Re: ConsoleKit (0.2.10) / PolicyKit / Security hole
hi Justin,

Justin Brisson [2008-10-26 21:40 -0400]:
> Could you please give a brief description of what exactly this is?

Could you please give a brief description of what exactly you are asking? :-)

ConsoleKit homepage and docs: http://www.freedesktop.org/wiki/Software/ConsoleKit
PolicyKit homepage and docs: http://www.freedesktop.org/wiki/Software/PolicyKit

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: ConsoleKit (0.2.10) / PolicyKit / Security hole
On Saturday 19 July 2008 at 11:26 +0100, Martin Pitt wrote:
> > Currently, there is no user of the CK Restart/Stop methods (new gdm will
> > use it, which is neither in Debian nor Ubuntu, though).
>
> Seb is currently fighting with the new gdm, but it is horribly
> incomplete yet, and nowhere near to being a replacement for 2.20. So I
> don't see it going into neither Lenny nor Intrepid.

Hey there,

I took some time to look at why the gnome-session restart and halt actions don't work in intrepid, and it turns out it's due to that: the new gnome-session uses those actions, which don't work in Ubuntu. The bug is https://bugs.launchpad.net/ubuntu/intrepid/+source/consolekit/+bug/250506 for reference. Does anybody have a suggestion on what would be the best way to resolve the issue?

Sebastien Bacher

Re: ConsoleKit (0.2.10) / PolicyKit / Security hole
Martin Pitt wrote:
> Michael Biebl [2008-07-19 6:47 +0200]:
> > Problem now is, if you disable the PolicyKit support, the restart/stop functions are unprotected, and everyone (even through ssh logins) can shutdown/reboot the system. For fun try [3] from an unprivileged user account. See src/ck-manager.c and grep for HAVE_POLKIT
>
> Ugh, many thanks for bringing this up, and yay for upstreams putting sane defaults into their software...
>
> > Imo this is a major security hole in intrepid.
>
> Full ack.
>
> > Now there are different options how to address this:
> > 1. in /etc/dbus-1/system.d/ConsoleKit.conf
> > open
> > only for
> > a) root
> > b) at_console
>
> Would work for me. However, I think we should rather fix the upstream code to deny access to those functions altogether if policykit support is disabled. That would be the safe and sane fallback IMNSHO. We should also urge upstream to adopt that patch.

Well, it's basically the same as with hal's powermanagement interface (org.freedesktop.Hal.Device.SystemPowerManagement: Shutdown()/Reboot()/..)

If PK support is not enabled in hal, it's only safeguarded by the dbus policy rules. It's just that hal upstream used to ship a more restrictive dbus conf file (the current hal.conf.in upstream git has the same security problem, at least it has some comments within the conf file).

I guess I'll go with 1.a) then for the Debian package.

Cheers,
Michael
--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

Re: ConsoleKit (0.2.10) / PolicyKit / Security hole
Hi Michael,

Michael Biebl [2008-07-19 6:47 +0200]:
> first of all, I hope that ubuntu-devel-discuss is the correct email
> address for contacting the Ubuntu maintainers of consolekit and
> policykit (taken from debian/control). I've also CCed Martin just in
> case.

I'm on u-d-d. Thanks a lot for notifying!

> Today I started updating consolekit to 0.2.10-1 in Debian. The work is
> available from the pkg-utopia svn [1], as always.

Thanks for that, and merging some of our patches.

> I deliberately did not enable the PolicyKit support in ConsoleKit.

Neither did I, I fully agree to you. I read the huge discussion on the upstream ML back then, and basically everyone seemed to disagree with William. :/

> Problem now is, if you disable the PolicyKit support, the restart/stop
> functions are unprotected, and everyone (even through ssh logins) can
> shutdown/reboot the system. For fun try [3] from an unprivileged user
> account. See src/ck-manager.c and grep for HAVE_POLKIT

Ugh, many thanks for bringing this up, and yay for upstreams putting sane defaults into their software...

> Imo this is a major security hole in intrepid.

Full ack.

> Now there are different options how to address this:
> 1. in /etc/dbus-1/system.d/ConsoleKit.conf
> open
> send_member="Restart"/>
> send_member="Stop"/>
> only for
> a) root
> b) at_console

Would work for me. However, I think we should rather fix the upstream code to deny access to those functions altogether if policykit support is disabled. That would be the safe and sane fallback IMNSHO. We should also urge upstream to adopt that patch.

> Currently, there is no user of the CK Restart/Stop methods (new gdm will
> use it, which is neither in Debian nor Ubuntu, though).

Seb is currently fighting with the new gdm, but it is horribly incomplete yet, and nowhere near to being a replacement for 2.20. So I don't see it going into neither Lenny nor Intrepid.

Thanks!

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
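
An added example, not part of the thread or of ConsoleKit: a small lint that reads a D-Bus system policy and reports any allow rule that lets a scope other than root (option 1.a above) call Restart or Stop. The interface name org.freedesktop.ConsoleKit.Manager, the helper names and both sample policies are assumptions constructed for illustration; deny rules and D-Bus rule precedence are not modelled.

```python
import xml.etree.ElementTree as ET

CK_BUS = "org.freedesktop.ConsoleKit"      # assumed bus name
CK_MANAGER = CK_BUS + ".Manager"           # assumed interface carrying Restart/Stop
GUARDED = {"Restart", "Stop"}

# Constructed sample policies (not the shipped ConsoleKit.conf).
WEAK = """<busconfig>
  <policy user="root"><allow own="org.freedesktop.ConsoleKit"/></policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Restart"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Stop"/>
  </policy>
</busconfig>"""
ROOT_ONLY = WEAK.replace('context="default"', 'user="root"')

def policy_scope(policy):
    """Label a <policy> element by who it applies to, e.g. 'user=root'."""
    for attr in ("user", "group", "at_console", "context"):
        if attr in policy.attrib:
            return f"{attr}={policy.attrib[attr]}"
    return "unscoped"

def exposed_allows(conf_xml, permitted=frozenset({"user=root"})):
    """Return (scope, member) for each allow rule that lets a scope outside
    `permitted` call Restart/Stop. Lint only: deny rules are not evaluated."""
    findings = []
    for policy in ET.fromstring(conf_xml).iter("policy"):
        scope = policy_scope(policy)
        if scope in permitted:
            continue
        for rule in policy.findall("allow"):
            if not any(a.startswith("send_") for a in rule.attrib):
                continue  # own= / receive_* rules grant no method calls
            if rule.get("send_type", "method_call") != "method_call":
                continue  # signals, replies and errors are not method calls
            if rule.get("send_destination", CK_BUS) != CK_BUS:
                continue  # rule targets a different service
            if rule.get("send_interface", CK_MANAGER) != CK_MANAGER:
                continue  # rule targets a different interface
            member = rule.get("send_member")
            # A rule without send_member covers every method, both guarded ones included.
            hit = GUARDED if member is None else GUARDED & {member}
            findings += [(scope, m) for m in sorted(hit)]
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("ROOT_ONLY", ROOT_ONLY)):
        print(name, exposed_allows(conf) or "Restart/Stop limited to root")
```

Passing `permitted={"user=root", "at_console=true"}` checks a file against option 1.b instead.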