bit-team / backintime

Back In Time - An easy-to-use backup tool for GNU Linux using rsync in the back
https://backintime.readthedocs.io
GNU General Public License v2.0

Use polkit rules instead of running app as root #694

Open ghost opened 7 years ago

ghost commented 7 years ago

I think backintime graphical interface should always be started under non-root account and use polkit rules for running only specific commands (like rsync) which need special privileges.

Running graphical apps as root is considered insecure https://www.youtube.com/watch?v=-T1LoHTZDvs https://www.reddit.com/r/kde/comments/5l35db/how_can_you_enable_root_access_in_dolphin/

It will also fix behaviour under wayland https://github.com/bit-team/backintime/issues/640

aryoda commented 1 year ago

A comment in the above reddit link contains a dead link to a recommended video by Martin Graesslin at QCon 2016. It can be found here now:

The pity state of Linux desktop security

Edit: I have just realized that my new link shows the same video as the above youtube link (but perhaps more privacy friendly ;-)).

aryoda commented 1 year ago

Analysis

Running BiT with sudo or another "root-granting" starter like pkexec provides full root privileges to the whole application. These privileges can be exploited to perform unauthorized operations, thereby creating a security incident.

polkit is:

Linux user space applications running in the lower privilege can request the Polkit framework to carry out the actions which require security privileges.

For an introduction to the why and how of polkit, see this link:

https://www.timesys.com/security/linux-polkit-implementing-user-space-authorization-on-embedded-platforms/

To enable Polkit for BiT two major steps are required:

  1. create and install a .policy file into the /usr/share/polkit-1/actions directory
  2. use the Polkit API via D-Bus or a library

For details see: https://www.freedesktop.org/software/polkit/docs/latest/

Furthermore, we need to check if all supported distros are compatible with our Polkit implementation.

Special care must be taken for headless systems where asking the user is not possible (e.g. when backintime is run via cron).
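The two steps above (a .policy file describing the privileged action, and a CheckAuthorization call from the unprivileged process) are shown together in this added example. It is not Back In Time code and does not reflect the contents of the project's own net.launchpad.backintime.policy; the action ids, the vendor string and the XML are constructed, and the D-Bus helper assumes dbus-python and a running polkit daemon. The audit function flags the settings a reviewer would question when such a file ships in a package: `allow_active`/`allow_any` set to `yes` (the helper runs as root with no prompt at all) and a non-absolute `exec.path` annotation (which can never match the path pkexec resolves).

```python
"""Added example (not Back In Time project code): audit a polkit .policy file
and build the D-Bus CheckAuthorization call an unprivileged GUI would make
before running a privileged helper such as rsync."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Values polkit accepts inside <defaults>; anything else is a typo.
VALID_DEFAULTS = {"no", "yes", "auth_self", "auth_admin",
                  "auth_self_keep", "auth_admin_keep"}

# Constructed sample policy (hypothetical action ids): one weak action that
# runs without any prompt, one hardened action that asks for admin auth.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <vendor>Example backup tool (hypothetical)</vendor>
  <action id="org.example.backup.run-rsync-weak">
    <description>Run rsync as root (weak example)</description>
    <message>Authentication is required to run the backup</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">rsync</annotate>
  </action>
  <action id="org.example.backup.run-rsync">
    <description>Run rsync as root (hardened example)</description>
    <message>Authentication is required to run the backup</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/rsync</annotate>
  </action>
</policyconfig>
"""


def audit_policy(xml_text: str) -> Dict[str, List[str]]:
    """Return {action_id: [findings]} for settings a package reviewer should question."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings: Dict[str, List[str]] = {}
    for action in root.iter("action"):
        action_id = action.get("id", "<missing id>")
        problems: List[str] = []
        defaults = action.find("defaults")
        values: Dict[str, str] = {}
        if defaults is None:
            problems.append("no <defaults>: polkit denies everything, action is unusable")
        else:
            for tag in ("allow_any", "allow_inactive", "allow_active"):
                node = defaults.find(tag)
                values[tag] = (node.text or "").strip() if node is not None else "no"
                if values[tag] not in VALID_DEFAULTS:
                    problems.append(f"{tag}: unknown value {values[tag]!r}")
            if values.get("allow_any") == "yes":
                problems.append("allow_any=yes: any session gets root without authentication")
            if values.get("allow_active") == "yes":
                problems.append("allow_active=yes: active local session runs the helper with no prompt")
        exec_path = action.find("annotate[@key='org.freedesktop.policykit.exec.path']")
        if exec_path is not None and not (exec_path.text or "").startswith("/"):
            problems.append("exec.path is not absolute: pkexec compares against the resolved absolute path")
        findings[action_id] = problems
    return findings


def start_time_from_stat(stat_text: str) -> int:
    """Extract field 22 (starttime, in clock ticks) from a /proc/<pid>/stat line.
    The comm field may contain spaces, so split after its closing parenthesis."""
    fields = stat_text[stat_text.rindex(")") + 2:].split()
    return int(fields[19])  # field 22 overall == index 19 once pid and comm are gone


def polkit_subject(pid: int, start_time: int) -> Tuple[str, Dict[str, int]]:
    """The 'unix-process' subject polkit expects; start_time prevents pid reuse confusion."""
    return ("unix-process", {"pid": pid, "start-time": start_time})


def check_authorization(action_id: str, pid: int, interactive: bool = True) -> Tuple[bool, bool]:
    """Ask polkit whether <pid> may perform action_id (assumes dbus-python and polkitd)."""
    import dbus  # assumption: dbus-python is installed; imported lazily so the audit runs offline
    with open(f"/proc/{pid}/stat") as f:
        start_time = start_time_from_stat(f.read())
    bus = dbus.SystemBus()
    proxy = bus.get_object("org.freedesktop.PolicyKit1", "/org/freedesktop/PolicyKit1/Authority")
    authority = dbus.Interface(proxy, "org.freedesktop.PolicyKit1.Authority")
    subject = ("unix-process", {"pid": dbus.UInt32(pid), "start-time": dbus.UInt64(start_time)})
    flags = dbus.UInt32(1 if interactive else 0)  # 1 = AllowUserInteraction (agent may prompt)
    is_authorized, is_challenge, _details = authority.CheckAuthorization(
        subject, action_id, dbus.Dictionary({}, signature="ss"), flags, "")
    return bool(is_authorized), bool(is_challenge)


if __name__ == "__main__":
    for action_id, problems in audit_policy(SAMPLE_POLICY).items():
        print(action_id, "->", problems or "ok")
```

For the headless/cron case discussed above, calling `check_authorization` with `interactive=False` is the relevant mode: polkit then answers from the rules and defaults alone, and `is_challenge` tells the caller that an authentication agent would have been needed, so the job can fail cleanly instead of hanging.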

buhtz commented 1 year ago

I don't have expertise in that area. But if you need, you could ask the distro maintainers for advice. And I assume that there is also a solution for headless systems.

For Debian I would suggest to start at the debian-python mailing list or maybe at debian-security. The first list is also the home of the "Debian Python Packaging Team" and nearly all Python package maintainers.

aryoda commented 1 year ago

Currently I am just triaging to estimate the impact and find related issues (here, e.g. wayland) that could benefit from fixing this.

emtiu commented 1 year ago

Linux user space applications running in the lower privilege can request the Polkit framework to carry out the actions which require security privileges.

I like the idea that going down this road might allow us to eliminate the separate "Back In Time (root)" launcher that backintime ships as a .desktop file. Currently, most users use it to back up system files that are not accessible to their user (e.g. in /etc or /var).

aryoda commented 1 year ago

use it to back up system files that are not accessible to their user (e.g. in /etc or /var).

Very interesting aspect! I am not sure if Polkit can support this easily but separating the GUI from the CLI could achieve this:

Separating the frontend from the backend + introducing Polkit is an immense amount of work, so I currently strongly prefer to implement the already discussed and proven workaround with xhost +si:localuser:root (see #1349). The closed (not merged) PR https://github.com/bit-team/backintime/pull/1347/files looks like a good basis for a wayland workaround.

Germar commented 1 year ago

BiT already uses Polkit. Take a look at qt/net.launchpad.backintime.policy. But to use this for all needed operations would result in a rewrite of the GUI.

buhtz commented 8 months ago

Not sure which milestone I should set for this Issue.

aryoda commented 8 months ago

Not sure which milestone I should set for this Issue.

I see this very far away (until other major issues are fixed)