Yea, that seems right. Allowing users to nix-env install things, everything must be unprivileged; allowing the usage of such polkit files in nix-env means the users can make use of pkexec to elevate to root when executing anything.

However, in non-package-manager use cases, installing such a package with `make install` would require superuser privileges to install the action policy file into /usr/share/polkit-1/actions. Therefore nix-env could make use of such a fact, and instead suggest that the user install using `sudo nix-env` if the package has a polkit policy file. This would prevent such a security hole, since the user must be root to be able to install such a package. Such suggestions could be encoded in the nix expression file.

Which brings up the next question: would installing via `sudo nix-env` set up the polkit policy files properly such that polkit will know about it?

Thanks,
Roger

On 31/05/2017 4:34 PM, Bjørn Forsman wrote:
> On 31 May 2017 at 07:44, Roger Qiu <[email protected]> wrote:
>> Hi all,
>>
>> Normally a polkit action file on a non-NixOS system would be installed in
>> /usr/share/polkit-1/actions. On NixOS this location is instead at
>> /run/current-system/sw/share/polkit-1/actions. The action files stored here
>> are recognised by polkit, which can be demonstrated by running `pkaction`;
>> this results in showing the titles of each action id.
>>
>> However some packages may supply action files, and are installed via
>> nix-env. The action files in this case are instead stored in
>> ~/.nix-profile/share/polkit-1/actions. My tests show that these action files
>> are not being recognised by polkit. Running pkaction does not show any
>> of the package action files that are inside ~/.nix-profile/...
>>
>> Is there a workaround here?
>>
>> Browsing the polkit docs doesn't mention anything about looking up
>> user-specific action files, they all just say action files are to be at
>> /usr/share/polkit-1/actions. If polkit only looks up 1 location, then should
>> nix-env be symlinking action files into
>> /run/current/system/sw/share/polkit-1/actions?
>
> Wouldn't that mean unprivileged users are allowed to raise their own
> permissions? (That doesn't sound like a good idea.)
>
> Best regards,
> Bjørn Forsman

--
Founder of Matrix AI
https://matrix.ai/
+61420925975
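
Added example, not part of the original thread and not Nix or polkit project code: a defender-side audit of a polkit `.policy` file for the two conditions the thread worries about, namely a file an unprivileged user controls and an action whose defaults grant authorization with no authentication. The function names, the sample policy, its action id and its helper path are constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample policy; the action id and helper path are made up.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.demo.run">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/opt/demo/helper</annotate>
  </action>
</policyconfig>
"""

SCOPES = ("allow_any", "allow_inactive", "allow_active")

def audit_policy_file(path, trusted_uid=0):
    """Return findings for one polkit .policy file (empty list means clean)."""
    findings = []
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    for action in ET.parse(path).getroot().iter("action"):
        for scope in SCOPES:
            value = (action.findtext(f"defaults/{scope}") or "").strip()
            if value == "yes":  # granted with no authentication prompt
                findings.append(f"{action.get('id')}: {scope}=yes")
    return findings

def demo():
    """Audit the constructed sample as if it sat in a user-writable profile."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "org.example.demo.policy")
        with open(path, "w") as f:
            f.write(SAMPLE_POLICY)
        os.chmod(path, 0o664)
        # trusted_uid=-1 never matches, standing in for a non-root owner
        return audit_policy_file(path, trusted_uid=-1)

if __name__ == "__main__":
    print("\n".join(demo()))
```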
