[Pkg-utopia-maintainers] how to override polkit defaults?

Christoph Anton Mitterer calestyo at scientia.net
Fri Mar 30 02:36:19 UTC 2018


Hi.

I was just looking into the polkit documentation on how to override the
defaults of actions... but that doesn't seem to be easily possible.
Perhaps someone here can help me :-)


Unfortunately we've had a security incident at the institute, in which
a user was granted quite arbitrary access to disks.
The reason seems to be that udisks' default policy allows any "local"
users pretty vast access (powering off, editing/deleting partitions,
etc.) on devices it doesn't consider to be system devices.

No idea how it decides what a system disk is, but anything connected
via USB doesn't seem to be.

This alone is IMO a grave security hole, but getting it fixed is
probably fighting windmills, as there seems to be a clear direction
towards the simple-desktop-system model, i.e. one user, computer anyway
fully physically accessible to any user sitting in front of it.

Real world is of course different, in our case users don't have full
physical access to the computer (except screen, keyboard and the like)
... and some "system disks" are connected via internal USB bridge.
By that the system could be compromised (well luckily in this case
there were no bad intentions but just "accidentally" breaking things).


Long story short, I'd like to fix all the polkit/udisks permissions for
at least our systems.


Now there seems to be only little documentation (basically the polkit-
html manual) that deals with what one would want to do in real world
cases. :-(


AFAIU, it's apparently not possible to override the policy files
themselves, but only to create rules files, which kinda refine the
policy, right?


What I'd basically want is to say for e.g. all udisk actions, that at
least admin-authentication is needed... *but*, ideally, if some
existing policy or rules file allows for root or other special groups
(I think in Debian sudo-group members) to proceed without password-
authn, then this should be kept.

Maybe I just don't see it, but this doesn't seem possible.
I can override the actions to e.g. demand for auth_admin, but then I'll
also override any auth_admin_keep or e.g. "yes" for root (but not
users).

Is this somehow cleanly possible? :-) I guess it would also be worth
putting something like this into README.Debian.
I.e. override to require admin_auth for non-admin-users, but retain any
yes/admin_auth_keep/etc. for admin-users.


The next thing is: Debian seems to be stuck at some pretty old version
of polkit?
0.105 in contrast to 0.113 upstream? And the customisation via rules in
some creepy JavaScript as done in upstream 0.113 seems to not be
available in 0.105... and the pklocalauthority thing seems to be gone
from the current upstream?
Is the current version going to Debian sooner or later?
And how should one write/override rules for polkit in Debian?


Thanks for any advice,
Chris.
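
Added example, not part of the original message: a Python sketch that audits a polkit .policy file for defaults granted without admin authentication and renders a .pkla override of the kind polkit 0.105's pklocalauthority reads. The org.example.* action ids, their defaults and the function names are constructed for illustration; only the weak fields are raised, so a default of "no" is never loosened.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the polkit .policy format; ids and defaults are made up.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.disks.power-off"><defaults>
    <allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
    <allow_active>yes</allow_active></defaults></action>
  <action id="org.example.disks.mount"><defaults>
    <allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
    <allow_active>yes</allow_active></defaults></action>
  <action id="org.example.disks.modify-system"><defaults>
    <allow_any>no</allow_any><allow_inactive>no</allow_inactive>
    <allow_active>auth_admin_keep</allow_active></defaults></action>
  <action id="org.example.disks.eject"><defaults>
    <allow_any>yes</allow_any><allow_inactive>no</allow_inactive>
    <allow_active>yes</allow_active></defaults></action>
</policyconfig>"""

PKLA_KEY = {"allow_any": "ResultAny", "allow_inactive": "ResultInactive",
            "allow_active": "ResultActive"}
WEAK = {"yes", "auth_self", "auth_self_keep"}  # granted without admin credentials

def weak_defaults(policy_xml):
    """Map action id -> tuple of <defaults> fields that skip admin authentication."""
    found = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        fields = tuple(k for k in PKLA_KEY
                       if (action.findtext(f"defaults/{k}") or "").strip() in WEAK)
        if fields:
            found[action.get("id")] = fields
    return found

def pkla_override(found, identity="unix-user:*"):
    """Render .pkla entries that raise only the weak fields to auth_admin."""
    # unix-user:* matches every user, so admin-only exemptions are not preserved.
    groups = defaultdict(list)
    for action_id, fields in found.items():
        groups[fields].append(action_id)
    entries = []
    for n, (fields, ids) in enumerate(sorted(groups.items()), 1):
        lines = [f"[Require admin auth {n}]", f"Identity={identity}",
                 "Action=" + ";".join(sorted(ids))]
        lines += [f"{PKLA_KEY[k]}=auth_admin" for k in fields]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

if __name__ == "__main__":
    print(pkla_override(weak_defaults(SAMPLE_POLICY)))
```

To audit a real system, feed it the files under /usr/share/polkit-1/actions/ and review the output before placing it in a .pkla file under /etc/polkit-1/localauthority/50-local.d/.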


