On 09/12/2013 02:05 PM, Jamie Strandboge wrote:
> 
> Hi,
> 
> My team was asked to look into the security ramifications of the current
> policykit situation on Ubuntu Touch. As it stands now: policykit's
> allow_active/allow_inactive doesn't work because it can't find the active seat.
> To find the active seat, logind needs to be present and for logind to be present
> on touch, lightdm needs to land.
> 
> Policykit enabled services that use allow_active/allow_inactive in their policy
> will find that the access is denied on touch (unless allow_any is used). This
> affected network-manager on Ubuntu Touch, so overrides are now shipped for
> network-manager policy (via lxc-android-config). The overrides use
> allow_any=true so the phablet user can manipulate network interfaces/etc.
> Policykit overrides are only shipped for network-manager and are acceptable for
> single-seat installations where it is assumed that the Ubuntu Touch user is the
> active user. 13.10 will not support multi-user and things like ssh are disabled
> by default.
> 
> In terms of click packages, an app's access to DBus is quite limited and it is
> not currently allowed to talk to anything that uses policykit (ie, including
> network-manager).
> 
> While we of course would prefer allow_active/allow_inactive to work as intended,
> considering policykit's default deny behavior, the phone being single seat,
> allow_any overrides being limited to only network-manager, the overrides being
> acceptable in the single seat scenario, and because click packages can't connect
> to policykit-protected services to begin with, we don't feel the security
> concerns are blockers for Ubuntu Touch 13.10 release.
> 

Oliver reminded me of another scenario. PackageKit uses policykit and pkcon is
used to install click packages. Currently it is my understanding that the
policykit checks are disabled right now. For the same reasons as for
network-manager, I feel this is 'ok' for the single seat touch install. Yes, we
would prefer to have this fixed, but I don't consider it a blocker provided
click is adjusted to reenable the checks, but overridden via lxc-android-config
to use allow_any=true like we do with network-manager. While click isn't
supported on desktop systems, we should still only use allow_any=true where
policykit isn't working.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
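For readers unfamiliar with the three policykit result fields the thread keeps referring to, here is a constructed local-authority override file. It is an added example, not the override that lxc-android-config actually ships (whose contents are not given in the thread). It uses the pklocalauthority .pkla syntax of polkit 0.105, in which allow_any/allow_inactive/allow_active correspond to ResultAny/ResultInactive/ResultActive; the file path, the section titles and the use of the phablet user are assumptions.

```ini
# Constructed example, assumed path:
#   /etc/polkit-1/localauthority/50-local.d/10-touch-network-manager.pkla
# Only one of the two entries below would be shipped on a given image; they
# are shown together to contrast the seat-dependent rule with the override.

# Entry 1: the pattern a policykit-enabled service normally relies on.
# ResultActive is only "yes" for a user on the active seat, and the active
# seat is found through logind. Without logind (Ubuntu Touch 13.10, no
# lightdm yet) this never evaluates to yes, and policykit's default deny
# is what the caller sees.
[Desktop-style rule: only the active-seat user controls networking]
Identity=unix-user:phablet
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=yes

# Entry 2: the single-seat Touch override described in the thread.
# ResultAny=yes grants the action with no seat check at all, so it is only
# acceptable where the device has exactly one user and no remote logins
# (ssh disabled by default). Keep the Action pattern and Identity as narrow
# as the service needs; do not widen it to other policykit-protected services.
[Ubuntu Touch single-seat override]
Identity=unix-user:phablet
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes
```

The security point the thread makes maps directly onto the two entries: the first is the safe default that merely fails closed on Touch, the second is the override that trades the seat check for usability and is therefore acceptable only while the single-seat assumption holds.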

-- 
Mailing list: https://launchpad.net/~ubuntu-phone
Post to     : ubuntu-phone@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help   : https://help.launchpad.net/ListHelp
