ConsoleKit (0.2.10) / PolicyKit / Security hole

Hi Michael,

Michael Biebl [2008-07-19  6:47 +0200]:
> first of all, I hope that ubuntu-devel-discuss is the correct email  
> address for contacting the Ubuntu maintainers of consolekit and  
> policykit (taken from debian/control). I've also CCed Martin just in 
> case.

I'm on u-d-d. Thanks a lot for notifying!

> Today I started updating consolekit to 0.2.10-1 in Debian. The work is  
> available from the pkg-utopia svn [1], as always.

Thanks for that, and for merging some of our patches.

> I deliberately did not enable the PolicyKit support in ConsoleKit.

Neither did I; I fully agree with you. I read the huge discussion on the
upstream ML back then, and basically everyone seemed to disagree with
William. :/

> Problem now is, if you disable the PolicyKit support, the restart/stop
> functions are unprotected, and everyone (even through ssh logins) can
> shutdown/reboot the system. For fun try [3] from an unprivileged user
> account. See src/ck-manager.c and grep for HAVE_POLKIT.

Ugh, many thanks for bringing this up, and yay for upstreams putting
sane defaults into their software...

> Imo this is a major security hole in intrepid.

Full ack.

> Now there are different options how to address this:
> 1. in /etc/dbus-1/system.d/ConsoleKit.conf
> open
>     <allow send_interface="org.freedesktop.ConsoleKit.Manager"
>            send_member="Restart"/>
>     <allow send_interface="org.freedesktop.ConsoleKit.Manager"
>            send_member="Stop"/>
> only for
> a) root
> b) at_console

Would work for me. However, I think we should rather fix the upstream
code to deny access to those functions altogether if policykit support
is disabled. That would be the safe and sane fallback IMNSHO. We
should also urge upstream to adopt that patch.

> Currently, there is no user of the CK Restart/Stop methods (new gdm will  
> use it, which is neither in Debian nor Ubuntu, though).

Seb is currently fighting with the new gdm, but it is still horribly
incomplete, and nowhere near being a replacement for 2.20. So I
don't see it going into either Lenny or Intrepid.
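The D-Bus policy change from option 1 above, written out as an added illustration rather than the thread's or ConsoleKit's own configuration file; the service name org.freedesktop.ConsoleKit and the busconfig skeleton are assumed, and the weak form is a constructed fragment showing what an unrestricted policy looks like next to its hardened counterpart:

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Weak form (constructed): any local user, including someone logged in
       over ssh, may call Restart and Stop when CK has no PolicyKit check. -->
  <!--
  <policy context="default">
    <allow send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Restart"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Stop"/>
  </policy>
  -->

  <!-- Hardened form: deny Restart/Stop for everyone by default ... -->
  <policy context="default">
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.ConsoleKit.Manager"
          send_member="Restart"/>
    <deny send_destination="org.freedesktop.ConsoleKit"
          send_interface="org.freedesktop.ConsoleKit.Manager"
          send_member="Stop"/>
  </policy>

  <!-- ... then re-allow them only for root (option 1a) ... -->
  <policy user="root">
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Restart"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Stop"/>
  </policy>

  <!-- ... and for users sitting at the physical console (option 1b). -->
  <policy at_console="true">
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Restart"/>
    <allow send_destination="org.freedesktop.ConsoleKit"
           send_interface="org.freedesktop.ConsoleKit.Manager"
           send_member="Stop"/>
  </policy>
</busconfig>
```

dbus-daemon applies context="default" rules first and user and at_console rules after them, with later matching rules overriding earlier ones, so the allows for root and console users take precedence over the default deny while an ssh login keeps only the deny.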
