tags 482064 -patch
thanks

James Westby wrote:
> Package: policykit
> Severity: normal
> Version: 0.8-1
> Tags: patch
> User: [EMAIL PROTECTED]
> Usertags: origin-ubuntu intrepid ubuntu-patch
>
> Hi,
>
> In the 0.8 release of policykit the text at the end of the ./configure output saying that certain files should have certain permissions has changed, but the postinst wasn't changed to match. I haven't tested to check whether this has any effect on the functionality, but presumably the requirements are there for a reason.
>
> I am attaching the Ubuntu diff that changes it to match what is in Fedora, as that is slightly more precise than the ./configure text, and was done by upstream himself. However the patch does include a change that the fix from bug 452198 makes unneeded. If you don't want the patch in 452198, or at least don't want to apply them both at the same time, then I would be happy to update the patch to not include that part.
Hi James,thanks for filing this bug report. As it happens, I already noticed that issue myself and have discussed that extensively with upstream. There is currently a discrepancy between the configure output, the actual rules in the makefiles and how the rpm installs it. Your proposed patch is not quite correct (you will see that if you read the following discussion), so I'm removing the "patch" tag.
I already have a correct fix ready and will provide updated packages soon. FWIW here is an excerpt of the discussion I had with David Zeuthen:
On Wed, 2008-04-23 at 01:02 +0200, Michael Biebl wrote:
> Hi David,
>
> as I'm generally a bit paranoid regarding suid/sgid binaries, and as I noticed some discrepancies between the ./configure message, the installed files and the permissions as installed by the fedora package, I'd like to ask you for clarification.

First of all, I'm glad someone is reviewing this (the SUSE and RH security teams have been reviewing it as well). So thanks for taking the time to look through it.

One thing I want to do is to include a section in the docs detailing how the 'default' backend works, including security notes. Is that something you would like to help with based on my explanations below?

> (this is policykit 0.8)
>
> ./configure says (condensed)
>
> 1.1   770   root        polkituser  /var/run/PolicyKit
> 1.2   770   root        polkituser  /var/lib/PolicyKit
> 1.3   755   polkituser  root        /var/run/PolicyKit-public
> 1.4   775   polkituser  polkituser  /var/lib/misc/PolicyKit.reload
> 1.5   4755  polkituser  root        /libexec/polkit-set-default-helper
> 1.6   2755  root        polkituser  /libexec/polkit-read-auth-helper
> 1.7   2755  root        polkituser  /libexec/polkit-revoke-helper
> 1.8   2755  root        polkituser  /libexec/polkit-grant-helper
> 1.9   2755  root        polkituser  /libexec/polkit-explicit-grant-helper
> 1.10  4754  root        polkituser  /libexec/polkit-grant-helper-pam
> 1.11  4755  root        root        /libexec/polkit-resolve-exe-helper
>
> make install creates
>
> 2.1   770   root        polkituser  /var/run/PolicyKit
> 2.2   770   root        polkituser  /var/lib/PolicyKit
> 2.3   755   polkituser  root        /var/lib/PolicyKit-public
> 2.4   775   polkituser  polkituser  /var/lib/misc/PolicyKit.reload
> 2.5   4755  polkituser  root        /libexec/polkit-set-default-helper
> 2.6   2755  root        polkituser  /libexec/polkit-read-auth-helper
> 2.7   2755  root        polkituser  /libexec/polkit-revoke-helper
> 2.8   2755  root        polkituser  /libexec/polkit-grant-helper
> 2.9   2755  root        polkituser  /libexec/polkit-explicit-grant-helper
> 2.10  4754  root        polkituser  /libexec/polkit-grant-helper-pam
> 2.11  4755  root        root        /libexec/polkit-resolve-exe-helper
>
> fedora rpm has
>
> 3.1   770   polkituser  polkituser  /var/run/PolicyKit
> 3.2   770   polkituser  polkituser  /var/lib/PolicyKit
> 3.3   755   polkituser  polkituser  /var/lib/PolicyKit-public
> 3.4   775   polkituser  polkituser  /var/lib/misc/PolicyKit.reload
> 3.5   4755  polkituser  root        /libexec/polkit-set-default-helper
> 3.6   2755  root        polkituser  /libexec/polkit-read-auth-helper
> 3.7   2755  root        polkituser  /libexec/polkit-revoke-helper
> 3.8   2755  root        polkituser  /libexec/polkit-grant-helper
> 3.9   2755  root        polkituser  /libexec/polkit-explicit-grant-helper
> 3.10  4754  root        polkituser  /libexec/polkit-grant-helper-pam
> 3.11  4755  root        root        /libexec/polkit-resolve-exe-helper
>
> 1.) 1.3 has /var/run/PolicyKit-public; in 2.3 and 3.3 it is in /var/lib

That's a bug in 1.3; need to fix the configure output.

> 2.) fedora has a different owner for 3.1, 3.2, resp. group for 3.3

That's a bug in the fedora rpm. I'll fix that.

> 3.) It's not clear to me why we need a user *and* group polkituser.

See below.

> And why 1.5, 1.10 and 1.11 have somewhat strange suid/sgid bits and owners. Could you elaborate in detail for each binary why those different ownerships and suid/sgid bits are necessary?

Right, I'll go through them one by one based on the output of make install.

 2.1   770   root        polkituser  /var/run/PolicyKit
 2.2   770   root        polkituser  /var/lib/PolicyKit

We store authorizations for each user here. Since we don't want user A to know what authorizations other users have, no one can read these files. However, when checking authorizations we need to be able to read from here; we use this helper

 2.6   2755  root        polkituser  /libexec/polkit-read-auth-helper

which can read from here since it's setgid polkituser. This helper will refuse to return authorizations for other users than the calling user, except if the calling user is authorized for org.fd.pk.read.

We also want to be able to grant authorizations through authentication.
That happens with this helper

 2.8   2755  root        polkituser  /libexec/polkit-grant-helper

This program is setgid 'polkituser' so it can write files in /var/{run,lib}/PolicyKit. Note that these files are created with mode 464.

To do the actual authentication check, polkit-grant-helper uses another helper

 2.10  4754  root        polkituser  /libexec/polkit-grant-helper-pam

This one is setuid root because checking authentications might require that (you may be checking the root password). The reason 2.10 is owned by group 'polkituser' is to ensure that random users can't execute it; only setgid polkituser programs (e.g. 2.8) can. Which adds a little extra security, but strictly it's not necessary.

On to

 2.7   2755  root        polkituser  /libexec/polkit-revoke-helper

This one is used to revoke authorizations. It will only allow uid 0 and users with the org.fd.pk.revoke authorization to do so. It needs to be setgid polkituser to be able to modify authorization files in /var/{run,lib}/PolicyKit.

 2.9   2755  root        polkituser  /libexec/polkit-explicit-grant-helper

Same story as for polkit-revoke-helper, only this grants authorizations. Only allowed for uid 0 and users with the org.fd.pk.grant authorization.

 2.3   755   polkituser  root        /var/lib/PolicyKit-public

This is where we store modifications to the defaults. Anyone should be able to read these files. They are created with mode 644. These files are written / modified by this helper

 2.5   4755  polkituser  root        /libexec/polkit-set-default-helper

which is setuid polkituser to be able to write/modify files.

On to

 2.11  4755  root        root        /libexec/polkit-resolve-exe-helper

This is used to find the executable name for a process. On Linux this is the /proc/<pid>/exe symlink, and you can only do this for processes you own. This helper finds the executable name for processes not owned by you, but only if you have the org.fd.pk.read authorization. This is important to let e.g. user 'haldaemon' check authorizations for a user requesting service.
 2.4   775   polkituser  polkituser  /var/lib/misc/PolicyKit.reload

This file is used by libpolkit to detect when something has changed (authorizations granted/revoked, defaults changed etc.). It is writable by both user 'polkituser' and group 'polkituser' because we have helpers running with both euid 'polkituser' and egid 'polkituser'. The permissions on this should be 664 instead.

Does all this make sense now?

David
Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
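A check a maintainer could run after installing the package, comparing the on-disk mode, owner and group of each path against the "make install" table David goes through above (items 2.1 to 2.11). This is an added example; it is not code from the bug report, from the Debian postinst or from PolicyKit itself. It assumes GNU stat for the live check and keeps the bare /libexec prefix exactly as the table gives it, so the path list would need adjusting for a real Debian or Fedora install. Run against a constructed copy of the Fedora rpm table (items 3.1 to 3.11) it reports the three deviations David confirms are bugs in the rpm.

```shell
#!/bin/sh
# Added example (not from the bug report, the Debian postinst or PolicyKit
# itself): compare installed ownership/mode against the "make install"
# table from David Zeuthen's mail. The live check requires GNU stat.

# Expected layout from the mail (items 2.1 .. 2.11): "mode owner group path".
# David notes at the end of the mail that 2.4 should really be 664; the
# table is kept here as "make install" produces it.
EXPECTED='770 root polkituser /var/run/PolicyKit
770 root polkituser /var/lib/PolicyKit
755 polkituser root /var/lib/PolicyKit-public
775 polkituser polkituser /var/lib/misc/PolicyKit.reload
4755 polkituser root /libexec/polkit-set-default-helper
2755 root polkituser /libexec/polkit-read-auth-helper
2755 root polkituser /libexec/polkit-revoke-helper
2755 root polkituser /libexec/polkit-grant-helper
2755 root polkituser /libexec/polkit-explicit-grant-helper
4754 root polkituser /libexec/polkit-grant-helper-pam
4755 root root /libexec/polkit-resolve-exe-helper'

# actual_perms EXPECTED: emit "mode owner group path" for every path in the
# table that exists on this system, in the same format (GNU stat %a prints
# the octal mode including the setuid/setgid bits, e.g. 2755).
actual_perms() {
    printf '%s\n' "$1" | while read -r m o g path; do
        [ -e "$path" ] && stat -c '%a %U %G %n' "$path"
    done
}

# check_perms EXPECTED ACTUAL: print one line per missing path or per
# mode/owner/group mismatch; return 0 only if every entry agrees.
check_perms() {
    expected=$1 actual=$2 bad=0
    while read -r emode eowner egroup epath; do
        [ -n "$epath" ] || continue
        # exact match on the path column, so /var/lib/PolicyKit does not
        # also pick up /var/lib/PolicyKit-public
        aline=$(printf '%s\n' "$actual" | awk -v p="$epath" '$4 == p { print; exit }')
        if [ -z "$aline" ]; then
            echo "MISSING  $epath"
            bad=1
            continue
        fi
        set -- $aline
        # tolerate a leading 0 in either mode column
        amode=${1#0} aowner=$2 agroup=$3 emode=${emode#0}
        if [ "$amode" != "$emode" ] || [ "$aowner" != "$eowner" ] || [ "$agroup" != "$egroup" ]; then
            echo "MISMATCH $epath: expected $emode $eowner:$egroup, found $amode $aowner:$agroup"
            bad=1
        fi
    done <<EOF
$expected
EOF
    return $bad
}

# Constructed input: the Fedora rpm layout (items 3.1 .. 3.11) from the same
# mail, which deviates from "make install" in three places (owner of 3.1 and
# 3.2, group of 3.3).
FEDORA_RPM='770 polkituser polkituser /var/run/PolicyKit
770 polkituser polkituser /var/lib/PolicyKit
755 polkituser polkituser /var/lib/PolicyKit-public
775 polkituser polkituser /var/lib/misc/PolicyKit.reload
4755 polkituser root /libexec/polkit-set-default-helper
2755 root polkituser /libexec/polkit-read-auth-helper
2755 root polkituser /libexec/polkit-revoke-helper
2755 root polkituser /libexec/polkit-grant-helper
2755 root polkituser /libexec/polkit-explicit-grant-helper
4754 root polkituser /libexec/polkit-grant-helper-pam
4755 root root /libexec/polkit-resolve-exe-helper'

# On a live system:  check_perms "$EXPECTED" "$(actual_perms "$EXPECTED")"
if check_perms "$EXPECTED" "$FEDORA_RPM"; then
    echo "layout matches the make-install table"
else
    echo "layout deviates from the make-install table (see above)"
fi
```

The comparison is deliberately textual so the same function serves both a postinst sanity check (feed it actual_perms output) and a review of a package's file list without installing it. Exact matching on the path column matters: a naive grep for /var/lib/PolicyKit would also hit /var/lib/PolicyKit-public, which has a different owner and group.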