From Fedora Project Wiki
(Retarget to Fedora 20 as agreed with Feature owner (lack of manpower for F19))
 
(27 intermediate revisions by 8 users not shown)
Line 2: Line 2:


== Summary ==
== Summary ==
Access control of privileged operations for ordinary users should be handled ''exclusively'' by a centrally managed authority. Usermode/consolehelper should be phased out and be replaced entirely by PolicyKit.
Access control of privileged operations for ordinary users should be handled ''exclusively'' by a centrally managed authority.  
 
Usermode/consolehelper should be phased out and be replaced entirely by polkit.


== Owner ==
== Owner ==
Line 10: Line 12:
* Name: [[User:Kay| Kay Sievers]]
* Name: [[User:Kay| Kay Sievers]]
* Email: kay@redhat.com
* Email: kay@redhat.com
* Name: [[User: Notting| Bill Nottingham]]
* Email: notting@redhat.com


== Current status ==
== Current status ==
* Targeted release: [[Releases/18 | Fedora 18]]
* Targeted release: [[Releases/20 | Fedora 20]]
* Last updated: 2012-04-03
* Last updated: 2013-03-20
* Percentage of completion: 20%
* Percentage of completion: 20%


Line 19: Line 24:
The usermode/consolehelper program is a setuid-root wrapper around a couple of system tools, providing superuser privileges to ordinary users. Its policy is controlled by text files in /etc.
The usermode/consolehelper program is a setuid-root wrapper around a couple of system tools, providing superuser privileges to ordinary users. Its policy is controlled by text files in /etc.


These days, most privileged system operations are already controlled by PolicyKit, a well-established, fine-grained, (possibly) network-transparent service for managing privileged operations by ordinary users. Enterprise environments need to be able to centrally define access control policy for the organization, and automatically apply it to all connected workstations.
These days, most privileged system operations are already controlled by polkit, a well-established, fine-grained, (possibly) network-transparent service for managing privileged operations by ordinary users. Enterprise environments need to be able to centrally define access control policy for the organization, and automatically apply it to all connected workstations.


* PolicyKit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, PolicyKit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text environments, and native in all major graphical environments.
* polkit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text environments, and native in all major graphical environments.
* The concept of a ''console user''  (that usermode/consolehelper implements) is no longer a sufficient concept to derive privileges from. OTOH PolicyKit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is only granted if only a single user session runs at that time.
* The concept of a ''console user''  (that usermode/consolehelper implements) is no longer a sufficient concept to derive privileges from. OTOH polkit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is only granted if only a single user session runs at that time.


[http://hal.freedesktop.org/docs/polkit/polkit.8.html Polkit(8) manpage]
[http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html polkit(8) manual page]


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 37: Line 42:


* Document how to convert consolehelper to polkit:
* Document how to convert consolehelper to polkit:
** python: put pkexec in the wrapper shell
** python: put a pkexec invocation in the wrapping shell script
** C tools: re-exec with pkexec in C code
** C tools: re-exec with pkexec in C code
** C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell (ugly!)
** C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell script (ugly!)
* Open tracker bug and file bugs against all individual packages.
* File bugs against all individual packages, and add them to tracker bug [https://bugzilla.redhat.com/show_bug.cgi?id=502765 502765]
* Convert all packages, where it makes sense to use polkit, to pkexec.
* Convert all packages where it makes sense to use polkit to pkexec.
* For the unconverted rest, drop the usermode part and recommend to use pkexec on the command line, like sudo is used to run tools.
* If all packages are successfully converted, userhelper may be removed


=== How to convert ===
=== How to Convert ===
A fast and easy way to convert a former consolehelper program is the use of pkexec.
A quick and easy way to convert a former consolehelper program is the use of pkexec.


