Open seb128 opened 2 years ago
The ua tool requires us to be root (i.e. checks that it is being called by uid=0):
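```python
import os
from functools import wraps

# `exceptions` is the ua client's own exceptions module.


def assert_root(f):
    """Decorator asserting root user"""

    @wraps(f)
    def new_f(*args, **kwargs):
        if os.getuid() != 0:
            raise exceptions.NonRootUserError()
        else:
            return f(*args, **kwargs)

    return new_f
```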
I think the solution to this would be to make a group that is allowed to access the ua tool, and then make u-a-d-d a non-privileged user in that group.
I don't think there's any value in using pkexec as that's essentially what u-a-d-d is doing already - it's not really doing any more processing other than just proxying the calls.
Hmm, now I think about it though ua might well require root privileges to write files etc. So we have to be root when we call it.
Therefore the solution might be:
ua via the root subprocess.
The MIR review [1] had that suggestion
Unsure if that would be possible, in practice attaching a token probably requires admin privileges but maybe we could ask for credential and pkexec only the ua attach call or something? It's not a high priority request and wasn't a pre-requirement for promotion but let's at least have a ticket as a reminder to investigate how doable that would be.
[1] https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/+bug/1954909
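A sketch of the split discussed in this thread (an unprivileged daemon that elevates only individual `ua` calls through `pkexec`), added here as an illustration and not taken from u-a-d-d or the ua client. The allowlist, the argument patterns, the binary paths and the names `build_argv` and `run_request` are all assumptions, as is `status` being usable without root.

```python
import re
import subprocess

UA = "/usr/bin/ua"          # assumed install path of the ua tool
PKEXEC = "/usr/bin/pkexec"  # assumed install path of pkexec

# Assumed argument format; not taken from the ua documentation.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,64}")

# Hypothetical allowlist: operation -> (needs root, argument pattern, fixed flags)
OPERATIONS = {
    "status": (False, None, ["--format", "json"]),
    "attach": (True, TOKEN_RE, []),
    "detach": (True, None, ["--assume-yes"]),
}


class RejectedRequest(ValueError):
    """The client asked for something outside the allowlist."""


def build_argv(operation, argument=None):
    """Map one client request to an argv list; only root operations get pkexec."""
    if operation not in OPERATIONS:
        raise RejectedRequest(f"operation not allowed: {operation!r}")
    needs_root, pattern, flags = OPERATIONS[operation]
    argv = [UA, operation]
    if pattern is None:
        if argument is not None:
            raise RejectedRequest(f"{operation} takes no argument")
    else:
        # fullmatch rejects option-like values such as "--help", so data
        # supplied by the client can never be parsed by ua as a flag.
        if not isinstance(argument, str) or not pattern.fullmatch(argument):
            raise RejectedRequest(f"bad argument for {operation}")
        argv.append(argument)
    argv += flags
    return [PKEXEC] + argv if needs_root else argv


def run_request(operation, argument=None):
    """Execute the request without a shell; the calling daemon stays unprivileged."""
    return subprocess.run(build_argv(operation, argument),
                          capture_output=True, text=True, check=False)
```

Building the argv as a list and validating the single client-controlled argument keeps the root-side call limited to a fixed set of commands, so the elevated process never sees free-form input.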