Discussion: documentation on polkit-agent-helper-1 and suid
Alad Wenter
2016-10-21 11:40:17 UTC
Hi,

While looking at suid files on my system I noticed that
/usr/lib/polkit-1/polkit-agent-helper-1 is suid root, and I was curious
about the reasoning behind this.

If this file is not suid, polkit tty and GUI agents stop working with
"Error: Incorrect permissions on /usr/lib/polkit-1/polkit-agent-helper-1
(needs to be setuid root)"

The responsible code:
https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93

FWIW, I couldn't find a hint in the polkit(8) man page.

Regards,

Alad
Simon McVittie
2016-10-21 17:10:11 UTC
Post by Alad Wenter
While looking at suid files on my system I noticed that
/usr/lib/polkit-1/polkit-agent-helper-1 is suid root, and I was curious
about the reasoning behind this.
The agent's job is to tell the polkit daemon "yes, this is definitely
Alad, and not someone else who has sat down at Alad's computer". This
means it wants to be uid 0 for two reasons:

* to be able to run the PAM stack to check your password, one-time
key, fingerprint or whatever other credentials against system
authentication services

* to be able to send that message to the polkit daemon, and give the
polkit daemon a reason to believe it (that reason being "it came
from uid 0")

Regards,
S
Alad Wenter
2016-10-22 19:10:23 UTC
Post by Simon McVittie
Post by Alad Wenter
While looking at suid files on my system I noticed that
/usr/lib/polkit-1/polkit-agent-helper-1 is suid root, and I was curious
about the reasoning behind this.
The agent's job is to tell the polkit daemon "yes, this is definitely
Alad, and not someone else who has sat down at Alad's computer". This
means it wants to be uid 0 for two reasons:
* to be able to run the PAM stack to check your password, one-time
key, fingerprint or whatever other credentials against system
authentication services
* to be able to send that message to the polkit daemon, and give the
polkit daemon a reason to believe it (that reason being "it came
from uid 0")
Regards,
S
Hi Simon,

Thanks for your reply. For the second reason, is "it came from uid 0" a
sure reason for polkit to believe the message when the origin behind uid
0 is from a suid binary? Or is that where the first reason on checking
authentication comes in?

Regards,

Alad
Simon McVittie
2016-10-24 10:03:03 UTC
Post by Alad Wenter
For the second reason, is "it came from uid 0" a sure reason for polkit
to believe the message when the origin behind uid 0 is from a suid
binary? Or is that where the first reason on checking authentication
comes in?
Any unrestricted uid-0 process can do whatever it wants to your system,
so yes, it is trusted (in the formal security sense of the word: it is
a component that would be able to break your security policy).

For it to be correct for the uid-0 binary to send that message, it
needs to be reasonably sure that the person at your keyboard is in fact
you. It does that by running the PAM authentication stack, which
usually means asking you for your password as proof that you are who
you claim to be.

(The reason for using PAM is that this lets you/your sysadmin configure
the system to require more than just a password, or less than a
password, whatever is appropriate for your security needs. For
instance, there are PAM modules for one-time passwords, fingerprint
readers, two-factor authentication and so on, if you want those.)

S