusting people on the internet), but not all systems
can (maybe no net access or embedded) or do all the time. In theory if you
really wanted to lock it down you could. Except root can change it and root
*is* a user.

>>>> However, if you don't want or need this functionality, applications
>>>> are supposed to gracefully fall back to requiring root.
>>> So for example instead of ls or emacs becoming only 1/4 root, I would
>>> have to run them as root? And if I don't run them as root, I'd have to
>>
>> Since neither ls nor emacs is written to use polkit, running them as root
>> when you need to access a particular file is in fact the only option you
>> have.
>
> Then polkit doesn't do me any good. Even if emacs and ls were using it,
> it would be very annoying having to enter a password all the time.
>

But not all the time. You don't use your password to run emacs; emacs asks
for permission to do something if it needs it, polkit looks at the request
and whether the user is allowed to give it that permission, and if so asks
the user if it's okay.

>>> Neither ls nor emacs ever asked me for extra authentication. And how
>>> would it increase security if I entered the password for root into
>>> arbitrary applications whenever they ask me for it?
>>
>> It wouldn't. In a GUI, polkit has a distinctive, separate dialog box it uses
>> to ask for authentication. It's absolutely true that spoofing this sort of
>> dialog is a concern.
>
> So yes, it decreases security instead of increasing it.
>

? "distinctive, separate dialog box" and "spoofing this sort of dialog is a
concern." The answer to that is to prevent spoofing. If your GUI is
compromised then what you type is compromised too.

>>> It certainly does decrease security getting users used to entering the root
>>> password everywhere. Polkit should be deprecated.
>>
>> In the typical configuration on Fedora, users in the `wheel` group are asked
>> to provide their *own* password for this sort of access.
>
> What difference does it make which password is supplied when with the
> password things can be done that are relevant for security? Why should
> I give my password again when I'm already logged in and the system knows
> who I am?
>

Because polkit is confirming the user at the console before granting the
extra permission. It can remember that for a while.

> And what if the user in the wheel group wants to use emacs to edit some
> configuration file that can only be modified by root? Will they be
> asked for their password? And if they are, is it more secure to perform
> this operation when their emacs loads a large ~/.emacs that might
> contain options which could make it insecure to give privileges to
> emacs? And my emacs session has been running for eleven days now and who
> knows what I've been doing with it that could turn out fatal once
> privileges are given to emacs. It may run a month or two or longer and I
> might not remember having done anything ...
>

You're not thinking fine-grained. And yes, application security is an issue
with any elevated privilege application, but it doesn't get permission to do
everything as root. It gets time-limited permission to do a specific thing
that it asked for and that the user has the authority to grant.

>> If you have an alternate implementation that solves the problems polkit was
>> meant to solve in a demonstrably better way, develop the code and propose it
>> as a Feature for a future Fedora.
>
> The alternate implementation is su. It's much simpler and more secure
> already by being much simpler than polkit. It's also much more
> efficient. Polkit is insecure by design because it gets users used to
> entering their password everywhere.
>

No. su means running things unrestricted. Also the equivalent is not su,
it's actually suid, which does rely on the individual application to assume
and drop privileges responsibly.

-- 
imalone
http://ibmalone.blogspot.co.uk

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
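The decision the reply describes (polkit looks at the request, checks whether this user may grant it, prompts only when policy says so, and remembers a granted authentication for a while) as an added, stand-alone example; this is not code from the thread or from the polkit project. The two rules are written in polkit's own JavaScript rules syntax, the form used in `/etc/polkit-1/rules.d/*.rules`; the `Authority` class is an assumed stand-in for `polkitd` so the file runs offline. The action id `org.freedesktop.timedate1.set-time` (systemd-timedated's clock-setting action), the `auth_admin_keep` implicit default for it, the 300-second retention window and the user and group names are all assumptions, marked as such in the code.

```javascript
// Added example: a minimal model of polkit's authorization decision.
// Not polkit's code; the Authority class stands in for polkitd.

const Result = {
  NO: "no",
  YES: "yes",
  AUTH_SELF: "auth_self",             // prove you are the user: own password
  AUTH_SELF_KEEP: "auth_self_keep",   // same, and remember it for a while
  AUTH_ADMIN: "auth_admin",           // an admin identity (wheel members on Fedora)
  AUTH_ADMIN_KEEP: "auth_admin_keep", // same, and remember it for a while
  NOT_HANDLED: null,
};
const KEEP_SECONDS = 300; // assumed retention window for *_keep results

class Authority {
  constructor() {
    this.rules = [];
    this.kept = new Map(); // "user|actionId" -> expiry time (seconds)
  }
  // Same call shape as polkit.addRule in a real rules file.
  addRule(fn) { this.rules.push(fn); }

  // Decide one request. Rules run in order; the first that returns a value wins,
  // otherwise the action's implicit default (from its .policy file) applies.
  // Returns { allowed, challenge } with challenge null, "self" or "admin".
  check(action, subject, implicitDefault, now) {
    let result = Result.NOT_HANDLED;
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== Result.NOT_HANDLED) { result = r; break; }
    }
    if (result === Result.NOT_HANDLED) result = implicitDefault;

    if (result === Result.YES) return { allowed: true, challenge: null };
    if (result === Result.NO) return { allowed: false, challenge: null };

    // *_keep: a recent successful authentication for this user and action still counts,
    // so the agent does not open its dialog again.
    const key = `${subject.user}|${action.id}`;
    if (result.endsWith("_keep") && (this.kept.get(key) || 0) > now) {
      return { allowed: true, challenge: null };
    }
    return { allowed: false, challenge: result.startsWith("auth_self") ? "self" : "admin" };
  }

  // Called once the authentication dialog succeeded; only *_keep results are retained,
  // and only for this specific action, not for "everything as root".
  recordAuthentication(action, subject, result, now) {
    if (result.endsWith("_keep")) {
      this.kept.set(`${subject.user}|${action.id}`, now + KEEP_SECONDS);
    }
  }
}

// A subject as the rules see it: unix user, groups, and session properties.
function makeSubject(user, groups, local, active) {
  return { user, groups, local, active, isInGroup: (g) => groups.includes(g) };
}

const SET_TIME = { id: "org.freedesktop.timedate1.set-time" }; // assumed action id

function buildAuthority() {
  const polkit = new Authority();
  polkit.Result = Result;
  // --- what a rules file would contain, in polkit's own syntax ---
  polkit.addRule(function (action, subject) {
    // Nobody outside a local console session may touch the clock at all.
    if (action.id === SET_TIME.id && !subject.local) return polkit.Result.NO;
  });
  polkit.addRule(function (action, subject) {
    // An active local wheel member may set the clock without a prompt.
    if (action.id === SET_TIME.id && subject.isInGroup("wheel") &&
        subject.local && subject.active) {
      return polkit.Result.YES;
    }
    // Anything else falls through to the action's implicit default.
  });
  return polkit;
}

function decideSetTime(polkit, subject, now) {
  return polkit.check(SET_TIME, subject, Result.AUTH_ADMIN_KEEP, now);
}

// The cases argued about in the thread, on a fresh authority.
function demo() {
  const polkit = buildAuthority();
  const admin = makeSubject("lee", ["users", "wheel"], true, true);   // constructed
  const plain = makeSubject("guest", ["users"], true, true);          // constructed
  const remote = makeSubject("lee", ["users", "wheel"], false, true); // constructed
  const out = {
    wheelAtConsole: decideSetTime(polkit, admin, 0),
    plainUserFirst: decideSetTime(polkit, plain, 0),
    remoteWheel: decideSetTime(polkit, remote, 0),
  };
  // The plain user authenticates once; the grant is kept briefly, then expires.
  polkit.recordAuthentication(SET_TIME, plain, Result.AUTH_ADMIN_KEEP, 0);
  out.plainUserWithinWindow = decideSetTime(polkit, plain, 100);
  out.plainUserAfterWindow = decideSetTime(polkit, plain, 400);
  return out;
}

console.log(demo());
```

The `"admin"` challenge is where the Fedora default from the quoted reply comes in: polkit's admin identities are configured as the `wheel` group, so a wheel member answering that challenge types their own password rather than root's. Note also that the kept grant is keyed on the user and the action id, which is the "specific thing" the reply refers to; a successful prompt for setting the clock does not let the same application do anything else.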