Features/UsermodeMigration

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
Line 2: Line 2:
  
 
== Summary ==
 
== Summary ==
All granting of privileged operations to ordinary users should exclusively be handled by centrally-managed polit policy. Usermode/userhelper should be phased-out and entirely replaced by polkit.
+
All granting of privileged operations to ordinary users should ''exclusively'' be handled by a centrally managed authority. Usermode/consolehelper should be phased-out and entirely replaced by polkit.
  
 
== Owner ==
 
== Owner ==
Line 12: Line 12:
  
 
== Current status ==
 
== Current status ==
* Targeted release: [[Releases/18 | Fedora 18 ]]
+
* Targeted release: [[Releases/18 | Fedora 18]]
 
* Last updated: 2012-04-03
 
* Last updated: 2012-04-03
 
* Percentage of completion: 20%
 
* Percentage of completion: 20%
  
 
== Detailed Description ==
 
== Detailed Description ==
The usermode/userhelper program is a setuid-root wrapper around a couple of tools, to provide superuser privileges to ordinary users. Its policy is controlled by text files in /etc.
+
The usermode/consolehelper program is a setuid-root wrapper around a couple of tools, to provide superuser privileges to ordinary users. Its policy is controlled by text files in /etc.
  
 
Most privileged user operations are already controlled by polkit today, a well-established, fine-grained, possible network-transparent infrastructure to manage privileged operations by ordinary users. Enterprise environments should be able to centrally define the domain’s policy, and automatically apply it to all connected workstations.
 
Most privileged user operations are already controlled by polkit today, a well-established, fine-grained, possible network-transparent infrastructure to manage privileged operations by ordinary users. Enterprise environments should be able to centrally define the domain’s policy, and automatically apply it to all connected workstations.
  
 
* Polkit can be used by privileged process to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text, and natively into all major graphical environments.
 
* Polkit can be used by privileged process to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text, and natively into all major graphical environments.
* Polkit auth can properly distinguish between multiple sessions: e.g. untrusted user reboot request reboot only allowed when only a single user session runs.
+
* The concept of a ''console user''  is no longer a sufficient concept to derive privileges from. Polkit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is only granted, if only a single user session runs at that time.
  
 
[http://hal.freedesktop.org/docs/polkit/polkit.8.html Polkit(8) manpage]
 
[http://hal.freedesktop.org/docs/polkit/polkit.8.html Polkit(8) manpage]
Line 36: Line 36:
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
  
* document how to convert consolehelper to polkit:
+
* Document how to convert consolehelper to polkit:
 
** python: put pkexec in the wrapper shell
 
** python: put pkexec in the wrapper shell
 
** C tools: re-exec with pkexec in C code
 
** C tools: re-exec with pkexec in C code
 
** C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell (ugly!)
 
** C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell (ugly!)
* open tracker bug and file bugs against all individual packages
+
* Open tracker bug and file bugs against all individual packages.
* convert all packages, where it makes sense to use polkit, to pkexec
+
* Convert all packages, where it makes sense to use polkit, to pkexec.
* for the rest, drop usermode and recommend to use pkexec like sudo
+
* For the unconverted rest, drop the usermode part and recommend to use pkexec on the command line, like sudo is used to run tools.
  
 
=== How to convert ===
 
=== How to convert ===

Revision as of 14:10, 3 April 2012

Contents

Usermode Migration

Summary

All granting of privileged operations to ordinary users should exclusively be handled by a centrally managed authority. Usermode/consolehelper should be phased-out and entirely replaced by polkit.

Owner

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-04-03
  • Percentage of completion: 20%

Detailed Description

The usermode/consolehelper program is a setuid-root wrapper around a couple of tools, to provide superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

Most privileged user operations are already controlled by polkit today, a well-established, fine-grained, possible network-transparent infrastructure to manage privileged operations by ordinary users. Enterprise environments should be able to centrally define the domain’s policy, and automatically apply it to all connected workstations.

  • Polkit can be used by privileged process to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, polkit provides a setuid-root helper program called ‘’pkexec’’.The hooks to ask the user for authorizations are well-integrated into text, and natively into all major graphical environments.
  • The concept of a console user is no longer a sufficient concept to derive privileges from. Polkit authorizations can properly distinguish between multiple active sessions and seats: e.g. an untrusted user’s reboot request is only granted, if only a single user session runs at that time.

