Martin Pitt wrote:
> Michael Biebl [2008-07-19 6:47 +0200]:
> > Problem now is, if you disable the PolicyKit support, the restart/stop functions are unprotected, and everyone (even through ssh logins) can shutdown/reboot the system. For fun try [3] from an unprivileged user account. See src/ck-manager.c and grep for HAVE_POLKIT
>
> Ugh, many thanks for bringing this up, and yay for upstreams putting sane defaults into their software...
>
> > Imo this is a major security hole in intrepid.
>
> Full ack.
>
> > Now there are different options how to address this:
> > 1. in /etc/dbus-1/system.d/ConsoleKit.conf open
> >      <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Restart"/>
> >      <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Stop"/>
> >    only for
> >      a) root
> >      b) at_console
>
> Would work for me. However, I think we should rather fix the upstream code to deny access to those functions altogether if policykit support is disabled. That would be the safe and sane fallback IMNSHO. We should also urge upstream to adopt that patch.
Well, it's basically the same as with hal's power management interface (org.freedesktop.Hal.Device.SystemPowerManagement: Shutdown()/Reboot()/..)
If PK support is not enabled in hal, it's only safeguarded by the dbus policy rules. It's just that hal upstream used to ship a more restrictive dbus conf file (the current hal.conf.in upstream git has the same security problem, at least it has some comments within the conf file).
I guess I'll go with 1.a) then for the Debian package.

Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
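As an added illustration of option 1 from the quoted message, here is a constructed D-Bus policy file showing the blanket allow on the Manager interface beside the root/at_console carve-out; it is not the ConsoleKit.conf shipped by Debian, Ubuntu or upstream, and the well-known bus name org.freedesktop.ConsoleKit is assumed.

```xml
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Constructed example for the thread above; not a distribution's real
     /etc/dbus-1/system.d/ConsoleKit.conf. Bus name is assumed. -->
<busconfig>

  <!-- Policies are applied default -> group -> user -> at_console, and within
       one <policy> the last matching rule wins, so rule order matters. -->
  <policy context="default">
    <!-- The weak configuration stops after this rule: a blanket allow on the
         Manager interface also exposes Restart and Stop to every local user,
         including SSH logins, once the PolicyKit check is compiled out. -->
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"/>
    <!-- Hardening: carve the two privileged members back out. Match on
         destination + member rather than on the interface, because the
         interface field of a method call is optional and a deny keyed on
         send_interface alone would not cover calls that omit it. -->
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_member="Restart"/>
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_member="Stop"/>
  </policy>

  <!-- 1.a) root owns the service and may Restart/Stop however it logged in. -->
  <policy user="root">
    <allow own="org.freedesktop.ConsoleKit"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_member="Restart"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_member="Stop"/>
  </policy>

  <!-- 1.b) optionally also users on a local console. An SSH session is not
       at_console, so for it the default-policy deny above still applies. -->
  <policy at_console="true">
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_member="Restart"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_member="Stop"/>
  </policy>

</busconfig>
```

Drop the at_console policy to get exactly variant 1.a); after editing, reload the bus daemon and verify from a non-console login that the calls are rejected with org.freedesktop.DBus.Error.AccessDenied.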
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss