[Pkg-utopia-maintainers] ConsoleKit (0.2.10) / PolicyKit / Security hole

Michael Biebl biebl at debian.org
Sat Jul 19 04:47:22 UTC 2008


Hi,

first of all, I hope that ubuntu-devel-discuss is the correct email 
address for contacting the Ubuntu maintainers of consolekit and 
policykit (taken from debian/control). I've also CCed Martin just in case.

On to my actual issue:

Today I started updating consolekit to 0.2.10-1 in Debian. The work is 
available from the pkg-utopia svn [1], as always.

I deliberately did not enable the PolicyKit support in ConsoleKit.
Enabling PolicyKit support means that ConsoleKit will link against 
libpolkit. libpolkit on the other hand, requires that the complete 
policykit package is installed. The init functions in libpolkit place 
inotify watches on certain files and directories (which are only shipped 
in the policykit package, like /etc/PolicyKit/PolicyKit.conf and 
/var/lib/misc/PolicyKit.reload).
If those files are not present, libpolkit will not work correctly.

I.e. enabling PolicyKit support in ConsoleKit would mean the package 
would have to declare a dependency on the policykit package. On the 
other hand, the policykit package requires the consolekit package to 
work properly. For the gory details see [2].

The simple reason why PolicyKit support was added to ConsoleKit is 
that ConsoleKit has new functionality like System restart/stop, which 
has to be protected, so not everyone can call these functions.

It's debatable if such functionality belongs in ConsoleKit (I think 
it doesn't but upstream disagrees).

Problem now is, if you disable the PolicyKit support, the restart/stop 
functions are unprotected, and everyone (even through ssh logins) can 
shut down/reboot the system. For fun try [3] from an unprivileged user 
account. See src/ck-manager.c and grep for HAVE_POLKIT.

Imo this is a major security hole in intrepid.

Now there are different options how to address this:
1. in /etc/dbus-1/system.d/ConsoleKit.conf
   open
     <allow send_interface="org.freedesktop.ConsoleKit.Manager"
            send_member="Restart"/>
     <allow send_interface="org.freedesktop.ConsoleKit.Manager"
            send_member="Stop"/>
   only for
   a) root
   b) at_console
2. Enable PolicyKit support in ConsoleKit

Currently, there is no user of the CK Restart/Stop methods (new gdm will 
use it, which is neither in Debian nor Ubuntu, though).

So imo the safest option would be 1.a)

Other opinions?

Michael


[1] http://svn.debian.org/wsvn/pkg-utopia/packages/unstable/consolekit
[2] http://lists.freedesktop.org/archives/hal/2008-January/010603.html
     http://lists.freedesktop.org/archives/hal/2008-January/010669.html
[3] dbus-send --system --dest=org.freedesktop.ConsoleKit \
   --type=method_call --print-reply --reply-timeout=2000 \
     /org/freedesktop/ConsoleKit/Manager \
       org.freedesktop.ConsoleKit.Manager.Stop

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
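
Added example, not part of the original mail and not ConsoleKit or D-Bus code: a small audit of a D-Bus system policy file that reports which policy blocks may send the Restart and Stop methods discussed above. The sample policy is constructed, and the checker is a simplification that applies rules per policy selector in document order and does not model D-Bus's precedence between different selectors.

```python
import xml.etree.ElementTree as ET

IFACE = "org.freedesktop.ConsoleKit.Manager"
DEST = "org.freedesktop.ConsoleKit"
MEMBERS = ("Restart", "Stop")

# Constructed sample (not the shipped ConsoleKit.conf): the first block is
# the unprotected case, the second block is option 1.a from the mail.
SAMPLE = """<busconfig>
  <policy context="default">
    <allow send_interface="org.freedesktop.ConsoleKit.Manager"/>
  </policy>
  <policy user="root">
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Restart"/>
    <allow send_interface="org.freedesktop.ConsoleKit.Manager" send_member="Stop"/>
  </policy>
</busconfig>"""

def label(policy):
    """Name a <policy> block by its selector attribute."""
    keys = [k for k in ("context", "user", "group", "at_console") if k in policy.attrib]
    return f"{keys[0]}={policy.attrib[keys[0]]}" if keys else "unknown"

def matches(rule, member):
    """True if a send rule covers IFACE.member; absent attributes are wildcards."""
    a = rule.attrib
    if not any(k.startswith("send_") for k in a):
        return False  # own/receive rules do not govern sending
    return (a.get("send_interface", IFACE) == IFACE
            and a.get("send_member", member) == member
            and a.get("send_destination", DEST) == DEST)

def audit(xml_text):
    """Map each policy selector to the members its subjects may send."""
    result = {}
    for policy in ET.fromstring(xml_text).iter("policy"):
        allowed = result.setdefault(label(policy), set())
        for rule in policy:  # later matching rules override earlier ones
            for m in MEMBERS:
                if rule.tag in ("allow", "deny") and matches(rule, m):
                    (allowed.add if rule.tag == "allow" else allowed.discard)(m)
    return result

def exposed_to_everyone(xml_text):
    """Members that any bus client may call via context="default"."""
    return sorted(audit(xml_text).get("context=default", set()))

if __name__ == "__main__":
    print(audit(SAMPLE), "open to all users:", exposed_to_everyone(SAMPLE))
```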
