[Pkg-utopia-maintainers] Bug#1087525: polkitd: polkit-tmpfiles.conf overrides dpkg-statoverride

Simon McVittie smcv at debian.org
Thu Nov 14 20:08:39 GMT 2024


Paraphrasing your original report to step back from the specific request
a little:

On Thu, 14 Nov 2024 at 18:04:05 +0000, Michael Gold wrote:
> [Without setting a] world-readable mode of /etc/polkit-1/rules.d/
> on my system [...] an un-privileged git process
> was not able to check for changes

The reasoning for /etc/polkit-1/rules.d/ not being world-readable is that
it sets security policy, and knowing the precise local security policy
that has been configured would make it easier for a malicious or compromised
local process to make use of any loopholes that might exist in it.
If the policy is not readable, then a malicious or compromised process
might still be able to reverse-engineer it by trying various operations and
seeing which ones are allowed, but it would be more difficult for an
attacker to do that "quietly" without causing unexpected UI popups or
leaving traces in logs.

If you have a specific user or group that needs to be able to run git
against /etc, it might be better to set a POSIX ACL on /etc/polkit-1/rules.d,
like perhaps one of these (untested!):

    setfacl -m group:staff:r-x /etc/polkit-1/rules.d
    setfacl -m user:michael:r-x /etc/polkit-1/rules.d

which I believe neither dpkg nor systemd-tmpfiles will interfere with.

> I also don't consider it appropriate to modify a permanent
> administrator-controlled directory via the temporary-file mechanism; the
> directory could be created by a maintainer script if necessary, and then
> left alone.

The big advantage of the increasingly mis-named tmpfiles.d is that it's
declarative, unlike maintainer scripts, which are imperative code that
can in principle do absolutely anything, and as a result is difficult
to analyze or reason about.

At the moment polkitd needs the maintainer-script code *and* the
tmpfiles.d fragment, because we can't rely on the tmpfiles.d fragment
taking effect on non-systemd systems unless something adds a dependency
on an implementation of the systemd-tmpfiles virtual package, which has
been controversial and has some non-trivial corner cases to consider
(see #945269).

    smcv
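As an added illustration (not part of Simon's mail or of the polkit package), a small Python model of the acl(5) access check run against a constructed getfacl-style listing of the kind `setfacl -m group:staff:r-x` would produce. It shows a member of `staff` being allowed to list the directory while an unrelated unprivileged user is still refused, and how the `mask::` entry caps named-user and group entries; the `root:root` owner and group in the listing are assumed values, not polkit's actual ones.

```python
# Constructed getfacl(1)-style listing for a rules.d-like directory after
# `setfacl -m group:staff:r-x` (example data, not taken from a real system).
RULESD_ACL = """\
# owner: root
# group: root
user::rwx
group::---
group:staff:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Parse getfacl text into a dict: owner/group headers, the base
    entries, the mask, and any named user/group entries."""
    acl = {"owner": "", "group": "", "user_obj": "---", "group_obj": "---",
           "other": "---", "mask": "rwx", "users": {}, "groups": {}}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):                 # '# owner: root', '# group: root'
            key, _, val = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = val.strip()
            continue
        tag, who, perms = line.split(":")        # e.g. 'group:staff:r-x'
        if who:
            acl[tag + "s"][who] = perms          # named user or group entry
        else:
            acl[{"user": "user_obj", "group": "group_obj"}.get(tag, tag)] = perms
    return acl

def _grants(perms, want, mask="rwx"):
    """Every requested bit must be set in perms and not removed by the mask."""
    return all(c in perms and c in mask for c in want)

def acl_allows(acl, user, groups, want="r"):
    """Access check in acl(5) order: owner, named user, owning/named groups
    (any matching entry may grant; a match never falls through), then other."""
    if user == acl["owner"]:
        return _grants(acl["user_obj"], want)           # owner: mask not applied
    if user in acl["users"]:
        return _grants(acl["users"][user], want, acl["mask"])
    matched = False
    for name, perms in [(acl["group"], acl["group_obj"]), *acl["groups"].items()]:
        if name in groups:
            matched = True
            if _grants(perms, want, acl["mask"]):
                return True
    return False if matched else _grants(acl["other"], want)
```

Call `acl_allows(parse_getfacl(RULESD_ACL), "michael", {"michael", "staff"}, "rx")` to check one user; replacing `other::---` with `other::r-x` in the listing models the world-readable chmod the report asked for, under which every local user passes the check.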
