Features/UsermodeMigration

From FedoraProject

Revision as of 13:59, 3 April 2012

Usermode Migration

Summary

All granting of privileged operations to ordinary users should be handled exclusively by centrally managed polkit policy. Usermode/userhelper should be phased out and entirely replaced by polkit.

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-04-03
  • Percentage of completion: 20%

Detailed Description

The usermode/userhelper program is a setuid-root wrapper around a number of tools that grants superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

Most privileged user operations are already controlled by polkit today, a well-established, fine-grained and possibly network-transparent infrastructure for managing privileged operations by ordinary users. Enterprise environments should be able to centrally define the domain's policy and automatically apply it to all connected workstations.

  • Polkit can be used by a privileged process to decide whether it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called pkexec. The hooks to ask the user for authorization are well integrated into text mode, and natively into all major graphical environments.
  • Polkit authorization can properly distinguish between multiple sessions: e.g. a reboot requested by an untrusted user is only allowed while a single user session is running.

Polkit(8) manpage: http://hal.freedesktop.org/docs/polkit/polkit.8.html

Benefit to Fedora

  • Consistency of system configuration.
  • Centralization of policy.
  • Cleaner system integration: no interception of tools in sbin/ by symlinks in bin/, which creates dependencies on $PATH ordering

Scope

  • document how to convert consolehelper to polkit:
    • python: put pkexec in the wrapper shell
    • C tools: re-exec with pkexec in C code
    • C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell (ugly!)
  • open tracker bug and file bugs against all individual packages
  • convert all packages, where it makes sense to use polkit, to pkexec
  • for the rest, drop usermode and recommend using pkexec like sudo

How to convert

A fast and easy way to convert a former consolehelper program is the use of pkexec.

As an example, we convert system-config-date to PolicyKit:

# ls -l /usr/bin/system-config-date
lrwxrwxrwx 1 root root 13  5. Feb 02:34 /usr/bin/system-config-date -> consolehelper

# rm /usr/bin/system-config-date
# cat /etc/security/console.apps/system-config-date
. config-util
PROGRAM=/usr/share/system-config-date/system-config-date.py
SESSION=true

So running /usr/bin/system-config-date would have executed /usr/share/system-config-date/system-config-date.py; we therefore recreate /usr/bin/system-config-date as follows:

# cat /usr/bin/system-config-date
#!/bin/sh
exec /usr/bin/pkexec /usr/share/system-config-date/system-config-date.py

This will not export the DISPLAY variable, so we have to add a policy file, although starting a GUI as root is not encouraged. The important part is: <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

/usr/share/polkit-1/actions/org.fedoraproject.config.date.policy:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

 <vendor>System Config Date</vendor>
 <vendor_url>http://fedorahosted.org/system-config-date</vendor_url>

 <action id="org.fedoraproject.config.date.pkexec.run">
    <description>Run System Config Date</description>
    <message>Authentication is required to run system-config-date</message>
    <icon_name>system-config-date</icon_name>
    <defaults>
     <allow_any>no</allow_any>
     <allow_inactive>no</allow_inactive>
     <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
 </action>
</policyconfig>
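
The conversion above, written up as a small script so it can be repeated for other consolehelper tools. This is an added example, not part of the original wiki page: it assumes the console.apps file carries a PROGRAM= line, and the output prefix and action id are caller-supplied placeholders.

```sh
#!/bin/sh
# Added example, not part of the Fedora wiki page: turn a consolehelper
# definition into the pkexec wrapper plus polkit .policy file described above.
# Assumptions: the console.apps file has a PROGRAM= line; the action id and
# output prefix are caller-supplied placeholders.

# convert_consolehelper <tool> <console.apps file> <output prefix> <action id>
convert_consolehelper() {
    tool=$1; conf=$2; prefix=$3; action=$4
    # The real program is whatever consolehelper would have run.
    program=$(sed -n 's/^PROGRAM=//p' "$conf" | tr -d '"' | head -n 1)
    [ -n "$program" ] || { echo "no PROGRAM= in $conf" >&2; return 1; }
    mkdir -p "$prefix/usr/bin" "$prefix/usr/share/polkit-1/actions"
    # Wrapper: re-exec through pkexec instead of the consolehelper symlink.
    cat > "$prefix/usr/bin/$tool" <<EOF
#!/bin/sh
exec /usr/bin/pkexec $program
EOF
    chmod 755 "$prefix/usr/bin/$tool"
    # Policy: exec.path pins the action to this one program, so the rule
    # cannot be reused to run something else; allow_gui passes DISPLAY.
    cat > "$prefix/usr/share/polkit-1/actions/$action.policy" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="$action.pkexec.run">
    <description>Run $tool</description>
    <message>Authentication is required to run $tool</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">$program</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>
EOF
}

# Constructed input mirroring the page's system-config-date definition,
# written to a scratch prefix so nothing touches the real system.
demo=$(mktemp -d)
printf '. config-util\nPROGRAM=/usr/share/system-config-date/system-config-date.py\nSESSION=true\n' \
    > "$demo/system-config-date"
convert_consolehelper system-config-date "$demo/system-config-date" \
    "$demo/root" org.fedoraproject.config.date
```

Point the prefix at / only after reviewing the generated files; the exec.path annotation is what keeps the new action from authorizing anything other than the tool being converted.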

How To Test

# yum remove usermode usermode-gtk

should succeed for an installation with all Fedora packages installed.

# repoquery --whatrequires usermode --whatrequires usermode-gtk
usermode-gtk-....

should not output a single package, except the usermode-gtk package.

Make sure you can call all the tools that used to use usermode and are asked for the appropriate password.

User Experience

The user should experience no noticeable changes.

Dependencies

  • anaconda
  • audit-viewer
  • authconfig-gtk
  • backintime-gnome
  • backintime-kde
  • beesu
  • bootconf-gui
  • chkrootkit
  • driftnet
  • drobo-utils-gui
  • eclipse-oprofile
  • ejabberd
  • fwfstab
  • galternatives
  • gsmartcontrol
  • hddtemp
  • kdenetwork-kppp
  • kismet
  • liveusb-creator
  • livna-config-display
  • lshw-gui
  • mock
  • mtr-gtk
  • netgo
  • nmap-frontend
  • ntfs-config
  • policycoreutils-gui
  • preupgrade
  • pure-ftpd
  • qtparted
  • realcrypt
  • revisor-cli
  • rhn-setup
  • rhn-setup-gnome
  • sabayon
  • setools-gui
  • setuptool
  • smart-gui
  • subscription-manager-gnome
  • synaptic
  • system-config-audit
  • system-config-bind
  • system-config-boot
  • system-config-date
  • system-config-httpd
  • system-config-kdump
  • system-config-keyboard
  • system-config-language
  • system-config-lvm
  • system-config-network
  • system-config-network-tui
  • system-config-nfs
  • system-config-rootpassword
  • system-config-users
  • system-switch-displaymanager
  • system-switch-java
  • system-switch-mail
  • system-switch-mail-gnome
  • tuned
  • usermode-gtk
  • vpnc-consoleuser
  • wifi-radar
  • wlassistant
  • xawtv
  • yumex
  • zyx-liveinstaller

Contingency Plan

Even if we cannot drop usermode, the changes in the packages do not have to be reverted.

Documentation

Release Notes