Hi,

first of all, I hope that ubuntu-devel-discuss is the correct email address for contacting the Ubuntu maintainers of consolekit and policykit (taken from debian/control). I've also CCed Martin just in case.

On to my actual issue:

Today I started updating consolekit to 0.2.10-1 in Debian. The work is available from the pkg-utopia svn [1], as always.

I deliberately did not enable the PolicyKit support in ConsoleKit.
Enabling PolicyKit support means that ConsoleKit will link against libpolkit. libpolkit, on the other hand, requires that the complete policykit package is installed. The init functions in libpolkit place inotify watches on certain files and directories (which are only shipped in the policykit package, like /etc/PolicyKit/PolicyKit.conf and /var/lib/misc/PolicyKit.reload).
If those files are not present, libpolkit will not work correctly.

I.e. enabling PolicyKit support in ConsoleKit would mean the package would have to declare a dependency on the policykit package. On the other hand, the policykit package requires the consolekit package to work properly. For the gory details see [2].

The simple reason why PolicyKit support was added to ConsoleKit is that ConsoleKit has new functionality like System restart/stop, which has to be protected, so not everyone can call these functions.

It's debatable whether such functionality belongs in ConsoleKit (I think it doesn't, but upstream disagrees).

The problem now is that if you disable the PolicyKit support, the restart/stop functions are unprotected, and everyone (even through ssh logins) can shut down/reboot the system. For fun try [3] from an unprivileged user account. See src/ck-manager.c and grep for HAVE_POLKIT.

Imo this is a major security hole in intrepid.

Now there are different options how to address this:
1. In /etc/dbus-1/system.d/ConsoleKit.conf, open
    <allow send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Restart"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Stop"/>
   only for
   a) root
   b) at_console
2. Enable PolicyKit support in ConsoleKit

Currently, there is no user of the CK Restart/Stop methods (new gdm will use it, which is neither in Debian nor Ubuntu, though).

So imo the safest option would be 1.a)

Other opinions?

Michael


[1] http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/consolekit
[2] http://lists.freedesktop.org/archives/hal/2008-January/010603.html
    http://lists.freedesktop.org/archives/hal/2008-January/010669.html
[3] dbus-send --system --dest=org.freedesktop.ConsoleKit \
  --type=method_call --print-reply --reply-timeout=2000 \
    /org/freedesktop/ConsoleKit/Manager \
      org.freedesktop.ConsoleKit.Manager.Stop

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
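
Option 1.a) above, as an added example that is not part of the original message or of the ConsoleKit package: a small audit that reads a D-Bus policy file and reports which `<policy>` blocks end up allowing `Restart` and `Stop`. Both policy fragments are constructed for illustration (they are not the shipped ConsoleKit.conf), the function names are hypothetical, and each block is judged on its own, so precedence between blocks is not modelled.

```python
import xml.etree.ElementTree as ET

IFACE = "org.freedesktop.ConsoleKit.Manager"
PROTECTED = ("Restart", "Stop")

# Constructed policy fragments (assumptions, not the shipped ConsoleKit.conf).
OPEN_POLICY = """<busconfig>
  <policy context="default">
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Restart"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Stop"/>
  </policy>
</busconfig>"""

ROOT_ONLY_POLICY = """<busconfig>
  <policy context="default">
    <deny send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Restart"/>
    <deny send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Stop"/>
  </policy>
  <policy user="root">
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Restart"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Stop"/>
  </policy>
</busconfig>"""

def policy_label(policy):
    """Name a <policy> block by its selector attribute, e.g. 'user=root'."""
    for attr in ("user", "group", "at_console", "context"):
        if attr in policy.attrib:
            return f"{attr}={policy.attrib[attr]}"
    return "unknown"

def rule_matches(rule, member):
    """True if a send rule covers IFACE.member; a missing attribute is a wildcard,
    send_destination is ignored (so the audit errs on the side of reporting)."""
    a = rule.attrib
    if not any(k.startswith("send_") for k in a):
        return False  # own=/receive_* rules say nothing about sending
    return a.get("send_interface", IFACE) == IFACE and a.get("send_member", member) == member

def who_may_call(xml_text):
    """Map each protected member to the blocks whose last matching rule is <allow>."""
    result = {m: [] for m in PROTECTED}
    for policy in ET.fromstring(xml_text).iter("policy"):
        for member in PROTECTED:
            verdict = None
            for rule in policy:
                if rule.tag in ("allow", "deny") and rule_matches(rule, member):
                    verdict = rule.tag  # later rules in a block override earlier ones
            if verdict == "allow":
                result[member].append(policy_label(policy))
    return result
```

Any entry other than `user=root` in the result for a real policy file means the method is reachable by more than option 1.a) intends.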