Polkit(8) manpage

Benefit to Fedora

  • Consistency of system configuration.
  • Centralization of policy.
  • Cleaner system integration; no implicit interception of tools residing in sbin/ with symlinks in bin/, which is less dependent on $PATH ordering.
  • No difference regarding the hookup between tools installed in bin/ or sbin/.

Scope

  • Document how to convert consolehelper to polkit:
    • python: put pkexec in the wrapper shell
    • C tools: re-exec with pkexec in C code
    • C tools: move original to /usr/lib/<pkg>/<tool>, and wrap /usr/bin/<tool> with a pkexec shell (ugly!)
  • Open tracker bug and file bugs against all individual packages.
  • Convert all packages, where it makes sense to use polkit, to pkexec.
  • For the unconverted rest, drop the usermode part and recommend to use pkexec on the command line, like sudo is used to run tools.

How to convert

A fast and easy way to convert a former consolehelper program is the use of pkexec.

As an example, we convert system-config-date to PolicyKit:

# ls -l /usr/bin/system-config-date
lrwxrwxrwx 1 root root 13  5. Feb 02:34 /usr/bin/system-config-date -> consolehelper

# rm /usr/bin/system-config-date
# cat /etc/security/console.apps/system-config-date
. config-util
PROGRAM=/usr/share/system-config-date/system-config-date.py
SESSION=true

Ok, running /usr/bin/system-config-date would have executed /usr/share/system-config-date/system-config-date.py, so we create /usr/bin/system-config-date like the following:

# cat /usr/bin/system-config-date
#!/bin/sh
exec /usr/bin/pkexec /usr/share/system-config-date/system-config-date.py

This will not export the DISPLAY variable, so we have to add a policy file, although starting a GUI as root is not encouraged. The important part is: <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

/usr/share/polkit-1/actions/org.fedoraproject.config.date.policy:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>

 <vendor>System Config Date</vendor>
 <vendor_url>http://fedorahosted.org/system-config-date</vendor_url>

 <action id="org.fedoraproject.config.date.pkexec.run">
    <description>Run System Config Date</description>
    <message>Authentication is required to run system-config-date</message>
    <icon_name>system-config-date</icon_name>
    <defaults>
     <allow_any>no</allow_any>
     <allow_inactive>no</allow_inactive>
     <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
 </action>
</policyconfig>

How To Test

# yum remove usermode usermode-gtk

should succeed for an installation with all Fedora packages installed.

# repoquery --whatrequires usermode --whatrequires usermode-gtk
usermode-gtk-....

should not output a single package, except the usermode-gtk package.

Make sure, you can call all the tools, which used to use usermode and be asked the appropriate password.

User Experience

The user should experience no noticeable changes.

Dependencies

  • anaconda
  • audit-viewer
  • authconfig-gtk
  • backintime-gnome
  • backintime-kde
  • beesu
  • bootconf-gui
  • chkrootkit
  • driftnet
  • drobo-utils-gui
  • eclipse-oprofile
  • ejabberd
  • fwfstab
  • galternatives
  • gsmartcontrol
  • hddtemp
  • kdenetwork-kppp
  • kismet
  • liveusb-creator
  • livna-config-display
  • lshw-gui
  • mock
  • mtr-gtk
  • netgo
  • nmap-frontend
  • ntfs-config
  • policycoreutils-gui
  • preupgrade
  • pure-ftpd
  • qtparted
  • realcrypt
  • revisor-cli
  • rhn-setup
  • rhn-setup-gnome
  • sabayon
  • setools-gui
  • setuptool
  • smart-gui
  • subscription-manager-gnome
  • synaptic
  • system-config-audit
  • system-config-bind
  • system-config-boot
  • system-config-date
  • system-config-httpd
  • system-config-kdump
  • system-config-keyboard
  • system-config-language
  • system-config-lvm
  • system-config-network
  • system-config-network-tui
  • system-config-nfs
  • system-config-rootpassword
  • system-config-users
  • system-switch-displaymanager
  • system-switch-java
  • system-switch-mail
  • system-switch-mail-gnome
  • tuned
  • usermode-gtk
  • vpnc-consoleuser
  • wifi-radar
  • wlassistant
  • xawtv
  • yumex
  • zyx-liveinstaller

Contingency Plan

Even, if we cannot drop usermode, the changes in the packages do not have to be reverted.

Documentation

Comments and Discussion