1 |
> > Unless sudo has some config setting that allows access only when |
2 |
> > logged in via console it isn't really a solution. |
3 |
> > |
4 |
> > Rich |
5 |
> > |
6 |
|
7 |
man sudoers -> /requiretty |
8 |
|
9 |
> |
10 |
> I manage 'thousands' of desktops at Google and we generally like |
11 |
> polkit. |
12 |
|
13 |
I never meant it is rubbish as such but I saw it as rediculously |
14 |
inferior to sudo before I even read this. |
15 |
|
16 |
http://drfav.wordpress.com/2012/05/11/the-quest-towards-trusted-client-applications-a-rambling/ |
17 |
|
18 |
|
19 |
> It is however, designed for graphical UI single-seat systems. |
20 |
> Its command line support sucks (they only added a CLI auth agent in |
21 |
> May) and it is not well adopted. Multi-user systems do not work well |
22 |
> with polkit. Certainly with polkit and dbus you can allow users to |
23 |
> take more specific action without complex wrappers, setuid scripts, or |
24 |
> sudo. |
25 |
|
26 |
Except you can't, it only encourages more coarse grained approaches, |
27 |
less useful commands available and devs to learn an api rather than C |
28 |
and simply moves code into a far less secure mechanism and increases the |
29 |
chance that the code will not be well designed to the task at hand and |
30 |
running as root. It can be a real pain to work out exactly what polkit |
31 |
allows and you cannot just edit it to suit your application and it |
32 |
completely ignores the existing unix security technologies with |
33 |
brilliant track records. |
34 |
|
35 |
You could try to argue that many eyes will look at a central piece of |
36 |
code but in fact less implementations will likely mean less eyes and |
37 |
just assumption that a guy who got JS through as a config language has |
38 |
everything covered. Granted, unmaintained code running as root may be |
39 |
higher with sudo but if it needs maintaining, should it be running as |
40 |
root at all or is it actually simply doing too much. |
41 |
|
42 |
> My package manager can have a polkit action like 'install a |
43 |
> signed package' and I can grant the user access to do that, but not |
44 |
> access to install unsigned packages (root exploit there...) or run |
45 |
> other dangerous apt commands. It comes built into apt, so I don't have |
46 |
> to write extra wrappers. |
47 |
|
48 |
That would be the default and wouldn't even need the command line |
49 |
argument control of sudo. Just allowing updates is apt-get update. |
50 |
|
51 |
In fact I have a debian system where experimental iceweasel is |
52 |
installable but nothing else. I have an Arch system where the only |
53 |
kernel updateable is a signed by me when offline kernel and polkit is |
54 |
disabled as I don't have the time to keep track of what it is |
55 |
permitting and code comments weren't helpful there. |
56 |
|
57 |
Sudo even supports regex! |
58 |
|
59 |
p.s. apt should be downloading as an _apt user, simply as best |
60 |
practice before adding polkit support ;-) |
61 |
|
62 |
-- |
63 |
_______________________________________________________________________ |
64 |
|
65 |
'Write programs that do one thing and do it well. Write programs to work |
66 |
together. Write programs to handle text streams, because that is a |
67 |
universal interface' |
68 |
|
69 |
(Doug McIlroy) |
70 |
_______________________________________________________________________ |