As an example, we convert system-config-date to PolicyKit:
As an example we convert system-config-date to polkit:
<pre>
<pre>
# ls -l /usr/bin/system-config-date
# ls -l /usr/bin/system-config-date
Line 59: Line 64:
</pre>
</pre>


Ok, running /usr/bin/system-config-date would have executed /usr/share/system-config-date/system-config-date.py, so we create /usr/bin/system-config-date like the following:
OK, running /usr/bin/system-config-date would have executed /usr/share/system-config-date/system-config-date.py, so we create /usr/bin/system-config-date like the following:
<pre>
<pre>
# cat /usr/bin/system-config-date
# cat /usr/bin/system-config-date
Line 81: Line 86:


  <action id="org.fedoraproject.config.date.pkexec.run">
  <action id="org.fedoraproject.config.date.pkexec.run">
     <description>Run System Config Date</description>
     <_description>Run System Config Date</_description>
     <message>Authentication is required to run system-config-date</message>
     <_message>Authentication is required to run system-config-date</_message>
     <icon_name>system-config-date</icon_name>
     <icon_name>system-config-date</icon_name>
     <defaults>
     <defaults>
     <allow_any>no</allow_any>
     <allow_any>no</allow_any>
     <allow_inactive>no</allow_inactive>
     <allow_inactive>no</allow_inactive>
     <allow_active>auth_self_keep</allow_active>
     <allow_active>auth_admin_keep</allow_active>
     </defaults>
     </defaults>
     <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
     <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
Line 107: Line 112:
should not output a single package, except the usermode-gtk package.
should not output a single package, except the usermode-gtk package.


Make sure, you can call all the tools, which used to use usermode and be asked the appropriate password.
Make sure you can call all the tools which used to use usermode and are asked the appropriate authentication.


== User Experience ==
== User Experience ==
Line 183: Line 188:
== Contingency Plan ==
== Contingency Plan ==
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
Even, if we cannot drop usermode, the changes in the packages do not have to be reverted.
Even if we cannot drop usermode for F19 (because not all packages have been converted) the changes in the packages do not have to be reverted.


== Documentation ==
== Documentation ==
* [http://www.freedesktop.org/wiki/Software/PolicyKit PolicyKit Homepage]
* [http://www.freedesktop.org/wiki/Software/polkit polkit Homepage]
* [http://hal.freedesktop.org/docs/polkit PolicyKit Documentation]
* [http://www.freedesktop.org/software/polkit/docs/latest/ polkit Documentation]
* [http://hal.freedesktop.org/docs/polkit/polkit.8.html Polkit(8) manpage]
* [http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html polkit(8) manpage]
* [http://www.freedesktop.org/software/polkit/docs/latest/pkexec.1.html pkexec(1) manpage]


== Release Notes ==
== Release Notes ==
*
 
* The following packages now use the polkit policy configuration instead of the usermode/consolehelper configuration. Please migrate any policy, which you have created for those packages. Documentation about polkit can be found on http://www.freedesktop.org/software/polkit/docs/latest/
 
  <list of packages>


== Comments and Discussion ==
== Comments and Discussion ==

Latest revision as of 13:48, 20 March 2013

Usermode Migration

Summary

Access control of privileged operations for ordinary users should be handled exclusively by a centrally managed authority.

Usermode/consolehelper should be phased out and be replaced entirely by polkit.

Owner

Current status

  • Targeted release: Fedora 20
  • Last updated: 2013-03-20
  • Percentage of completion: 20%

Detailed Description

The usermode/consolehelper program is a setuid-root wrapper around a couple of system tools, providing superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

These days, most privileged system operations are already controlled by polkit, a well-established, fine-grained, (possibly) network-transparent service for managing privileged operations by ordinary users. Enterprise environments need to be able to centrally define access control policy for the organization, and automatically apply it to all connected workstations.

  • polkit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text environments, and native in all major graphical environments.
  • The concept of a console user (that usermode/consolehelper implements) is no longer a sufficient concept to derive privileges from. OTOH polkit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is only granted if only a single user session runs at that time.

polkit(8) manual page

Benefit to Fedora

  • Consistency of system configuration.
  • Centralization of policy.
  • Cleaner system integration; no implicit interception of tools residing in sbin/ with symlinks in bin/, which is less dependent on $PATH ordering.
  • No difference regarding the hookup between tools installed in bin/ or sbin/.

