[oi-dev] glib changes review

2016-03-11 Thread Alexander Pyhalov
Please, review: 
https://github.com/OpenIndiana/oi-userland/compare/Openindiana:oi/hipster...pyhalov:pfexec


Issues: https://www.illumos.org/issues/6728
https://www.illumos.org/issues/5633


The issue is that glib incorrectly detects pfexec usage as a setuid 
program (even when pfexec doesn't change euid). So, it refuses to launch 
dbus - https://github.com/GNOME/glib/blob/master/gio/gdbusaddress.c#L1060


We heal it by falling back to euid/uid comparison. We also use pfexec to 
launch brasero and sound-juicer.
After 
https://github.com/OpenIndiana/oi-userland/commit/9f0f786ce02ff7a120952fa34888cdcca5b8469d 

the console user (Console User) should have the "Desktop Removable Media User" 
profile and have the sys_devices privilege, necessary for brasero and sound 
juicer (which uses brasero libraries) to work with CD devices.


I'm a bit concerned about unexpected security issues which it could cause...
--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department

___
oi-dev mailing list
oi-dev@openindiana.org
http://openindiana.org/mailman/listinfo/oi-dev
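The message above describes two ways a program can decide whether it is running "setuid-like": a kernel-provided flag (which, per the message, fires under pfexec even though the uids are unchanged) and a comparison of real and effective ids (the fallback the patch is described as using). The block below is an added example written for this page, not code from the thread, from glib or from illumos. It shows both checks side by side on Linux, where the flag is AT_SECURE in the auxiliary vector (/proc/self/auxv); on any other system the flag is simply reported as unknown and the id comparison decides. The auxv blobs used for checking the parser are constructed test input.

```python
"""Setuid-detection two ways: a kernel flag versus an id comparison.

Added example (not from the thread or from glib). Assumes a Linux
/proc layout for the flag-based path; elsewhere it returns None.
"""
import os
import struct

AT_NULL = 0
AT_SECURE = 23   # from <elf.h>: set to 1 when the kernel treated the exec as privileged


def ids_differ(ruid, euid, suid, rgid, egid, sgid) -> bool:
    """True if any real/effective/saved uid or gid disagrees with the others.

    This is the comparison-based check: it cannot be fooled by a launcher
    that marks the process as "secure" without actually changing ids.
    """
    return len({ruid, euid, suid}) > 1 or len({rgid, egid, sgid}) > 1


def secure_flag_from_auxv(data: bytes):
    """Parse an auxiliary vector (pairs of native unsigned longs) and
    return the AT_SECURE value, or None if the vector has no such entry."""
    fmt = "@LL"
    size = struct.calcsize(fmt)
    for off in range(0, len(data) - size + 1, size):
        key, val = struct.unpack_from(fmt, data, off)
        if key == AT_NULL:
            break
        if key == AT_SECURE:
            return int(val)
    return None


def read_secure_flag(path="/proc/self/auxv"):
    """Flag-based check for the current process; None when unavailable."""
    try:
        with open(path, "rb") as f:
            return secure_flag_from_auxv(f.read())
    except OSError:
        return None


def current_ids():
    """(ruid, euid, suid, rgid, egid, sgid) of the current process."""
    if hasattr(os, "getresuid"):
        return os.getresuid() + os.getresgid()
    # platforms without saved-id accessors: treat saved == effective
    return (os.getuid(), os.geteuid(), os.geteuid(),
            os.getgid(), os.getegid(), os.getegid())


def looks_setugid(use_flag=True) -> bool:
    """Prefer the kernel flag when it is readable, otherwise compare ids."""
    if use_flag:
        flag = read_secure_flag()
        if flag is not None:
            return bool(flag)
    return ids_differ(*current_ids())


def make_auxv(pairs):
    """Build a synthetic auxv blob (constructed input for exercising the parser)."""
    body = b"".join(struct.pack("@LL", k, v) for k, v in pairs)
    return body + struct.pack("@LL", AT_NULL, 0)


if __name__ == "__main__":
    # A launcher that sets the flag without changing ids is exactly the
    # case the thread describes: the two checks disagree.
    flagged = make_auxv([(33, 0x7fff0000), (AT_SECURE, 1)])
    print("flag says setuid:", secure_flag_from_auxv(flagged) == 1)
    print("ids say setuid:  ", ids_differ(1000, 1000, 1000, 1000, 1000, 1000))
    print("this process:    ", looks_setugid())
```

The flag-based check is the stricter one (it also covers capability and filesystem-attribute elevations that leave uids equal), so a program that falls back to the id comparison is deliberately trading that coverage for not refusing to run under a launcher that only marks the process.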


Re: [oi-dev] glib changes review

2016-03-11 Thread Peter Tribble
On Fri, Mar 11, 2016 at 12:03 PM, Alexander Pyhalov  wrote:

> Please, review:
> https://github.com/OpenIndiana/oi-userland/compare/Openindiana:oi/hipster...pyhalov:pfexec
>
> Issues: https://www.illumos.org/issues/6728
> https://www.illumos.org/issues/5633
>
>
> The issue is that glib incorrectly detects pfexec usage as setuid program
> (even when pfexec doesn't change euid). So, it refuses to launch dbus -
> https://github.com/GNOME/glib/blob/master/gio/gdbusaddress.c#L1060
>
> We heal it by falling back to euid/uid comparison. We also use pfexec to
> launch brasero and sound-juicer.
> After
> https://github.com/OpenIndiana/oi-userland/commit/9f0f786ce02ff7a120952fa34888cdcca5b8469d
> console user (Console User) should have "Desktop Removable Media User"
> profile and have sys_devices privileges, necessary for brasero and sound
> juicer (which uses brasero libraries) to work with CD devices.
>
> I'm a bit concerned about unexpected security issues which it could cause..


The problem I see with using pfexec is that bad things happen if the user
has some other profiles or privileges, so you end up giving those programs
rights they don't need. For example, if the user is Primary Administrator
then pfexec usually equates to "run as root", which probably isn't what you
intend. Generally, using pfexec assumes that the program being run is
privilege aware (so it can drop any unexpected privileges).

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/

Re: [oi-dev] glib changes review

2016-03-11 Thread Alexander Pyhalov

On 03/11/2016 15:18, Peter Tribble wrote:
> On Fri, Mar 11, 2016 at 12:03 PM, Alexander Pyhalov  wrote:
>
> The problem I see with using pfexec is that bad things happen if the user
> has some other profiles or privileges, so you end up giving those programs
> rights they don't need. For example, if the user is Primary Administrator
> then pfexec usually equates to "run as root", which probably isn't what you
> intend. Generally, using pfexec assumes that the program being run is
> privilege aware (so it can drop any unexpected privileges).


I see this, but don't have a good answer besides writing in the docs 
"Don't use Primary Administrator profile".


The issue is that we want to give these programs sys_devices privileges. 
Is there a good way to do this without using pfexec?

"pfexec -P sys_devices something" doesn't seem to work.

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [oi-dev] glib changes review

2016-03-11 Thread Alexander Pyhalov

On 03/11/2016 15:43, Alexander Pyhalov wrote:
> The issue is that we want to give these programs sys_devices privileges.
> Is there a good way to do this without using pfexec?
> "pfexec -P sys_devices something" doesn't seem to work.



"pfexec ppriv -s L=basic,sys_devices something" works better, but 
doesn't prevent programs from changing uid when the user has the Primary 
Administrator profile...



--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [oi-dev] glib changes review

2016-03-11 Thread Alexander Pyhalov
So, what about the latest version + recommendation to never use Primary 
Administrator for desktop user ? :)


On 03/11/2016 15:18, Peter Tribble wrote:
> On Fri, Mar 11, 2016 at 12:03 PM, Alexander Pyhalov  wrote:
>
> Please, review:
> https://github.com/OpenIndiana/oi-userland/compare/Openindiana:oi/hipster...pyhalov:pfexec

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [oi-dev] glib changes review

2016-03-11 Thread Alexander Pyhalov
Here's the new version : 
https://github.com/OpenIndiana/oi-userland/compare/Openindiana:oi/hipster...pyhalov:pfexec


What is changed:
- now we use pfexec to run brasero and sound juicer;
- we don't care if the user runs with EUID 0, it's his own difficulties;
so far this works with sudo, but fails (for brasero only) with 
su/pfexec, when the user has the Primary Administrator profile (just don't use 
Primary Administrator, it's insane);
- we restrict privileges to basic_privs,sys_devices.

What is changed from the user's perspective:
- brasero/sound juicer will work in default configurations when run from 
the menu;
- if you have the Primary Administrator profile, brasero will not work when 
run from the menu.


Needs some more testing (so far didn't try to write CDs, just looked at 
ppriv output).

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [oi-dev] glib changes review

2016-03-11 Thread Alexander Pyhalov

Alexander Pyhalov wrote on 11.03.2016 23:15:
> Here's the new version :
> https://github.com/OpenIndiana/oi-userland/compare/Openindiana:oi/hipster...pyhalov:pfexec
>
> ...
>
> Needs some more testing (so far didn't try to write CDs, just looked
> at ppriv output).


I've just tested it. cdrecord needs to be called with pfexec to get its 
privileges:

Basic Solaris User:solaris:cmd:RO::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr

So, I added a pfexec call.

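Three points in this thread hinge on what pfexec actually hands a command: Peter's warning that a Primary Administrator user gets "run as root" for anything launched through pfexec, Alexander's observation that `pfexec ppriv -s L=basic,sys_devices` narrows the privileges but does not stop the uid change, and the exec_attr line quoted above for cdrecord.bin. The block below is an added example written for this page, not code from the thread, from OpenIndiana or from illumos. It models the exec_attr(5) lookup pfexec performs and what the matching entry does to the uids and privilege set. Assumptions, all labelled in the code: the exec_attr database is constructed (only the cdrecord line comes from the thread; the Primary Administrator and Desktop Removable Media User entries are stand-ins), the basic privilege set is a stand-in, and "first matching entry in the user's profile order, with `*` matching any command" is a simplification of the real lookup.

```python
"""Model of pfexec(1) resolving an exec_attr(5) entry and its effect.

Added example, not code from the thread, OpenIndiana or illumos.
Fields of an exec_attr line: name:policy:type:res1:res2:id:attr
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Stand-in for the basic privilege set (assumption; ppriv(1) shows the real one).
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"})
ALL = frozenset({"ALL"})   # marker: euid 0 without a privs= restriction gets everything

# Constructed exec_attr(5) database. The cdrecord.bin line is the one quoted
# in the thread; the other two entries are assumptions for the example.
EXEC_ATTR = """
Primary Administrator:solaris:cmd:::*:uid=0;gid=0
Basic Solaris User:solaris:cmd:RO::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
Desktop Removable Media User:solaris:cmd:::/usr/bin/brasero:privs=basic,sys_devices
"""


@dataclass
class ExecAttr:
    profile: str
    cmd: str                 # the id field: an absolute path or the wildcard "*"
    attrs: Dict[str, str]    # key=value pairs from the attr field


@dataclass(frozen=True)
class Launch:
    uid: int
    euid: int
    privs: FrozenSet[str]
    granted_by: Optional[str]   # profile whose entry applied, None if none did


def expand(spec: str) -> FrozenSet[str]:
    """Expand a comma list such as 'basic,sys_devices' into a privilege set."""
    out = set()
    for p in spec.split(","):
        out |= BASIC if p == "basic" else {p}
    return frozenset(out)


def parse_exec_attr(text: str) -> List[ExecAttr]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            raise ValueError("malformed exec_attr line: %r" % line)
        name, _policy, _kind, _res1, _res2, cmd, attr = fields
        attrs = dict(kv.partition("=")[::2] for kv in attr.split(";") if kv)
        entries.append(ExecAttr(name, cmd, attrs))
    return entries


def lookup(entries, profiles, command) -> Optional[ExecAttr]:
    """Simplified pfexec lookup: walk the user's profiles in order and take
    the first entry naming the command or the wildcard '*' (assumption)."""
    for prof in profiles:
        for e in entries:
            if e.profile == prof and e.cmd in ("*", command):
                return e
    return None


def pfexec(entries, profiles, command, uid=1000, privs=BASIC) -> Launch:
    """What the command starts with when a user with these profiles runs
    it through pfexec."""
    e = lookup(entries, profiles, command)
    if e is None:
        return Launch(uid, uid, privs, None)
    new_uid, new_euid = uid, uid
    if "uid" in e.attrs:                        # uid= sets real and effective
        new_uid = new_euid = int(e.attrs["uid"])
    elif "euid" in e.attrs:                     # euid= sets only the effective uid
        new_euid = int(e.attrs["euid"])
    new_privs = privs | expand(e.attrs["privs"]) if "privs" in e.attrs else privs
    if new_euid == 0 and "privs" not in e.attrs:
        new_privs = ALL                         # plain root: no privilege restriction
    return Launch(new_uid, new_euid, new_privs, e.profile)


def ppriv_limit(launch: Launch, limit: str) -> Launch:
    """Model 'ppriv -s L=<limit> cmd' run after pfexec: the limit set caps the
    privileges the process can ever hold, but the uids are already in place."""
    lim = expand(limit)
    kept = lim if launch.privs == ALL else launch.privs & lim
    return Launch(launch.uid, launch.euid, kept, launch.granted_by)


def scenarios() -> Dict[str, Launch]:
    entries = parse_exec_attr(EXEC_ATTR)
    desktop = ["Basic Solaris User", "Desktop Removable Media User"]
    admin = ["Primary Administrator"] + desktop
    return {
        "brasero, desktop user": pfexec(entries, desktop, "/usr/bin/brasero"),
        "brasero, Primary Administrator": pfexec(entries, admin, "/usr/bin/brasero"),
        "brasero, Primary Administrator + ppriv": ppriv_limit(
            pfexec(entries, admin, "/usr/bin/brasero"), "basic,sys_devices"),
        "cdrecord.bin, desktop user": pfexec(entries, desktop, "/usr/bin/cdrecord.bin"),
    }


if __name__ == "__main__":
    for name, l in scenarios().items():
        print("%-40s uid=%d euid=%d via=%s privs=%s"
              % (name, l.uid, l.euid, l.granted_by, ",".join(sorted(l.privs))))
```

Running the scenarios shows the three outcomes the thread describes: a desktop user gets brasero with basic plus sys_devices at their own uid, a Primary Administrator user gets brasero as root with no privilege restriction because the wildcard entry wins, and wrapping the same launch in `ppriv -s L=basic,sys_devices` trims the privilege set back but leaves uid 0 in place.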

Re: [oi-dev] glib changes review

2016-03-15 Thread Nikola M

On 03/11/16 09:15 PM, Alexander Pyhalov wrote:
> Here's the new version : 
> https://github.com/OpenIndiana/oi-userland/compare/Openindiana:oi/hipster...pyhalov:pfexec
>
> What is changed:
> - now we use pfexec to run brasero and sound juicer;
> - we don't care if user runs with EUID 0, it's his own difficulties;
> so far this works with sudo, but fails (for brasero only) with 
> su/pfexec, when user have Primary Administrator profile (just don't 
> use Primary Administrator, it's insane));
>
> - we restrict privileges to basic_privs,sys_devices.
>
> What is changed from user perspective:
> - brasero/sound juicer will work in default configurations when run 
> from menu;
> - if  you have Primary Administrator profile, brasero will not work 
> when run from menu.
>
> Needs some more testing (so far didn't try to write CDs, just looked 
> at ppriv output).
This is _not_ a sane "solution", nor acceptable, to make Primary 
Administrator an invalid because there are bugs somewhere else, in Glib.
I would rather have sound-juicer/brasero NOT work as a user if Primary 
Administrator can't do that task.


Primary Administrator can be used to test whether some functionality works 
and to see exactly where bugs are, and this bug is, as said, in Glib and not 
elsewhere, so until it is fixed, it is better not to make things worse.  
PA should be able to do _anything_, so not being able to do _anything_ 
is a very huge bug by itself.
Not introducing a bigger bug to solve another one is very much 
appreciated, please.


Primary Administrator is not selected by default at the moment, and it is 
enough to say that it is not to be used for everyday tasks, without 
attacking its existence.


Ideally, the command should work as described, as a desktop user (not every 
user) should be able to write optical media and read from it for some 
tasks (even if it means making a new RBAC role for it), and that is where 
roles come into play, but without affecting the rest of the system's sanity.


