Hi,

My team was asked to look into the security ramifications of the current policykit situation on Ubuntu Touch. As it stands now: policykit's allow_active/allow_inactive doesn't work because it can't find the active seat. To find the active seat, logind needs to be present and for logind to be present on touch, lightdm needs to land.

Policykit-enabled services that use allow_active/allow_inactive in their policy will find that the access is denied on touch (unless allow_any is used). This affected network-manager on Ubuntu Touch, so overrides are now shipped for network-manager policy (via lxc-android-config). The overrides use allow_any=true so the phablet user can manipulate network interfaces/etc.

Policykit overrides are only shipped for network-manager and are acceptable for single-seat installations where it is assumed that the Ubuntu Touch user is the active user. 13.10 will not support multi-user and things like ssh are disabled by default. In terms of click packages, an app's access to DBus is quite limited and it is not currently allowed to talk to anything that uses policykit (i.e., including network-manager).

While we of course would prefer allow_active/allow_inactive to work as intended, considering policykit's default deny behavior, the phone being single seat, allow_any overrides being limited to only network-manager, the overrides being acceptable in the single seat scenario, and because click packages can't connect to policykit-protected services to begin with, we don't feel the security concerns are blockers for Ubuntu Touch 13.10 release.

Thanks

-- 
Jamie Strandboge
http://www.ubuntu.com/
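
An added illustration, not part of the original message or of any Ubuntu code: a small Python model of how polkit picks among the allow_any, allow_inactive and allow_active defaults, plus an audit that lists actions whose allow_any grants access outright. The policy XML and its action ids are constructed, and the use of the `.policy` `<defaults>` form (rather than whatever format the lxc-android-config overrides use) is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit's .policy XML format (action ids are made up).
SAMPLE_POLICY = """<policyconfig>
  <action id="com.example.net.control">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="com.example.net.control-override">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""

KEYS = ("allow_any", "allow_inactive", "allow_active")

def load_defaults(xml_text):
    """Return {action_id: {key: value}}; a missing element counts as "no"."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        d = action.find("defaults")
        actions[action.get("id")] = {
            k: ((d.findtext(k) if d is not None else None) or "no").strip()
            for k in KEYS
        }
    return actions

def implicit_result(defaults, session):
    """session: None (no session found), "inactive" or "active" (local)."""
    if session == "active":
        return defaults["allow_active"]
    if session == "inactive":
        return defaults["allow_inactive"]
    return defaults["allow_any"]  # no local session known: only allow_any applies

def audit_allow_any(actions):
    """List action ids whose allow_any grants access without authentication."""
    return sorted(a for a, d in actions.items() if d["allow_any"] == "yes")

if __name__ == "__main__":
    acts = load_defaults(SAMPLE_POLICY)
    for aid, d in acts.items():
        for s in (None, "inactive", "active"):
            print(aid, s, "->", implicit_result(d, s))
    print("allow_any=yes:", audit_allow_any(acts))
```

With `session=None`, the case where no active seat can be found, the first action resolves to "no" even though allow_active is "yes"; only the second action, which sets allow_any, is granted.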