Re: su/sudo wrapper



Hi,

On Sun, 2007-05-20 at 00:58 +0200, Benoît Dejean wrote:
> On Saturday 19 May 2007 at 00:06 +0100, Bastien Nocera wrote:
> > On Fri, 2007-05-18 at 15:01 +0200, Benoît Dejean wrote:
> > > Hello,
> 
> > It all depends what for. But most (newly written) apps should use
> > PolicyKit as it allows just for that sort of thing.
> 
> http://webcvs.freedesktop.org/hal/PolicyKit/ChangeLog?view=markup
> Last change was 11 months ago. Never released.

As someone else pointed out, it's in git (and has 100% gtk-doc coverage)
and has been undergoing a rewrite for about a month. I haven't
finalized the high-level "why + how" document yet (been traveling for
the past two weeks), but there's something in the 2nd half of this
presentation that I did at the Red Hat summit:

 http://people.freedesktop.org/~david/Summit07_lockdown_davidz.pdf

I'll mail about it when I have something more tangible. Most of the code
is (re)written already; even the GNOME dialogs you see in that
presentation already exist as code on my local drive. I just need to
check the GNOME-specific bits into GNOME SVN.

> gksu is quite popular AFAICS on my Debian.

Perhaps, but running X11 / GTK+ apps as root is IMO not something we
should endorse in the GNOME project. It's not like this is something
new; I mean, just look at desktop-devel-list archives.

That said, I want to take a wait and see approach with PolicyKit - it's
a lot of new and pretty complex stuff so I want to see how well it works
with HAL (and the distros) before proposing it as an optional dependency
for GNOME (it's an optional dependency of HAL). 

Btw, I'm pretty sure PolicyKit would work for your application
(gnome-system-monitor); you'd want to use a privileged helper (either
setuid or a D-Bus helper activated on the system bus[1]) that just uses
libpolkit to see if the caller is privileged to kill/renice the process
in question. If the helper says no (because libpolkit said no), you can
easily (via a session D-Bus service) pop up a dialog asking the user for
credentials and thereby gain the privilege to do that action. Then, upon
successful acquisition of the privilege, you can launch the helper again
and libpolkit will say that the action is OK. This is slides 47-53 of the
presentation; just replace s/File Manager/gnome-system-monitor/,
s/HAL/helper for gnome-system-monitor/ and s/Mount/Renice/ (or Kill).
Again, this can be either a setuid helper or a D-Bus system bus service
(that, in the future, can be activated).

In this respect, PolicyKit is nothing new; it's just a way to centrally
manage fine-grained permissions, instead of the coarse-grained "am I
root or not?" you (essentially) get from e.g. gksu or similar. I mean,
even if you do _use_ gksu (or something else) to gain privileges, you'd
still need to make sure that you're only letting that tiny piece of code
run with privileges (e.g. not let all of gnome-system-monitor run as
root), cf. common sense [2]. So in the end, I'd expect it will be easier
to use libpolkit, especially since you'd be able to configure PolicyKit
such that some users will always have that privilege (but will lack
other privileges; this is the whole point of fine-grained privileges).

Phew, that was a long mail, sorry about that; I hope it made some sense.
Anyway, as I said, I'll have something a lot more tangible ready in a
month or so; it's probably better to discuss it at that point because
then I have docs + working code to point to :-)

Cheers,
David

[1] : D-Bus system bus activation still needs to be finished; but
there's a working patch already.

[2] : http://gtk.org/setuid.html
