FS#48458 - [polkit] The default rule is too weak for multi-user systems

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Friday, 04 March 2016, 19:57 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 06 March 2016, 16:04 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: No-one
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Hello,
the following issue:
I have a freshly installed Arch Linux with sudo. I have configured sudo so that it asks for the root password. Today I tested

$ machinectl shell root@.host

and I got root access via my normal password instead of my root password. This behaviour exists because of a polkit rule that is too weak:

/etc/polkit-1/rules.d/50-default.rules

I strongly recommend changing this rule to the following:

----------------[ snippet ]------------------
/* Always authenticate Admins by prompting for the root
 * password, similar to the rootpw option in sudo
 */
polkit.addAdminRule(function(action, subject) {
    return ["unix-user:root"];
});
----------------[ snippet ]------------------

The current default rule is just checking for the group wheel. This may be enough for a user on a single-user system, but on a server with different users it may be a problem.

Imagine the case where a user is in the group wheel but is only allowed to do some special tasks. With this default rule he could get root access over the whole system, although the administrator maybe just wanted to give permissions for things like reboot.


best regards

chris

Closed by Doug Newgard (Scimmia)
Sunday, 06 March 2016, 16:04 GMT
Reason for closing: Not a bug
Additional comments about closing: User error, this is what the wheel group is for.

Comment by Christian Rebischke (Shibumi) - Friday, 04 March 2016, 20:27 GMT
I first thought it was a systemd problem, so here is the systemd bug report:

https://github.com/systemd/systemd/issues/2799

Comment by Doug Newgard (Scimmia) - Saturday, 05 March 2016, 14:53 GMT
Sounds more like the problem is your use of the "wheel" group. That's kind of what it's for.

Comment by Matthias Dienstbier (fs4000) - Sunday, 06 March 2016, 10:49 GMT
50-default.rules is installed by polkit itself, not by Arch. We don't touch this.
And yes, this is exactly what wheel is for. If you don't want your users to control the machine, don't put them into the wheel group.
Furthermore I think there was a misunderstanding in the systemd bug ticket. Polkit should request a password, but users in the wheel group are asked for their own password as they have admin role. If this is the case, there is no bug.
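
Added example (not part of the ticket, and not polkit's or Arch's code): a small Node.js model of how polkit picks admin identities, comparing the wheel-based default described in the report with the proposed root-only rule plus a grant limited to reboot. The sample accounts, the `operators` group and the helpers `loadRules`, `adminAccounts` and `decide` are assumptions made for the illustration; `org.freedesktop.login1.reboot` is logind's reboot action.

```javascript
// Simplified model of polkit rule evaluation (illustration only, not polkit's code).
function loadRules(ruleFile) {
  const adminRules = [], rules = [];
  const polkit = {
    Result: { YES: "yes" },
    addAdminRule: (fn) => adminRules.push(fn),
    addRule: (fn) => rules.push(fn),
  };
  ruleFile(polkit);
  return { adminRules, rules };
}

// Constructed sample accounts; "operators" is a hypothetical group name.
const USERS = [
  { user: "root", groups: ["root"] },
  { user: "alice", groups: ["wheel"] },
  { user: "bob", groups: ["operators"] },
];
const subjectFor = (u) => ({ user: u.user, isInGroup: (g) => u.groups.includes(g) });

// Accounts whose own password satisfies an admin prompt (first non-empty admin rule wins).
function adminAccounts(policy, action, subject) {
  const ids = policy.adminRules.map((fn) => fn(action, subject)).find((r) => r && r.length) || [];
  return USERS.filter((u) => ids.includes("unix-user:" + u.user) ||
    u.groups.some((g) => ids.includes("unix-group:" + g))).map((u) => u.user);
}

// First rule returning a result wins; else assume the implicit default is auth_admin.
function decide(policy, action, subject) {
  for (const fn of policy.rules) {
    const r = fn(action, subject);
    if (r) return r;
  }
  return "auth_admin";
}

// Default as described in the report: members of wheel are the admins.
const defaultPolicy = loadRules((polkit) => {
  polkit.addAdminRule(function(action, subject) { return ["unix-group:wheel"]; });
});

// Rule proposed in the report, plus a grant scoped to reboot only.
const hardenedPolicy = loadRules((polkit) => {
  polkit.addAdminRule(function(action, subject) { return ["unix-user:root"]; });
  polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.reboot" && subject.isInGroup("operators"))
      return polkit.Result.YES;
  });
});
```

On a real system only the function bodies passed to `loadRules` would go into a rules file under /etc/polkit-1/rules.d/; everything else here exists to make the comparison runnable.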
