| 1 |
> > Unless sudo has some config setting that allows access only when |
| 2 |
> > logged in via console it isn't really a solution. |
| 3 |
> > |
| 4 |
> > Rich |
| 5 |
> > |
| 6 |
|
| 7 |
man sudoers -> /requiretty |
| 8 |
|
| 9 |
> |
| 10 |
> I manage 'thousands' of desktops at Google and we generally like |
| 11 |
> polkit. |
| 12 |
|
| 13 |
I never meant it is rubbish as such but I saw it as rediculously |
| 14 |
inferior to sudo before I even read this. |
| 15 |
|
| 16 |
http://drfav.wordpress.com/2012/05/11/the-quest-towards-trusted-client-applications-a-rambling/ |
| 17 |
|
| 18 |
|
| 19 |
> It is however, designed for graphical UI single-seat systems. |
| 20 |
> Its command line support sucks (they only added a CLI auth agent in |
| 21 |
> May) and it is not well adopted. Multi-user systems do not work well |
| 22 |
> with polkit. Certainly with polkit and dbus you can allow users to |
| 23 |
> take more specific action without complex wrappers, setuid scripts, or |
| 24 |
> sudo. |
| 25 |
|
| 26 |
Except you can't, it only encourages more coarse grained approaches, |
| 27 |
less useful commands available and devs to learn an api rather than C |
| 28 |
and simply moves code into a far less secure mechanism and increases the |
| 29 |
chance that the code will not be well designed to the task at hand and |
| 30 |
running as root. It can be a real pain to work out exactly what polkit |
| 31 |
allows and you cannot just edit it to suit your application and it |
| 32 |
completely ignores the existing unix security technologies with |
| 33 |
brilliant track records. |
| 34 |
|
| 35 |
You could try to argue that many eyes will look at a central piece of |
| 36 |
code but in fact less implementations will likely mean less eyes and |
| 37 |
just assumption that a guy who got JS through as a config language has |
| 38 |
everything covered. Granted, unmaintained code running as root may be |
| 39 |
higher with sudo but if it needs maintaining, should it be running as |
| 40 |
root at all or is it actually simply doing too much. |
| 41 |
|
| 42 |
> My package manager can have a polkit action like 'install a |
| 43 |
> signed package' and I can grant the user access to do that, but not |
| 44 |
> access to install unsigned packages (root exploit there...) or run |
| 45 |
> other dangerous apt commands. It comes built into apt, so I don't have |
| 46 |
> to write extra wrappers. |
| 47 |
|
| 48 |
That would be the default and wouldn't even need the command line |
| 49 |
argument control of sudo. Just allowing updates is apt-get update. |
| 50 |
|
| 51 |
In fact I have a debian system where experimental iceweasel is |
| 52 |
installable but nothing else. I have an Arch system where the only |
| 53 |
kernel updateable is a signed by me when offline kernel and polkit is |
| 54 |
disabled as I don't have the time to keep track of what it is |
| 55 |
permitting and code comments weren't helpful there. |
| 56 |
|
| 57 |
Sudo even supports regex! |
| 58 |
|
| 59 |
p.s. apt should be downloading as an _apt user, simply as best |
| 60 |
practice before adding polkit support ;-) |
| 61 |
|
| 62 |
-- |
| 63 |
_______________________________________________________________________ |
| 64 |
|
| 65 |
'Write programs that do one thing and do it well. Write programs to work |
| 66 |
together. Write programs to handle text streams, because that is a |
| 67 |
universal interface' |
| 68 |
|
| 69 |
(Doug McIlroy) |
| 70 |
_______________________________________________________________________ |
Archives