1 |
On Fri, Apr 8, 2016 at 11:14 AM, M. J. Everitt <m.j.everitt@×××.org> wrote: |
2 |
> Being serious though, and playing Devil's Advocate of course, assuming |
3 |
> you have no use for a desktop manager, etc, hence no need for dbus or |
4 |
> it's 'friends' and policykit or it's pals, and you're not a "systemd |
5 |
> fan" etc .. how are we granting the correct permissions for binaries .. |
6 |
> just relying now on the owner and execute bits being set perfectly for |
7 |
> each binary, assuming everything is arbitrarily moved to /xbin ... |
8 |
|
9 |
If you're relying on file permissions on binaries (other than the suid |
10 |
bit) you're doing it wrong. |
11 |
|
12 |
There is no harm in a non-privileged user executing /sbin/shutdown in |
13 |
the non-systemd world, because init isn't going to listen to an |
14 |
unprivileged user. In a systemd world the shutdown command will talk |
15 |
to systemd via dbus and dbus will use policykit to determine whether |
16 |
the message should be allowed to go through (at least, I think it is |
17 |
dbus that does this, and not the message recipient, but either way it |
18 |
is getting checked). |
19 |
|
20 |
Most security is provided by the kernel and posix capabilities. If a |
21 |
process has a capability, then the kernel lets it do something. |
22 |
Without that capability, simply making some system calls won't do |
23 |
anything. Policykit is an extension of this into userspace, since |
24 |
userspace governs a lot of important functions. You could view |
25 |
policykit as a sort of posix capability set for userspace. |
26 |
|
27 |
The traditional suid way of doing things blurs the lines a bit, but in |
28 |
general most suid-root binaries don't rely on whether you can execute |
29 |
them as a form of policy. Usually they have some kind of internal |
30 |
policy management which is more flexible. Sure, you might be able to |
31 |
keep somebody from changing their password by playing with the |
32 |
permissions on /bin/passwd. However, you're probably better off |
33 |
tweaking the configuration of PAM/etc. |
34 |
|
35 |
-- |
36 |
Rich |