[Pkg-utopia-maintainers] how to override polkit defaults?
Michael Biebl
biebl at debian.org
Fri Mar 30 08:45:32 UTC 2018
On 30.03.2018 at 04:36, Christoph Anton Mitterer wrote:
> Hi.
>
> I was just looking into the polkit documentation on how to override the
> defaults of actions... but that doesn't seem to be easily possible.
> Perhaps someone here can help me :-)
>
>
> Unfortunately we've had a security incident at the institute, in which
> a user was granted quite arbitrary access to disks.
> The reason seems to be that udisks' default policy allows any "local"
> users pretty vast access (powering off, editing/deleting partitions,
> etc.) on devices it doesn't consider to be system devices.
>
> No idea how it decides what a system disk is, but anything connected
> via USB doesn't seem to be.
>
> This alone is IMO a grave security hole, but getting it fixed is
> probably fighting windmills, as there seems to be a clear direction
> towards the simple-desktop-system model, i.e. one user, computer anyway
> fully physically accessible to any user sitting in front of it.
>
> Real world is of course different, in our case users don't have full
> physical access to the computer (except screen, keyboard and the like)
> ... and some "system disks" are connected via internal USB bridge.
> By that the system could be compromised (well luckily in this case
> there were no bad intentions but just "accidentally" breaking things).
>
>
> Long story short, I'd like to fix all the polkit/udisks permissions for
> at least our systems.
>
>
> Now there seems to be only little documentation (basically the polkit-
> html manual) that deals with what one would want to do in real world
> cases. :-(
>
>
> AFAIU, it's apparently not possible to override the policy files
> themselves, but only to create rules files, which kinda refine the
> policy, right?
>
>
> What I'd basically want is to say for e.g. all udisks actions, that at
> least admin-authentication is needed... *but*, ideally, if some
> existing policy or rules file allows root or other special groups
> (I think in Debian sudo-group members) to proceed without password-
> authn, then this should be kept.
>
> Maybe I just don't see it, but this doesn't seem possible.
> I can override the actions to e.g. demand auth_admin, but then I'll
> also override any auth_admin_keep or e.g. "yes" for root (but not
> users).
>
> Is this somehow cleanly possible? :-) I guess it would also be worth
> putting something like this into README.Debian.
> I.e. override to require admin_auth for non-admin-users, but retain any
> yes/admin_auth_keep/etc. for admin-users.
>
>
> The next thing is: Debian seems to be stuck at some pretty old version
> of polkit?
> 0.105 in contrast to 0.113 upstream? And the customisation via rules in
> some creepy JavaScript as done in upstream 0.113 seems to not be
> available in 0.105... and the pklocalauthority thing seems to be gone
> from the current upstream?
> Is the current version going to Debian sooner or later?

No current plans to upload the JavaScript/mozjs based version to unstable.

> And how should one write/override rules for polkit in Debian?

You might have a look at
https://packages.ubuntu.com/search?keywords=policykit-desktop-privileges
Instead of locking down, those rules open the default policy.

Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
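
Added example, not part of the original message or of polkit/udisks: before writing any override, it helps to see which actions the shipped `.policy` files grant with no authentication at all, which is the default behaviour the question describes. The sketch below parses the `<defaults>` block of a polkit `.policy` file; the `org.example` action ids and the sample document are constructed, and `/usr/share/polkit-1/actions/` is assumed as the location of the real files.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy layout; the org.example action ids
# are placeholders, not real udisks action names.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.disks.power-off-drive">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.disks.modify-device">
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.disks.modify-system-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""

KEYS = ("allow_any", "allow_inactive", "allow_active")

def implicit_defaults(policy_xml):
    """Return {action id: {key: value}}; a missing element is reported as 'unset'."""
    table = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        table[action.get("id")] = {
            k: (defaults.findtext(k) or "unset").strip() if defaults is not None else "unset"
            for k in KEYS}
    return table

def unauthenticated_actions(policy_xml):
    """Action ids whose shipped default is 'yes' for at least one session class."""
    return sorted(a for a, d in implicit_defaults(policy_xml).items() if "yes" in d.values())

if __name__ == "__main__":
    # Pass .policy files (e.g. from /usr/share/polkit-1/actions/) as arguments.
    docs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_POLICY]
    for doc in docs:
        for action_id in unauthenticated_actions(doc):
            print(action_id)
```

The resulting list is the set of action ids a local override would need to cover.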