Hi Ralph, That makes sense. I'll mull this over for a bit longer, but I reckon what you're saying makes sense. I'll just try to find the more restrictive settings that work for my use case then. I reckon I owe you a beer at the next pub-meet :)
Hamish

On 17/05/18 13:45, Ralph Corderoy wrote:
> Hi Hamish,
>
>> Hopefully my quotes work this time.
>
> Nope, but never mind. :-)
>
>> The shebang line will tell it what to use to run the script anyway.
>
> Yes, if it has one. The `#!' means the first two bytes of the file have
> the 16-bit big-endian value 0x2321 and that is the `magic number' value
> that old Unix kernels would switch on to decide how to execute the file.
> There's other values too, and they can be 32 bit now, e.g. /bin/ls's
> `0x7f454c46', which is ascii(7)'s DEL followed by `ELF'.
> https://en.wikipedia.org/wiki/Magic_number_(programming)#Magic_number_origin
>
>> That's true. However, I think it's probably better to call it at
>> particular times than either ask for a password several times in a
>> row, or leave the script wide open for 5 minutes :).
>
> That still breaks things because my competitor GUI program triggered
> authentication being added to the session a couple of minutes ago and
> then you come along, do your single pkexec, and then trash authentication
> for me by removing all authentications. (And it's still all, and not
> just the one you're interested in.)
>
> The script isn't wide open for five minutes. It's available to the
> session which provides some constraint anyway. polkit has decided five
> minutes is a reasonable time for the temporary authentications. You can
> either use them by choosing `keep', or not. But don't be an unsocial
> member of the session by deciding polkit and other programs are wrong
> and cancelling their `tickets'. :-)
>
> Examples of five-minute temporary authentications from a grep:
>
>     manage system services or other units
>     import a VM or container image
>     run programs as a non-logged-in user
>     set the local host name
>     set the system locale
>
> I think polkit's designers consider five minutes safe enough. The
> authorisation is cancelled if I log out of the session before then. If
> I walk away from the keyboard without locking the session then that's my
> fault and existing policies, e.g. for systemd, let the attacker make use
> of it. I don't think your commands warrant any more protection than
> what's already being guarded by polkit?
>
> Also, bear in mind polkit's advice is that the authorisation is more
> usefully tied to the object being acted upon than what's being done to
> it, e.g. reading a particular block device v. the ability to read a
> block device. I think you need to forget about the five-minute attack
> window for the moment and concentrate on what the command-line interface
> to the pkexec'd command looks like. That may make clear which argv1
> need what protection, for example.
>
> Cheers, Ralph.

--
Next meeting:  Bournemouth, Tuesday, 2018-06-05 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread:  mailto:[email protected] / CHECK IF YOU'RE REPLYING
Reporting bugs well:  http://goo.gl/4Xue / TO THE LIST OR THE AUTHOR
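Added example, not from either poster: a polkit action file showing the approach Ralph describes above, where the authorisation is tied to what the pkexec'd command is asked to do (its argv1) rather than one blanket action for the whole script. The tool /usr/local/bin/backupctl, its `status` and `restore` subcommands, and the org.example.backupctl.* action ids are hypothetical names chosen for the illustration. The read-only subcommand uses `auth_admin_keep`, so polkit holds the authorisation in the session for its usual five minutes; the destructive one uses `auth_admin`, so it prompts every time and leaves other programs' temporary authorisations alone instead of revoking them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!-- Hypothetical example; install as
     /usr/share/polkit-1/actions/org.example.backupctl.policy -->
<policyconfig>
  <vendor>Example (hypothetical)</vendor>

  <!-- Read-only subcommand: a retained ("keep") authorisation is acceptable,
       so the user is not re-prompted for every call within the 5-minute window. -->
  <action id="org.example.backupctl.status">
    <description>Show backup status</description>
    <message>Authentication is required to show the backup status</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <!-- pkexec matches this action only when the program path and argv[1] agree -->
    <annotate key="org.freedesktop.policykit.exec.path">/usr/local/bin/backupctl</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">status</annotate>
  </action>

  <!-- Destructive subcommand: require a fresh administrator authentication
       each time, without touching anyone else's temporary authorisations. -->
  <action id="org.example.backupctl.restore">
    <description>Restore files from backup</description>
    <message>Authentication is required to restore files from backup</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/local/bin/backupctl</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">restore</annotate>
  </action>
</policyconfig>
```

With this file in place, `pkexec /usr/local/bin/backupctl status` is checked against the first action and `pkexec /usr/local/bin/backupctl restore` against the second; any other argv1 falls back to the generic org.freedesktop.policykit.exec action. Splitting the policy this way gives the restrictive setting only where it is needed and avoids the script having to cancel session-wide authorisations itself.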

