Add tweaks to the security file, after review from DavidZ

This commit is contained in:
Richard Hughes 2009-07-14 17:03:59 +01:00
parent dd4f22d95d
commit 736a4d39c6


@ -10,10 +10,10 @@ untrusted input from the client, which means the daemon is security sensitive.
First, a high level overview, in this case using the yum backend as an example:
gpk-update-icon gpk-application
| _______/
[DBUS] __[DBUS]__/
| /
packagekitd -- [DBUS] -- polkit-daemon-1
| ___/
[D-Bus] __[D-Bus]__/
| /
packagekitd -- [D-Bus] -- polkitd-1
|
[pipe]
|
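Review bot: the rename of the message bus and the authority service in the diagram should be applied consistently; the hunk changes "[DBUS]" to "[D-Bus]" and "polkit-daemon-1" to "polkitd-1" on the diagram lines, so check that no remaining occurrence of the old spellings survives elsewhere in the file, and consider aligning the box columns of the ASCII diagram with the renamed, shorter "polkitd-1" label so the connector lines still line up.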
@ -21,17 +21,20 @@ First, a high level overview, in this case using the yum backend as an example:
packagekitd does not expose itself remotely over XMLRPC or other remote
interface, and so a remote denial of service or exploit is impossible without a
serious exploit of other services such as DBus. It advertises a simple interface
serious exploit of other services such as D-Bus. It advertises a simple interface
that can be queried by clients in unprivileged and privileged modes.
The privileged modes are controlled using PolicyKit, and policy and the
authentication mechanism is deferred to the polkit-daemon-1 service.
authentication mechanism is deferred to the polkitd-1 service.
When a privileged method is executed, the daemon asks polkit-daemon-1 for
authentication, which then blocks until the authentication is completed. This
is handled asynchronously, and the daemon can process other requests whilst
waiting for user input.
When a privileged method is executed, the daemon checks with polkitd-1 daemon
for whether the client is authorized for the action it wants to perform.
This may involve the user authenticating that they are either the user (by
typing their password) or that they are an administrative user (by typing the
root password or the password of a user designated as an administrative user).
The authorization check can take some time, but the daemon can process other
requests whilst waiting for user input.
The packagekitd daemon is started using DBus system activation, which means it
The packagekitd daemon is started using D-Bus system activation, which means it
is started without any environment (no PATH, etc) and therefore is impossible to
exploit by preloading other libraries. It is also running as uid 0, and so
requires root privileges to inject code into it.
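Review bot: the rewritten authorization paragraph has a grammar slip and drops a useful detail; "the daemon checks with polkitd-1 daemon" should read "the daemon checks with the polkitd-1 daemon", and the removed sentence "This is handled asynchronously" is worth keeping in the new text, since the point that the daemon does not block on user input is the security-relevant property. Separately, "is impossible to exploit by preloading other libraries" overstates the protection: the D-Bus activation environment only means a client cannot supply variables such as LD_PRELOAD, so "cannot be influenced through environment variables such as LD_PRELOAD" is the defensible wording, and the following sentence already gives the real argument, that the process runs as uid 0 so injecting code into it requires root.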