From Fedora Project Wiki
Revision as of 13:54, 3 April 2012

Usermode Migration

Summary

All granting of privileged operations to ordinary users should exclusively be handled by centrally-managed polkit policy. Usermode/userhelper should be phased out and entirely replaced by polkit.

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-04-03
  • Percentage of completion: 20%

Detailed Description

The usermode/userhelper program is a setuid-root wrapper around a couple of tools, to provide superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

Most privileged user operations are already controlled by polkit today, a well-established, fine-grained, possibly network-transparent infrastructure for managing privileged operations by ordinary users. Enterprise environments should be able to centrally define the domain’s policy and automatically apply it to all connected workstations.

  • Polkit can be used by a privileged process to decide whether it should execute a privileged operation on behalf of the requesting user. The hooks to ask the user for authorization are well-integrated into text-mode environments and natively into all major graphical environments.
  • Polkit authorization can properly distinguish between multiple sessions: e.g. a reboot requested by an untrusted user is only allowed when a single user session is running.

Benefit to Fedora

  • Consistency of system configurat
  • Polkit also provides a setuid-root helper program called pkexec. Pkexec’s
  • intercepting tools in sbin/ with tools in bin/ is considered bad practice; fewer dependencies on $PATH ordering


Scope

  • document how to convert consolehelper to polkit:
    • python: put pkexec in the wrapper shell
    • C tools: re-exec with pkexec in C code
    • C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell (ugly!)
  • open tracker bug and file bugs against all individual packages
  • convert all packages, where it makes sense to use polkit, to pkexec
  • for the rest, drop usermode and recommend to use pkexec like sudo

How to convert

A fast and easy way to convert a former consolehelper program is to use pkexec.

As an example, we convert system-config-date to PolicyKit:

# ls -l /usr/bin/system-config-date
lrwxrwxrwx 1 root root 13  5. Feb 02:34 /usr/bin/system-config-date -> consolehelper

# rm /usr/bin/system-config-date
# cat /etc/security/console.apps/system-config-date
. config-util
PROGRAM=/usr/share/system-config-date/system-config-date.py
SESSION=true

So running /usr/bin/system-config-date used to execute /usr/share/system-config-date/system-config-date.py through consolehelper; we therefore replace /usr/bin/system-config-date with the following wrapper:

# cat /usr/bin/system-config-date
#!/bin/sh
exec /usr/bin/pkexec /usr/share/system-config-date/system-config-date.py

pkexec does not pass the DISPLAY variable on to the privileged program by default, so a graphical tool could not open its window; we have to add a policy file that permits this, although starting a GUI as root is not encouraged. The important part is: <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

# cat /usr/share/polkit-1/actions/org.fedoraproject.config.date.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

 <vendor>System Config Date</vendor>
 <vendor_url>http://fedorahosted.org/system-config-date</vendor_url>

 <action id="org.fedoraproject.config.date.pkexec.run">
    <description>Run System Config Date</description>
    <message>Authentication is required to run system-config-date</message>
    <icon_name>system-config-date</icon_name>
    <defaults>
     <allow_any>no</allow_any>
     <allow_inactive>no</allow_inactive>
     <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
 </action>
</policyconfig>
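The manual conversion above, done as a shell function that reads the consolehelper configuration and emits both the wrapper and the policy file. This is an added example, not code from the wiki page or the Fedora packages; the action id prefix org.fedoraproject, the output directory layout and the choice of auth_admin_keep are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: turn a consolehelper configuration
# into a pkexec wrapper plus a polkit .policy file. The action id prefix
# "org.fedoraproject." and the vendor-free policy are assumptions.
# Print the PROGRAM= target from a /etc/security/console.apps/<tool> file.
consolehelper_program() {
    sed -n 's/^PROGRAM=//p' "$1" | head -n 1
}
# gen_pkexec_wrapper TOOL CONSOLE_APPS_FILE OUTDIR
# Writes OUTDIR/bin/TOOL and OUTDIR/actions/org.fedoraproject.TOOL.policy
# (use /usr/bin and /usr/share/polkit-1/actions on a real system).
gen_pkexec_wrapper() {
    tool=$1 conf=$2 out=$3
    # The tool name ends up in a file name and an action id: keep it plain.
    case $tool in
        *[!A-Za-z0-9._-]*|'') echo "bad tool name: $tool" >&2; return 1 ;;
    esac
    prog=$(consolehelper_program "$conf")
    # pkexec's exec.path annotation must name an absolute path.
    case $prog in
        /*) ;;
        *) echo "PROGRAM missing or not absolute in $conf" >&2; return 1 ;;
    esac
    mkdir -p "$out/bin" "$out/actions"
    # Wrapper: forward arguments, unlike the minimal wrapper on the page.
    printf '#!/bin/sh\nexec /usr/bin/pkexec %s "$@"\n' "$prog" > "$out/bin/$tool"
    chmod 0755 "$out/bin/$tool"
    # auth_admin_keep asks for an administrator's password; the page's
    # example uses auth_self_keep, which accepts the caller's own password.
    cat > "$out/actions/org.fedoraproject.$tool.policy" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.fedoraproject.$tool.pkexec.run">
    <description>Run $tool</description>
    <message>Authentication is required to run $tool</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">$prog</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
EOF
}
```

Run it as `gen_pkexec_wrapper system-config-date /etc/security/console.apps/system-config-date /tmp/out` and inspect the generated files before installing them; the relative-path and tool-name checks make it refuse configurations that pkexec would not accept anyway.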

How To Test

# yum remove usermode usermode-gtk

should succeed for an installation with all Fedora packages installed.

# repoquery --whatrequires usermode --whatrequires usermode-gtk
usermode-gtk-....

should not output a single package, except the usermode-gtk package.

Make sure you can call all the tools that used to rely on usermode and that you are asked for the appropriate password.

User Experience

The user should experience no noticeable changes.

Dependencies

anaconda
audit-viewer
authconfig-gtk
backintime-gnome
backintime-kde
beesu
bootconf-gui
chkrootkit
driftnet
drobo-utils-gui
eclipse-oprofile
ejabberd
fwfstab
galternatives
gsmartcontrol
hddtemp
kdenetwork-kppp
kismet
liveusb-creator
livna-config-display
lshw-gui
mock
mtr-gtk
netgo
nmap-frontend
ntfs-config
policycoreutils-gui
preupgrade
pure-ftpd
qtparted
realcrypt
revisor-cli
rhn-setup
rhn-setup-gnome
sabayon
setools-gui
setuptool
smart-gui
subscription-manager-gnome
synaptic
system-config-audit
system-config-bind
system-config-boot
system-config-date
system-config-httpd
system-config-kdump
system-config-keyboard
system-config-language
system-config-lvm
system-config-network
system-config-network-tui
system-config-nfs
system-config-rootpassword
system-config-users
system-switch-displaymanager
system-switch-java
system-switch-mail
system-switch-mail-gnome
tuned
usermode-gtk
vpnc-consoleuser
wifi-radar
wlassistant
xawtv
yumex
zyx-liveinstaller

Contingency Plan

Even if we cannot drop usermode, the changes in the packages do not have to be reverted.

Documentation

Release Notes

Comments and Discussion