On Mon, 2013-10-28 at 17:05 +0000, Colin Guthrie wrote:

> Leaving aside all comments regarding nspawn and such, is there a way for
> pkexec to automatically detect if the user is already root and avoid the
> dbus round trip and just assume things are authorised? This might be
> dangerous in some other ways hence why I'm asking.
The only way I can think of for this to be dangerous is for systems attempting to use Linux capabilities (specifically to drop the "is really root" ones like CAP_SYS_ADMIN). If pkexec did a shortcut authorization, then this would allow a compromised daemon that ran as uid 0 but without CAP_SYS_ADMIN to trivially regain it with:

    pkexec /tmp/mycode.sh

Now personally, I think people attempting to use Linux capabilities this way are barking up the wrong tree to an extent - I think SELinux is a much stronger and more comprehensive solution. Potentially we could attempt to look at the capabilities of our parent process, but that involves scraping /proc and... eww.

Why are you running pkexec during a build anyways? For rpm %check? Personally I think https://live.gnome.org/GnomeGoals/InstalledTests is a much better testing model than can be provided by rpm %check type things which have "it's a chroot that has slowly mutated over time to attempt to emulate a real system".

So I guess bottom line is, indeed I'd just carry the code to do

    if (getuid () == 0) /* don't run pkexec */

inside all of the consumers.

_______________________________________________
polkit-devel mailing list
polkit-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/polkit-devel