vmihalko
commented
11 years ago In GitLab by @bugzilla-migration on Apr 26, 2013, 16:36
:speech_balloon: Miloslav Trmac said:
(All IMHO, and without spending that much time thinking about it.)
For handling remote subjects, and for the polkit configuration to make sense, subject identity should have meaning within the whole system without referring to a particular application (for example, an X.509 DN is suspect because it depends on what CA the application accepts). I can't see much value in moving application-specific authorization rules for application-specific subjects to the system-wide polkit service. Yes, there'd be a single place to configure "everything", but every application would still be configured differently.
Having a "domain" system that is configured system-wide and an uniform way to refer to subjects within that domain would be very vaulable (and it might allow us to start escaping the limitations of integer UIDs).
For local clients, I don't think applications are expected to do their own authentication, the IPC system together with polkit should handle it mostly transparently (as it does when the subject is a D-Bus endpoint). Would I be wrong in viewing SASL over AF_UNIX as a case of a "remote" subject that is only using a more optimized socket type? (Sure, without having support for remote subjects and SASL it doesn't help libvirt at this point.)
Having alternative subject identifications for a single connection has problematic semantics - what if the x509 cert (or local user account) is allowed but the SASL username is prohibited? I'd much prefer a "domain" model where the subject's identity is unambiguous and unique, possibly supporting several alternative ways to authenticate that identity, e.g. SASL, x.509, SCM_CREDS - but the result should be a single identity.
Arbitrary (key valure) pairs are generally a poor way to write an API. It is structurally non-ABI-breaking, fully compatible and fully extensible, but actually it tends to only move the ABI, compatibility and extensibility concerns from the language level (where we have automated tools to help) to the semantic level (where we don't and can't have such tools).
In GitLab by @bugzilla-migration on Apr 26, 2013, 16:02
Submitted by Daniel P. Berrange
Assigned to David Zeuthen
@davidLink to original bug (#63961)
Description
If there is no local UNIX user, session or DBus bus name available, then polkit can't be used for authorization, because no subject data can be provided to polkit. For example when libvirtd daemon accepts clients over a TCP connection, none of the 3 subject kinds is usable. The TCP clients do, however, have plenty of metadata that can used to form a subject identity. For example a kerberos principal name (negotiated via SASL), or some other SASL username, or a TLS x509 distinguished name, or some arbitrary combination of all of these.
Even when authorizing local clients, the fixed subject kinds is unhelpful. For example, when libvirt runs SASL over its UNIX sockets, the subject can be identified both by its PID and a kerberos principal name / SASL username.
Rather than adding more specialized subject classes, it would be desirable to have a generic subject class which accepted arbitrary (key,value) attributes. Then standardize the names of attributes for various pieces of information such as PID, PID start time, session name, SASL username, etc. This allows an application using polkit to pass all identifying attributes it has for a subject, rather than having to decide between passing a PID vs a session name vs a SASL username, or something else.