Scope

  • Document how to convert consolehelper to polkit:
    • python: put a pkexec invocation in the wrapping shell script
    • C tools: re-exec with pkexec in C code
    • C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell script (ugly!)
  • File bugs against all individual packages, and add them to tracker bug 502765
  • Convert all packages where it makes sense to use polkit to pkexec.
  • If all packages are successfully converted, userhelper may be removed

How to Convert

A quick and easy way to convert a former consolehelper program is the use of pkexec.

As an example we convert system-config-date to polkit:

# ls -l /usr/bin/system-config-date
lrwxrwxrwx 1 root root 13  5. Feb 02:34 /usr/bin/system-config-date -> consolehelper

# rm /usr/bin/system-config-date
# cat /etc/security/console.apps/system-config-date
. config-util
PROGRAM=/usr/share/system-config-date/system-config-date.py
SESSION=true

OK, running /usr/bin/system-config-date would have executed /usr/share/system-config-date/system-config-date.py, so we create /usr/bin/system-config-date like the following:

# cat /usr/bin/system-config-date
#!/bin/sh
exec /usr/bin/pkexec /usr/share/system-config-date/system-config-date.py

This will not export the DISPLAY variable, so we have to add a policy file, although starting a GUI as root is not encouraged. The important part is: <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

/usr/share/polkit-1/actions/org.fedoraproject.config.date.policy:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

 <vendor>System Config Date</vendor>
 <vendor_url>http://fedorahosted.org/system-config-date</vendor_url>

 <action id="org.fedoraproject.config.date.pkexec.run">
    <_description>Run System Config Date</_description>
    <_message>Authentication is required to run system-config-date</_message>
    <icon_name>system-config-date</icon_name>
    <defaults>
     <allow_any>no</allow_any>
     <allow_inactive>no</allow_inactive>
     <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
 </action>
</policyconfig>

How To Test

# yum remove usermode usermode-gtk

should succeed for an installation with all Fedora packages installed.

# repoquery --whatrequires usermode --whatrequires usermode-gtk
usermode-gtk-....

should not output a single package, except the usermode-gtk package.

Make sure you can call all the tools which used to use usermode and are asked the appropriate authentication.

User Experience

The user should experience no noticeable changes.

Dependencies

  • anaconda
  • audit-viewer
  • authconfig-gtk
  • backintime-gnome
  • backintime-kde
  • beesu
  • bootconf-gui
  • chkrootkit
  • driftnet
  • drobo-utils-gui
  • eclipse-oprofile
  • ejabberd
  • fwfstab
  • galternatives
  • gsmartcontrol
  • hddtemp
  • kdenetwork-kppp
  • kismet
  • liveusb-creator
  • livna-config-display
  • lshw-gui
  • mock
  • mtr-gtk
  • netgo
  • nmap-frontend
  • ntfs-config
  • policycoreutils-gui
  • preupgrade
  • pure-ftpd
  • qtparted
  • realcrypt
  • revisor-cli
  • rhn-setup
  • rhn-setup-gnome
  • sabayon
  • setools-gui
  • setuptool
  • smart-gui
  • subscription-manager-gnome
  • synaptic
  • system-config-audit
  • system-config-bind
  • system-config-boot
  • system-config-date
  • system-config-httpd
  • system-config-kdump
  • system-config-keyboard
  • system-config-language
  • system-config-lvm
  • system-config-network
  • system-config-network-tui
  • system-config-nfs
  • system-config-rootpassword
  • system-config-users
  • system-switch-displaymanager
  • system-switch-java
  • system-switch-mail
  • system-switch-mail-gnome
  • tuned
  • usermode-gtk
  • vpnc-consoleuser
  • wifi-radar
  • wlassistant
  • xawtv
  • yumex
  • zyx-liveinstaller

Contingency Plan

Even if we cannot drop usermode for F19 (because not all packages have been converted) the changes in the packages do not have to be reverted.

Documentation

Release Notes

  • The following packages now use the polkit policy configuration instead of the usermode/consolehelper configuration. Please migrate any policy, which you have created for those packages. Documentation about polkit can be found on http://www.freedesktop.org/software/polkit/docs/latest/
 <list of packages>

Comments and Discussion