[Pkg-utopia-maintainers] ConsoleKit (0.2.10) / PolicyKit / Security hole
Michael Biebl
biebl at debian.org
Sat Jul 19 04:47:22 UTC 2008
Hi,

first of all, I hope that ubuntu-devel-discuss is the correct email
address for contacting the Ubuntu maintainers of consolekit and
policykit (taken from debian/control). I've also CCed Martin just in case.

On to my actual issue:

Today I started updating consolekit to 0.2.10-1 in Debian. The work is
available from the pkg-utopia svn [1], as always.

I deliberately did not enable the PolicyKit support in ConsoleKit.
Enabling PolicyKit support means that ConsoleKit will link against
libpolkit. libpolkit, on the other hand, requires that the complete
policykit package is installed. The init functions in libpolkit place
inotify watches on certain files and directories (which are only shipped
in the policykit package, like /etc/PolicyKit/PolicyKit.conf and
/var/lib/misc/PolicyKit.reload).
If those files are not present, libpolkit will not work correctly.
I.e. enabling PolicyKit support in ConsoleKit would mean the package
would have to declare a dependency on the policykit package. On the
other hand, the policykit package requires the consolekit package to
work properly. For the gory details see [2].

The simple reason why PolicyKit support was added to ConsoleKit is
that ConsoleKit has new functionality like System restart/stop, which
has to be protected, so not everyone can call these functions.
It's debatable if such functionality belongs in ConsoleKit (I think
it doesn't, but upstream disagrees).

The problem now is that if you disable the PolicyKit support, the restart/stop
functions are unprotected, and everyone (even through ssh logins) can
shutdown/reboot the system. For fun, try [3] from an unprivileged user
account. See src/ck-manager.c and grep for HAVE_POLKIT.

Imo this is a major security hole in intrepid.

Now there are different options how to address this:

1. In /etc/dbus-1/system.d/ConsoleKit.conf, open

     <allow send_interface="org.freedesktop.ConsoleKit.Manager"
            send_member="Restart"/>
     <allow send_interface="org.freedesktop.ConsoleKit.Manager"
            send_member="Stop"/>

   only for
   a) root
   b) at_console

2. Enable PolicyKit support in ConsoleKit

Currently, there is no user of the CK Restart/Stop methods (new gdm will
use it, which is neither in Debian nor Ubuntu, though).
So imo the safest option would be 1.a)

Other opinions?

Michael
[1] http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/consolekit
[2] http://lists.freedesktop.org/archives/hal/2008-January/010603.html
http://lists.freedesktop.org/archives/hal/2008-January/010669.html
[3] dbus-send --system --dest=org.freedesktop.ConsoleKit \
--type=method_call --print-reply --reply-timeout=2000 \
/org/freedesktop/ConsoleKit/Manager \
org.freedesktop.ConsoleKit.Manager.Stop
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
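
Added example, not part of the original message or of the ConsoleKit packaging: a small Python check that reads a D-Bus system policy file and reports which policy scopes are allowed to send the Restart and Stop calls discussed above. The function names and the embedded policy snippets are constructed for illustration; the check looks only at <allow> rules and does not evaluate <deny> rules or rule ordering.

```python
import xml.etree.ElementTree as ET

IFACE = "org.freedesktop.ConsoleKit.Manager"
DEST = "org.freedesktop.ConsoleKit"
PROTECTED = {"Restart", "Stop"}  # the two methods named in the message

def scope_of(policy):
    """Name the subject a <policy> element applies to, e.g. 'user=root'."""
    for attr in ("user", "group", "at_console", "context"):
        if attr in policy.attrib:
            return f"{attr}={policy.attrib[attr]}"
    return "unknown"

def exposed_methods(conf_xml, trusted=("user=root",)):
    """Return sorted (scope, member) pairs where an <allow> send rule lets a
    scope outside `trusted` call Restart or Stop. <deny> rules and rule
    ordering are not evaluated, so a finding means 'review this rule'."""
    findings = set()
    for policy in ET.fromstring(conf_xml).iter("policy"):
        scope = scope_of(policy)
        if scope in trusted:
            continue
        for rule in policy.findall("allow"):
            if not any(k.startswith("send_") for k in rule.attrib):
                continue  # e.g. <allow own="..."/> is not a send rule
            if rule.get("send_interface", IFACE) != IFACE:
                continue
            if rule.get("send_destination", DEST) != DEST:
                continue
            member = rule.get("send_member")
            # A send rule without send_member matches every method.
            hit = PROTECTED if member is None else PROTECTED & {member}
            findings.update((scope, m) for m in hit)
    return sorted(findings)

# Constructed sample: the two rules from the message, open to everyone.
WEAK = f"""<busconfig><policy context="default">
  <allow send_interface="{IFACE}" send_member="Restart"/>
  <allow send_interface="{IFACE}" send_member="Stop"/>
</policy></busconfig>"""

# Constructed sample of option 1.a: the same rules, for root only.
ROOT_ONLY = f"""<busconfig><policy user="root">
  <allow send_interface="{IFACE}" send_member="Restart"/>
  <allow send_interface="{IFACE}" send_member="Stop"/>
</policy><policy context="default">
  <allow send_interface="{IFACE}" send_member="GetSeats"/>
</policy></busconfig>"""

if __name__ == "__main__":
    print(exposed_methods(WEAK))
    print(exposed_methods(ROOT_ONLY))
```

To check option 1.b instead, pass trusted=("user=root", "at_console=true") so that an at_console policy is not reported.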