Open ghost opened 7 years ago
A comment in the above reddit link contains a dead link to a recommended video by Martin Graesslin at QCon 2016. It can be found here now: The pity state of Linux desktop security
Edit: I have just realized that my new link shows the same video as the above youtube link (but perhaps more privacy friendly ;-)
Running BiT with sudo or another "root-granting" starter like pkexec provides full root privileges to the whole application. These privileges can be exploited to perform unauthorized operations, thereby creating a security incident.
polkit is:
> Linux user space applications running in the lower privilege can request the Polkit framework to carry out the actions which require security privileges.
For an introduction into the why and how of polkit, see this link:
To enable Polkit for BiT two major steps are required:
1. /usr/share/polkit-1/actions directory
2. Polkit API via D-Bus or a library

For details see: https://www.freedesktop.org/software/polkit/docs/latest/
Furthermore we need to check if all supported distros are compatible with our Polkit implementation.
Special care must be taken for headless systems where asking the user is not possible (eg. when backintime is run via cron).
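As an added illustration of the two steps above (this is not a file from the backintime project; the action id, vendor and helper path are constructed placeholders), a polkit action file that lets the unprivileged GUI start only a non-GUI backend helper as root, with comments marking the settings that would widen this back to "whole application as root" and the case of a headless caller:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!-- Constructed example, installed as
       /usr/share/polkit-1/actions/com.example.backup.policy
     The non-root GUI would invoke the helper through
       pkexec /usr/libexec/example-backup-helper --snapshot
     pkexec matches the program against the exec.path annotation below and
     asks polkit over D-Bus whether the calling session is authorized. -->
<policyconfig>
  <vendor>Example Project (placeholder)</vendor>
  <action id="com.example.backup.run-helper">
    <description>Create a backup snapshot of system files</description>
    <message>Authentication is required to back up system files</message>
    <defaults>
      <!-- Callers without a local session (a cron job, an SSH login) fall
           under allow_any; 'no' means they are refused outright rather than
           blocking on a password prompt nobody can answer. -->
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <!-- auth_admin_keep: an administrator password, cached briefly.
           'yes' here would turn the helper into a passwordless root launcher. -->
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <!-- The only program this action may start. Pointing it at the GUI
         binary would recreate "full root privileges to the whole application".
         pkexec passes the caller's arguments through unchanged, so the helper
         itself must validate them. -->
    <annotate key="org.freedesktop.policykit.exec.path">/usr/libexec/example-backup-helper</annotate>
    <!-- Deliberately absent: org.freedesktop.policykit.exec.allow_gui,
         the annotation that exists to let a graphical program run as root. -->
  </action>
</policyconfig>
```

A headless run such as the cron case then needs its own non-interactive path (for example a root-owned cron entry that calls the helper directly), since polkit cannot ask anyone for a password there.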
I don't have expertise in that area. But if you need you could ask the distro maintainers for advice. And I assume that there is also a solution for headless systems.
For Debian I would suggest to start at the debian-python mailing list or maybe at debian-security. The first list is also the home of the "Debian Python Packaging Team" and nearly all Python package maintainers.
Currently I am just triaging to estimate the impact and find related issues (here eg. wayland) that could benefit from fixing this
> Linux user space applications running in the lower privilege can request the Polkit framework to carry out the actions which require security privileges.
I like the idea that going down this road might allow us to eliminate the separate "Back In Time (root)" launcher that backintime ships as a .desktop file. Currently, most users use it to backup systems files that are not accessible to their user (e.g. in /etc or /var).
> use it to backup systems files that are not accessible to their user (e.g. in /etc or /var).
Very interesting aspect! I am not sure if Polkit can support this easily but separating the GUI from the CLI could achieve this:
pkexec since it doesn't use wayland (nor any GUI).
Separating the frontend from the backend + introducing Polkit is an immense amount of work so I currently strongly prefer to implement the already discussed and proven work-around with xhost +si:localuser:root (see #1349). The closed (not merged) PR https://github.com/bit-team/backintime/pull/1347/files looks like a good basis for a wayland work-around.
BiT already uses Polkit. Take a look at qt/net.launchpad.backintime.policy. But using this for all needed operations would result in a rewrite of the GUI.
Not sure which milestone I should set for this Issue.
I see this very far away (until other major issues are fixed)
I think backintime graphical interface should always be started under non-root account and use polkit rules for running only specific commands (like rsync) which need special privileges.
Running graphical apps as root is considered insecure https://www.youtube.com/watch?v=-T1LoHTZDvs https://www.reddit.com/r/kde/comments/5l35db/how_can_you_enable_root_access_in_dolphin/
It will also fix behaviour under wayland https://github.com/bit-team/backintime/issues/640