The following commit: http://cgit.freedesktop.org/polkit/commit/configure.ac?id=8e0383cb9972f5b3b86e64f9b015f53671ce0323 adds a non-privileged polkitd user, with the following recommendations: echo "NOTE: The directory ${sysconfdir}/polkit-1/rules.d must be owned" echo " by user '$POLKITD_USER' and have mode 700" echo "NOTE: The directory ${datadir}/polkit-1/rules.d must be owned" echo " by user '$POLKITD_USER' and have mode 700" Since polkitd has no need to change these files, it is actually safer to have the directories root-owned, and group-readable by polkitd. E.g.: echo "NOTE: The directory ${sysconfdir}/polkit-1/rules.d must be group-owned" echo " by user '$POLKITD_USER' and have mode 750" echo "NOTE: The directory ${datadir}/polkit-1/rules.d must be group-owned" echo " by user '$POLKITD_USER' and have mode 750" That way, a limited daemon compromise that results in ability to overwrite daemon-owned files will not automatically result in full system compromise.
I tested with the following configuration successfully (see the referenced Gentoo bug): chown root:polkitd /etc/polkit-1/rules.d chmod 750 /etc/polkit-1/rules.d chown root:root {/etc,/usr/share}/polkit-1/rules.d/* /usr/share/polkit-1/rules.d chmod 644 {/etc,/usr/share}/polkit-1/rules.d/* I.e., there is also probably no reason to change default ownership/permissions in ${datadir}/polkit-1/rules.d.
(In reply to comment #0) > The following commit: > http://cgit.freedesktop.org/polkit/commit/configure. > ac?id=8e0383cb9972f5b3b86e64f9b015f53671ce0323 > adds a non-privileged polkitd user, with the following recommendations: > > echo "NOTE: The directory ${sysconfdir}/polkit-1/rules.d must be owned" > echo " by user '$POLKITD_USER' and have mode 700" > > echo "NOTE: The directory ${datadir}/polkit-1/rules.d must be owned" > echo " by user '$POLKITD_USER' and have mode 700" > > Since polkitd has no need to change these files, it is actually safer to > have the directories root-owned, and group-readable by polkitd. E.g.: > For that to work, you not only need a polkitd user, but also a dedicated polkitd group, which is more effort to setup. If writing to the directory by the polkitd process is of concern, you could simply make the directory polkitd:root 500
(In reply to comment #2) > (In reply to comment #0) > > Since polkitd has no need to change these files, it is actually safer to > > have the directories root-owned, and group-readable by polkitd. E.g.: > > > > For that to work, you not only need a polkitd user, but also a dedicated > polkitd group, which is more effort to setup. > If writing to the directory by the polkitd process is of concern, you could > simply make the directory polkitd:root 500 Which of course only protects against accidental removal/change of files by the polkitd process. A malicious attacker who has compromised the polkitd binary could chmod the directory 700 to be able to write into those directories but I don't see how this would improve the securify. If someone has compromised the binary, he can just as well return the desired Results without actually executing the rules files.
(In reply to comment #2) > For that to work, you not only need a polkitd user, but also a dedicated > polkitd group, which is more effort to setup. See the referenced Gentoo bug -- gentoo already has such a group.
(In reply to comment #3) > If someone has compromised the binary, he > can just as well return the desired Results without actually executing the > rules files. Please re-read the bug report: "a limited daemon compromise".
Note that if the system supports ACLs, it'd be possible to grant the polkitd user read-only access to the directory too.
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/polkit/polkit/issues/48.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.