[Bug 295341] New: PolicyKit: please add setgid polkit-grant-helper (polkituser) to /etc/permissions.*
https://bugzilla.novell.com/show_bug.cgi?id=295341

Summary: PolicyKit: please add setgid polkit-grant-helper (polkituser) to /etc/permissions.*
Product: openSUSE 10.3
Version: Alpha 6
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: kasievers@novell.com
QAContact: qa@suse.de
CC: dkukawka@novell.com
Found By: ---

We need:

%attr(2755,root,polkituser) %{_libexecdir}/polkit-grant-helper

working. The package is in BETA, with that line disabled for now. Thanks!

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #40 from Kay Sievers
polkit-set-default-helper: since it's setgid, files created are owned by the calling user, thus file content in /usr/local/lib/PolicyKit-public/ can be changed afterwards at any time; if that's not a problem.
http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commitdiff;h=149a3df1926c24...
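The ownership problem described in comment #40 (a setgid helper cannot hand files to root, so whatever it writes stays owned by the invoking uid and can be rewritten later) can be checked for on a running system. The audit below is an added example, not code from the bug or from PolicyKit; it assumes the directory name given in the comment and flags files owned by a non-root uid or writable by group/other, and a constructed temporary directory stands in for the real one in the demo.

```python
import os
import stat
import tempfile

# Directory named in comment #40; the helper is setgid, so files it creates
# are owned by the invoking user's uid rather than by root.
POLKIT_PUBLIC_DIR = "/usr/local/lib/PolicyKit-public"


def classify(uid, mode):
    """Return the reasons a file with this owner uid and st_mode could be
    rewritten after a setgid helper created it (empty list means clean)."""
    reasons = []
    if uid != 0:
        # Owner is the caller, not root: a setgid-only helper lacks CAP_CHOWN,
        # so the caller keeps ownership and may chmod/rewrite the file later.
        reasons.append("owned by non-root uid %d" % uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/world writable (mode %o)" % stat.S_IMODE(mode))
    return reasons


def audit_dir(path):
    """Return {filename: [reasons]} for every regular file in path that a
    non-root user could still modify after it was created."""
    findings = {}
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        reasons = classify(st.st_uid, st.st_mode)
        if reasons:
            findings[name] = reasons
    return findings


def demo():
    """Constructed sample directory: one world-writable file and one 0644
    file; the 0644 file is flagged only when the running user is not root."""
    tmp = tempfile.mkdtemp()
    for name, mode in (("loose.policy", 0o666), ("strict.policy", 0o644)):
        p = os.path.join(tmp, name)
        with open(p, "w") as f:
            f.write("constructed sample\n")
        os.chmod(p, mode)
    return audit_dir(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
    if os.path.isdir(POLKIT_PUBLIC_DIR):
        for name, reasons in audit_dir(POLKIT_PUBLIC_DIR).items():
            print(name, "->", "; ".join(reasons))
```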
--- Comment #68 from David Zeuthen

(In reply to comment #66)
> The policykit source code documentation for polkit_sysdeps_get_exe_for_pid() clearly states that constraints based on the calling program's name cannot be relied upon as firstly they can be easily circumvented by the user himself and secondly don't work for interpreted languages.

It does however work for secure programs.

> The authorization scheme seems to be broken by design, it would not help adding a suid bit.

I'm not sure what to make of this comment.
--- Comment #71 from David Zeuthen
> 1. It is not clear why mount.fixed permissions are required at all, neither Kay nor anyone else has answered our several queries regarding this.
> This question needs to be answered first, all others depend on that one.

HAL allows you to mount "fixed" (e.g. partitions from non-hotpluggable disks that don't support removable media => typically windows, os x partitions) but that requires another authorization if it was non-fixed (e.g. partitions from hotpluggable OR removable disks). So in that case you get asked for the root password to do this. You can retain this authorization so you won't get asked for a password again. Which is the _sensible_ thing to do if you realize that users typing in passwords and getting interrupted by password dialogs is _bad_ "security". [1]

Anyway, distributions and/or sites can tweak this behaviour; for example

 # polkit-action --set-defaults-active org.freedesktop.hal.storage.mount-fixed auth_admin

will change the defaults such that the authorization can't be retained. All this works fine.

(And this is much more preferable than the rather useless patch you guys are shipping to PolicyKit-gnome (I found this out when I was meeting with Kay a few weeks ago) that just deselects the "retain authorization" checkbox... all that patch does is just to make the user type in his password again and again... Btw, I'd appreciate if you guys sent patches like that upstream so I don't have to explain why it's non-sense in a downstream bugzilla entry.)

> Ability to mount fixed disks/partitions is definitely a critical security risk.

Depends on what OS you're shipping. If it's for a laptop this is definitely not true; clearly users want to access files from the other OS on the laptop. However, if it's for a server it's definitely true. See the bug linked in [1] for more thoughts about this.

> 2. There is apparently no code in FACTORY exercising this for us to even look at.

Maybe you guys are still shipping a patch to HAL that hides all fixed disks (e.g. setting volume.ignore); I don't know. Either way, it works fine in Fedora and Ubuntu; I can happily mount my Windows and OS X partitions.

> 3. The helper binary itself is fine in a self contained way.

> 4. The use of "exe" name checking does not help, if the user has control over this executable via LD_PRELOAD, PTRACE or other means. He can just inject any code into this binary. David's comment regarding "secure" binary likely means that the user binary itself needs setgid/setuid permissions.

Yes, that's what I meant with "secure" binary; it's shorter to write "secure binary" than go through a (non-exhaustive) list of what attack vectors to cover.

> "exe" path name checking is not a security feature in any way and should not be handled as such, as the source code even says.

It's not really a security feature, I don't know where you got that idea from. Clearly, this bit should tell you otherwise http://hal.freedesktop.org/docs/PolicyKit/polkit-polkit-sysdeps.html#polkit-...

However it _is_ useful for binaries that can be securely locked down. For the record, it's exactly the same approach that AppArmor and SELinux take; e.g. in SELinux you can tag a process as running in a security context (through xattrs of the binary) and that way it can do more syscalls than other processes / get more privileges. Ditto with AppArmor, it just happens to be path-based. And surely such processes are just as vulnerable to code injection as other programs.. except that glibc secure mode and other bits kick in so you can't ptrace the process nor use LD_PRELOAD etc. But that still leaves plenty of other attack vectors (e.g. PYTHONPATH, GTK_MODULES etc.). The "only" difference here is that PolicyKit is purely application based; the mechanism is exactly the same: you look at characteristics of the process wanting to access something to make a decision. So if you're saying "omg, that exe thing is evil", I think you should examine how AppArmor works.

Hope this clarifies.

David

[1] : the whole point of PolicyKit is absolutely not the password dialogs; users should simply have the authorizations they need to do their work / use their system. They should certainly *not* be interrupted by password dialogs. I'd go as far as saying that password dialogs are evil and a disease. It's, for the most cases, bad security (trusted path is the exception). Anyway, there's a slightly longer and more detailed rant about this here http://bugzilla.gnome.org/show_bug.cgi?id=531609#c9
--- Comment #75 from David Zeuthen
> I would still recommend someone of our security team join the policykit upstream mailing list and discuss future developments there.

That would be nice.

> ok, after having another discussion with Marcus and Ludwig, I finally agree that leaving out this feature for 11.0 is the right thing to do. And for the future, we might reconsider if it's not wiser to patch it out of PolicyKit.

As upstream for PolicyKit, this is unacceptable. I jumped into your downstream bugzilla to help clear the confusion. I spent a lot of time explaining to you guys how this works in comment 71. You could at the very least explain why you are crippling upstream sources. Don't expect me to care about SUSE PolicyKit bugs in the future if this continues.