On Wed, 2009-11-18 at 13:31 -0600, Chris Adams wrote:
> Once upon a time, Colin Walters <walters@xxxxxxxxxx> said:
> > On Wed, Nov 18, 2009 at 1:48 PM, Chris Adams <cmadams@xxxxxxxxxx> wrote:
> > > It seems the latest way of doing this is via PolicyKit.  IMHO all
> > > PolicyKit configuration should be "secure by default",
> >
> > "secure" is a meaningless term without reference to a deployment
> > model and threat model, but let's assume here for reference that what
> > you mean is that the shipped RPMs should be configured to not grant
> > any additional privileges over that afforded to the traditional Unix
> > timesharing model, and then the desktop kickstart modifies them.
>
> Yes, that was what I meant.
>
> > I would agree with that, but it's not trivial. Are we just scoping in
> > PackageKit here, or also consolehelper @console actions? Does it
> > imply removing the setuid bit from /bin/ping?
>
> In an ideal world, everything that could grant elevated privilege would
> come without it, and the admin (or spin config files) could easily
> configure it back.
>
> That obviously fails for things like /bin/ping, since that uses file
> permissions, and that's part of the RPM (and not configurable).
> However, ping has traditionally been runnable as a non-root user, and it
> is easily spotted with find. The number of setuid programs is small
> these days, but several of them are now "helpers" that allow a
> wide range of other programs access, again with minimal documentation
> (what is pulse/proximity-helper? why is nspluginwrapper/plugin-config
> setuid root?)
>
> I think anything that uses PolicyKit should ship with no elevated
> privileges by default, since it is configurable.
>
> It would be nice to also get consolehelper, but that is more
> complicated. I thought that was on the way out (to be replaced by
> PolicyKit), but I see there are still a number of things that use it
> (looking at the F11 desktop I'm on right now).
>
> NetworkManager is another thing that probably could use some admin
> control in some places, especially as it is being pushed to replace the
> old network scripts. Does NM use PolicyKit or consolehelper, or does it
> just do things itself?

It uses PolicyKit. We have a bit of work to do before we have fine-grained
lockdown, but it's not that far off. F13 perhaps? It's basically a case of
defining the permissions (there are already a few for things like disallowing
modification of system connections, disabling the "create new network"
functionality, etc) and then making sure NM checks them, and *also* making
sure the UI provides appropriate feedback when something is not allowed at
all, as opposed to "allowed if you authenticate first".

Dan

> > > Right now, I see files /usr/share/PolicyKit/policy; I guess that's where
> > > this kind of thing comes from.  How do I override the settings in one of
> > > these files?  None of them are marked "config", so I guess I don't edit
> > > them.  Are there other places such policy can be set?
> >
> > See "man PolicyKit.conf"
>
> The bigger issue is that much of the policy is not well documented,
> except in the XML files (which are pretty terse).
> --
> Chris Adams <cmadams@xxxxxxxxxx>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
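The setuid audit Chris mentions above ("easily spotted with find"), written out as an added example that is not part of the thread: it lists every setuid/setgid file under a root and, where rpm is present, names the package that shipped each one, so helpers like the ones he questions can be reviewed one by one. The function names are my own; `rpm -qf` and GNU `stat -c` are only used by `report_setuid` and are assumed to be available on a Fedora host.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate setuid/setgid regular files
# under a given root and report who owns them and which RPM ships them.
# Function names are hypothetical; 'rpm -qf' and GNU 'stat -c' are assumed
# to exist on the audited Fedora system.

# list_setuid ROOT: print each setuid or setgid regular file under ROOT,
# one per line, staying on ROOT's filesystem (-xdev) and sorted for diffing.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_setuid ROOT: how many such files exist under ROOT.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# report_setuid ROOT: for each file print mode, owner:group, path and the
# owning package ("(unpackaged)" when no RPM claims it), so a baseline can
# be saved and later diffed to catch new privileged helpers.
report_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        mode=$(stat -c '%A %U:%G' "$f" 2>/dev/null || echo '?')
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$f" 2>/dev/null || echo '(unpackaged)')
        else
            pkg='(rpm not available)'
        fi
        printf '%s  %s  %s\n' "$mode" "$f" "$pkg"
    done
}

# Typical use on a real host (needs read access to the whole tree):
#   report_setuid / > setuid-baseline.txt
```

Saving the report once and diffing it after updates shows which packages added or dropped privileged binaries.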