polkit-github-migration-bot / t4_polkit


configure.ac recommendations for directory ownership are incorrect #50

Open polkit-github-migration-bot opened 11 years ago

polkit-github-migration-bot commented 11 years ago

In gitlab.freedesktop.org by bugzilla-migration on Dec 26, 2012, 23:05

Link to the original issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/48

Submitted by Maxim Kammerer

Assigned to David Zeuthen @david

Link to original bug (#58787)

Description

The following commit: http://cgit.freedesktop.org/polkit/commit/configure.ac?id=8e0383cb9972f5b3b86e64f9b015f53671ce0323 adds a non-privileged polkitd user, with the following recommendations:

echo "NOTE: The directory ${sysconfdir}/polkit-1/rules.d must be owned"
echo "      by user '$POLKITD_USER' and have mode 700"

echo "NOTE: The directory ${datadir}/polkit-1/rules.d must be owned"
echo "      by user '$POLKITD_USER' and have mode 700"

Since polkitd has no need to change these files, it is actually safer to have the directories root-owned, and group-readable by polkitd. E.g.:

echo "NOTE: The directory ${sysconfdir}/polkit-1/rules.d must be group-owned"
echo "      by user '$POLKITD_USER' and have mode 750"

echo "NOTE: The directory ${datadir}/polkit-1/rules.d must be group-owned"
echo "      by user '$POLKITD_USER' and have mode 750"

That way, a limited daemon compromise that results in ability to overwrite daemon-owned files will not automatically result in full system compromise.


polkit-github-migration-bot commented 11 years ago

In gitlab.freedesktop.org by bugzilla-migration on Dec 26, 2012, 23:13

:speech_balloon: Maxim Kammerer said:

I tested with the following configuration successfully (see the referenced Gentoo bug):

chown root:polkitd /etc/polkit-1/rules.d
chmod 750 /etc/polkit-1/rules.d
chown root:root {/etc,/usr/share}/polkit-1/rules.d/ /usr/share/polkit-1/rules.d
chmod 644 {/etc,/usr/share}/polkit-1/rules.d/

I.e., there is also probably no reason to change default ownership/permissions in ${datadir}/polkit-1/rules.d.

polkit-github-migration-bot commented 11 years ago

In gitlab.freedesktop.org by bugzilla-migration on Dec 30, 2012, 15:27

:speech_balloon: Michael Biebl @mbiebl said:

(In reply to comment 0) The following commit: http://cgit.freedesktop.org/polkit/commit/configure.ac?id=8e0383cb9972f5b3b86e64f9b015f53671ce0323 adds a non-privileged polkitd user, with the following recommendations:

echo "NOTE: The directory ${sysconfdir}/polkit-1/rules.d must be owned"
echo "      by user '$POLKITD_USER' and have mode 700"

echo "NOTE: The directory ${datadir}/polkit-1/rules.d must be owned"
echo "      by user '$POLKITD_USER' and have mode 700"

Since polkitd has no need to change these files, it is actually safer to have the directories root-owned, and group-readable by polkitd. E.g.:

For that to work, you not only need a polkitd user, but also a dedicated polkitd group, which is more effort to set up. If writing to the directory by the polkitd process is of concern, you could simply make the directory polkitd:root 500.

polkit-github-migration-bot commented 11 years ago

In gitlab.freedesktop.org by bugzilla-migration on Dec 30, 2012, 15:39

:speech_balloon: Michael Biebl @mbiebl said:

(In reply to comment 2) (In reply to comment 0)

Since polkitd has no need to change these files, it is actually safer to have the directories root-owned, and group-readable by polkitd. E.g.:

For that to work, you not only need a polkitd user, but also a dedicated polkitd group, which is more effort to set up. If writing to the directory by the polkitd process is of concern, you could simply make the directory polkitd:root 500.

Which of course only protects against accidental removal/change of files by the polkitd process. A malicious attacker who has compromised the polkitd binary could chmod the directory 700 to be able to write into those directories, but I don't see how this would improve the security. If someone has compromised the binary, he can just as well return the desired results without actually executing the rules files.

polkit-github-migration-bot commented 11 years ago

In gitlab.freedesktop.org by bugzilla-migration on Dec 30, 2012, 17:38

:speech_balloon: Maxim Kammerer said:

(In reply to comment 2) For that to work, you not only need a polkitd user, but also a dedicated polkitd group, which is more effort to setup.

See the referenced Gentoo bug -- Gentoo already has such a group.

polkit-github-migration-bot commented 11 years ago

In gitlab.freedesktop.org by bugzilla-migration on Dec 30, 2012, 17:39

:speech_balloon: Maxim Kammerer said:

(In reply to comment 3) If someone has compromised the binary, he can just as well return the desired Results without actually executing the rules files.

Please re-read the bug report: "a limited daemon compromise".

polkit-github-migration-bot commented 11 years ago

In gitlab.freedesktop.org by bugzilla-migration on Mar 13, 2013, 20:57

:speech_balloon: Colin Walters @walters said:

Note that if the system supports ACLs, it'd be possible to grant the polkitd user read-only access to the directory too.
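An audit helper, added here as an example and not part of the polkit project or of this thread, that classifies a rules.d directory according to the ownership/mode options debated above (polkitd-owned 700, root:polkitd 750, polkitd:root 500, and a root:root default). The `classify`/`audit_path` functions and the verdict names are my own; the ACL route from the last comment is deliberately not inspected.

```python
import grp
import os
import pwd
import stat

# The two directories the thread argues about (configure.ac defaults for
# ${sysconfdir}/polkit-1/rules.d and ${datadir}/polkit-1/rules.d).
RULES_DIRS = ["/etc/polkit-1/rules.d", "/usr/share/polkit-1/rules.d"]

def classify(owner, group, mode, daemon_user="polkitd", daemon_group="polkitd"):
    """Return (verdict, reason) for a rules.d directory given its owner and
    group names and st_mode.  Only the owner/group/other triads are used:
    supplementary groups and ACLs (the getfacl route) are not inspected."""
    perm = stat.S_IMODE(mode)
    # Pick the triad the kernel would apply to the daemon's uid/gid.
    if owner == daemon_user:
        r, w, x = perm & stat.S_IRUSR, perm & stat.S_IWUSR, perm & stat.S_IXUSR
    elif group == daemon_group:
        r, w, x = perm & stat.S_IRGRP, perm & stat.S_IWGRP, perm & stat.S_IXGRP
    else:
        r, w, x = perm & stat.S_IROTH, perm & stat.S_IWOTH, perm & stat.S_IXOTH
    if w or perm & stat.S_IWOTH:
        return "daemon-writable", "a limited polkitd compromise can plant or edit rules files"
    if owner not in ("root", daemon_user):
        return "unexpected-owner", "owned by %s, neither root nor %s" % (owner, daemon_user)
    if owner == daemon_user:
        # e.g. polkitd:root 500: no write bit, but the owning uid can chmod it back.
        return "daemon-owned", "read-only bits only; the owner could still chmod"
    if not (r and x):
        return "daemon-unreadable", "polkitd cannot list this directory (absent an ACL)"
    return "ok", "root-owned, readable but not writable by polkitd"

def audit_path(path, daemon_user="polkitd", daemon_group="polkitd"):
    """Resolve the real owner, group and mode of path and classify them."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return classify(owner, group, st.st_mode, daemon_user, daemon_group)

if __name__ == "__main__":
    for d in RULES_DIRS:
        if os.path.isdir(d):
            print(d, *audit_path(d))
```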