Revision as of 13:54, 3 April 2012
Usermode Migration
Summary
All granting of privileged operations to ordinary users should exclusively be handled by centrally-managed polkit policy. Usermode/userhelper should be phased out and entirely replaced by polkit.
Owner
- Name: Harald Hoyer
- Email: harald@redhat.com
- Name: Kay Sievers
- Email: kay@redhat.com
Current status
- Targeted release: Fedora 18
- Last updated: 2012-04-03
- Percentage of completion: 20%
Detailed Description
The usermode/userhelper program is a setuid-root wrapper around a handful of tools that grants superuser privileges to ordinary users. Its policy is controlled by text files in /etc (one file per tool under /etc/security/console.apps/).
Most privileged user operations are already controlled by polkit today. Polkit is a well-established, fine-grained and possibly network-transparent infrastructure for managing privileged operations requested by ordinary users. Enterprise environments should be able to define the domain's policy centrally and apply it automatically to all connected workstations.
- Polkit can be used by a privileged process to decide whether it should execute a privileged operation on behalf of the requesting user. The hooks for asking the user for authorization are well integrated into text mode and natively into all major graphical environments.
- Polkit authorization can properly distinguish between multiple sessions: for example, a reboot requested by an untrusted user can be allowed only while a single user session is running.
Benefit to Fedora
- Consistency of system configuration
- Polkit also provides a setuid-root helper program called pkexec. Pkexec’s
- Intercepting tools in sbin/ with same-named wrappers in bin/ is considered bad practice; dropping the wrappers removes dependencies on $PATH ordering.
Scope
- document how to convert consolehelper to polkit:
- python: put pkexec in the wrapper shell
- C tools: re-exec with pkexec in C code
- C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell (ugly!)
- open tracker bug and file bugs against all individual packages
- convert all packages, where it makes sense to use polkit, to pkexec
- for the rest, drop usermode and recommend using pkexec the way sudo is used
How to convert
A fast and easy way to convert a former consolehelper program is to use pkexec.
As an example, we convert system-config-date to PolicyKit:
<pre>
# ls -l /usr/bin/system-config-date
lrwxrwxrwx 1 root root 13  5. Feb 02:34 /usr/bin/system-config-date -> consolehelper
# rm /usr/bin/system-config-date
# cat /etc/security/console.apps/system-config-date
. config-util
PROGRAM=/usr/share/system-config-date/system-config-date.py
SESSION=true
</pre>
Running /usr/bin/system-config-date used to execute /usr/share/system-config-date/system-config-date.py via consolehelper, so we recreate /usr/bin/system-config-date as the following wrapper:
<pre>
# cat /usr/bin/system-config-date
#!/bin/sh
exec /usr/bin/pkexec /usr/share/system-config-date/system-config-date.py
</pre>
pkexec runs the program in a minimal, known environment and does not pass DISPLAY and XAUTHORITY through by default, so a graphical tool also needs a policy file that opts in, although starting a GUI as root is not encouraged. The important part is: <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>. pkexec locates the action by matching the absolute path of the program it is asked to run against the org.freedesktop.policykit.exec.path annotation, so that path must be exactly the one used in the wrapper. Note also that allow_active set to auth_self_keep authorizes the calling user with their own password; if the tool used to ask for the root password, auth_admin_keep is the equivalent, since it requires administrator credentials.
<pre>
# cat /usr/share/polkit-1/actions/org.fedoraproject.config.date.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <vendor>System Config Date</vendor>
  <vendor_url>http://fedorahosted.org/system-config-date</vendor_url>
  <action id="org.fedoraproject.config.date.pkexec.run">
    <description>Run System Config Date</description>
    <message>Authentication is required to run system-config-date</message>
    <icon_name>system-config-date</icon_name>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
</pre>
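The conversion above as a script, added here as an example; it is not part of the original page or of Fedora's tooling. It reads PROGRAM= from the console.apps file, replaces the consolehelper symlink with a pkexec wrapper and writes a matching policy under /usr/share/polkit-1/actions. The action-id scheme org.fedoraproject.config.<tool>.pkexec.run, the vendor string, the optional install prefix for dry runs, the use of auth_admin_keep instead of the page's auth_self_keep, and forwarding the wrapper's arguments with "$@" are my assumptions.

```shell
#!/bin/sh
# convert_consolehelper.sh: turn a consolehelper-wrapped tool into a pkexec one.
# Added example for this page, not Fedora's own tooling. Assumed: the action-id
# scheme, the vendor string and the optional install prefix for dry runs.
#
# Usage: convert_consolehelper.sh <tool> [prefix]
#   <tool>   name of /usr/bin/<tool> and of /etc/security/console.apps/<tool>
#   [prefix] install root (default: the real filesystem)
set -eu

# Print the PROGRAM= value of a console.apps file; it must be an absolute path,
# because pkexec matches it against the exec.path annotation of the action.
consolehelper_program() {
    prog=$(sed -n 's/^PROGRAM=//p' "$1" | head -n 1)
    [ -n "$prog" ] || { echo "no PROGRAM= in $1" >&2; return 1; }
    case "$prog" in
        /*) printf '%s\n' "$prog" ;;
        *)  echo "PROGRAM must be an absolute path: $prog" >&2; return 1 ;;
    esac
}

# Replace the wrapper ($1) with a shell script that re-execs $2 via pkexec.
# rm first: writing through the old symlink would create a stray file named
# "consolehelper" next to it instead of replacing the link.
write_wrapper() {
    rm -f "$1"
    printf '#!/bin/sh\nexec /usr/bin/pkexec %s "$@"\n' "$2" > "$1"
    chmod 0755 "$1"
}

# Write the polkit action: $1 = policy path, $2 = action id, $3 = program, $4 = tool.
# exec.path must equal the program path the wrapper passes to pkexec, and
# allow_gui opts in to passing DISPLAY/XAUTHORITY for graphical tools.
write_policy() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <vendor>Fedora Project</vendor>
  <action id="$2">
    <description>Run $4</description>
    <message>Authentication is required to run $4</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">$3</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
EOF
}

# Convert one tool: $1 = tool name, $2 = optional install prefix.
convert_tool() {
    tool=$1; prefix=${2:-}
    prog=$(consolehelper_program "$prefix/etc/security/console.apps/$tool")
    action="org.fedoraproject.config.$tool.pkexec.run"   # assumed naming scheme
    mkdir -p "$prefix/usr/bin" "$prefix/usr/share/polkit-1/actions"
    write_wrapper "$prefix/usr/bin/$tool" "$prog"
    write_policy "$prefix/usr/share/polkit-1/actions/$action.policy" "$action" "$prog" "$tool"
    # The console.apps entry is dead configuration now; remove it so nothing
    # can still route the tool through userhelper.
    rm -f "$prefix/etc/security/console.apps/$tool"
}

if [ $# -gt 0 ]; then
    convert_tool "$1" "${2:-}"
fi
```

Run it as root against the real filesystem, or with a prefix such as a scratch directory to inspect the generated wrapper and policy first. Because the wrapper no longer lives in a setuid binary, the only privileged component left is pkexec itself, and the policy file is what decides who may run the tool.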
How To Test
<pre>
# yum remove usermode usermode-gtk
</pre>
should succeed on an installation with all Fedora packages installed.
<pre>
# repoquery --whatrequires usermode --whatrequires usermode-gtk
usermode-gtk-....
</pre>
should list no package other than usermode-gtk itself (which requires usermode).
Make sure you can still call all the tools that used to use usermode and are asked for the appropriate password.
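A check for leftovers, added here as an example and not part of the page's own test plan: it lists the symlinks in a bin directory that still resolve to consolehelper (the form the ls -l output above shows) and the entries still present under /etc/security/console.apps/. The function names and the directory arguments are mine; run it against /usr/bin and /etc/security/console.apps after the usermode packages have been removed.

```shell
#!/bin/sh
# audit_usermode.sh: list tools that still route through usermode/consolehelper.
# Added example for this page, not Fedora's test tooling. The two directories
# are the ones named on the page; both are passed explicitly so the check can
# also be run against a scratch tree.
#
# Usage: audit_usermode.sh <bindir> <console.apps dir>
set -eu

# Print "link -> target" for every symlink in $1 that points at consolehelper,
# either by bare name (as on the page) or by a path ending in /consolehelper.
consolehelper_symlinks() {
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        case "$target" in
            consolehelper|*/consolehelper) printf '%s -> %s\n' "$f" "$target" ;;
        esac
    done
}

# Print the name of every file in $1 that still defines a PROGRAM= line, i.e.
# every remaining consolehelper tool definition.
consolehelper_configs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -q '^PROGRAM=' "$f"; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

# Exit 1 and print the leftovers when anything is still wired to consolehelper,
# so the check can gate a build or a test run; exit 0 when migration is done.
audit_usermode() {
    bindir=$1; confdir=$2
    leftovers=$(consolehelper_symlinks "$bindir"; consolehelper_configs "$confdir")
    if [ -n "$leftovers" ]; then
        printf 'still using consolehelper:\n%s\n' "$leftovers" >&2
        return 1
    fi
    echo "no consolehelper users left in $bindir and $confdir"
}

if [ $# -eq 2 ]; then
    audit_usermode "$1" "$2"
fi
```

A symlink that still points at consolehelper after the package is gone is a dangling link, so the tool silently stops working rather than falling back to anything; this check finds those before users do.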
User Experience
The user should experience no noticeable changes.
Dependencies
anaconda
audit-viewer
authconfig-gtk
backintime-gnome
backintime-kde
beesu
bootconf-gui
chkrootkit
driftnet
drobo-utils-gui
eclipse-oprofile
ejabberd
fwfstab
galternatives
gsmartcontrol
hddtemp
kdenetwork-kppp
kismet
liveusb-creator
livna-config-display
lshw-gui
mock
mtr-gtk
netgo
nmap-frontend
ntfs-config
policycoreutils-gui
preupgrade
pure-ftpd
qtparted
realcrypt
revisor-cli
rhn-setup
rhn-setup-gnome
sabayon
setools-gui
setuptool
smart-gui
subscription-manager-gnome
synaptic
system-config-audit
system-config-bind
system-config-boot
system-config-date
system-config-httpd
system-config-kdump
system-config-keyboard
system-config-language
system-config-lvm
system-config-network
system-config-network-tui
system-config-nfs
system-config-rootpassword
system-config-users
system-switch-displaymanager
system-switch-java
system-switch-mail
system-switch-mail-gnome
tuned
usermode-gtk
vpnc-consoleuser
wifi-radar
wlassistant
xawtv
yumex
zyx-liveinstaller
Contingency Plan
Even if we cannot drop usermode, the changes made to the individual packages do not have to be reverted.