Andrew Gallagher wrote (10 Jan 2016 01:38:20 GMT) : >> On 10 Jan 2016, at 00:01, intrigeri <intrig...@boum.org> wrote: >> >> In Tails, we also directly access the block device as the amnesia >> user, since >> /etc/udev/rules.d/99-make-removable-devices-user-writable.rules allows >> us to do that.
> Ah, this could be the game changer. I'll look into that and see if it gives > me the > powers I need to avoid setuid (which is the source of all the problems). Cool :) >> On Debian/Ubuntu, we are more limited so we use some operations that >> require administrator credentials: >> >> * opening the block device with udisks2, to get a filehandle for >> writing the MBR; >> * running syslinux as root, using pkexec. > From what little I know of policykit, the same security caveats as setuid > would usually apply...? polkit has some minor security advantages, such as allowing us to grant the privileges we need to the active session user only, and requiring user consent in a way that's integrated in the desktop. Cheers, -- intrigeri _______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.