Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for June 20, 2013
Pencil, Pencil, and Pencil
Dividing the Linux desktop
LWN.net Weekly Edition for June 13, 2013
A report from pgCon 2013
policy kit. Great stuff.
By default fedora allows the desktop users to change the system time. All they must do is ender the *user's* password (not root!) and even that they only have to do it once.
Great stuff great stuff.
Although many people have pointed out the terrible security implications nothing has been done. Sometimes it really does take some high profile compromises to get things fixed.
Fun with NULL pointers, part 1
Posted Jul 21, 2009 9:45 UTC (Tue) by cortana (subscriber, #24596)
Concerns about the increased vulnerability surface caused by the complexity of PolicyKit are still justified, but Fedora's default policy being stupid is not relevant to that discussion. If we wanted to blame the system for allowing the user to do stupid things then we may as well all give up and move back to Windows. :)
Posted Jul 21, 2009 9:56 UTC (Tue) by nix (subscriber, #2304)
Determining the set of privileged code that could carry out operations on behalf of unprivileged users was fairly simple in the days before PolicyKit: find setuid/setgid binaries, chase their shared library dependencies and (if you're paranoid) see what they can dlopen(). Just a grep away, in any case.
Now, we have to analyze the dbus and PolicyKit policies as well, and XML is... not terribly amenable to analysis with Unix-style shell tools. (Some Perl packages come with XML-style XPath-based grep tools, but they are a) rarely installed and b) seriously cumbersome. We really need an awk for XML.)
Posted Jul 21, 2009 12:52 UTC (Tue) by nim-nim (subscriber, #34454)
Just use xsltproc directly (though not having to use a detached xslt file would be nice)
Posted Jul 22, 2009 22:00 UTC (Wed) by nix (subscriber, #2304)
(One of many problems is XSLT's heavy use of <>, which makes it very
annoying to use from the shell prompt. Another is its astonishing
verbosity. Another is its total lack of good taste in design... also the
functional nature of it, while one of its nicer aspects, fits very badly
with the shell in my experience.)
Posted Jul 21, 2009 14:01 UTC (Tue) by gmaxwell (subscriber, #30048)
SUID is more unambiguous.
Posted Jul 22, 2009 7:08 UTC (Wed) by Frej (subscriber, #4165)
Posted Jul 22, 2009 11:18 UTC (Wed) by nix (subscriber, #2304)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds