| 1 |
On Fri, Apr 8, 2016 at 11:14 AM, M. J. Everitt <m.j.everitt@×××.org> wrote: |
| 2 |
> Being serious though, and playing Devil's Advocate of course, assuming |
| 3 |
> you have no use for a desktop manager, etc, hence no need for dbus or |
| 4 |
> it's 'friends' and policykit or it's pals, and you're not a "systemd |
| 5 |
> fan" etc .. how are we granting the correct permissions for binaries .. |
| 6 |
> just relying now on the owner and execute bits being set perfectly for |
| 7 |
> each binary, assuming everything is arbitrarily moved to /xbin ... |
| 8 |
|
| 9 |
If you're relying on file permissions on binaries (other than the suid |
| 10 |
bit) you're doing it wrong. |
| 11 |
|
| 12 |
There is no harm in a non-privileged user executing /sbin/shutdown in |
| 13 |
the non-systemd world, because init isn't going to listen to an |
| 14 |
unprivileged user. In a systemd world the shutdown command will talk |
| 15 |
to systemd via dbus and dbus will use policykit to determine whether |
| 16 |
the message should be allowed to go through (at least, I think it is |
| 17 |
dbus that does this, and not the message recipient, but either way it |
| 18 |
is getting checked). |
| 19 |
|
| 20 |
Most security is provided by the kernel and posix capabilities. If a |
| 21 |
process has a capability, then the kernel lets it do something. |
| 22 |
Without that capability, simply making some system calls won't do |
| 23 |
anything. Policykit is an extension of this into userspace, since |
| 24 |
userspace governs a lot of important functions. You could view |
| 25 |
policykit as a sort of posix capability set for userspace. |
| 26 |
|
| 27 |
The traditional suid way of doing things blurs the lines a bit, but in |
| 28 |
general most suid-root binaries don't rely on whether you can execute |
| 29 |
them as a form of policy. Usually they have some kind of internal |
| 30 |
policy management which is more flexible. Sure, you might be able to |
| 31 |
keep somebody from changing their password by playing with the |
| 32 |
permissions on /bin/passwd. However, you're probably better off |
| 33 |
tweaking the configuration of PAM/etc. |
| 34 |
|
| 35 |
-- |
| 36 |
Rich |
Archives