Features/UsermodeMigration

= Usermode Migration =

Summary
Access control of privileged operations for ordinary users should be handled exclusively by a centrally managed authority.

Usermode/consolehelper should be phased out and be replaced entirely by PolicyKit.

Owner

 * Name: Harald Hoyer
 * Email: harald@redhat.com


 * Name: Kay Sievers
 * Email: kay@redhat.com

Current status

 * Targeted release: Fedora 18
 * Last updated: 2012-04-03
 * Percentage of completion: 20%

Detailed Description
The usermode/consolehelper program is a setuid-root wrapper around a couple of system tools, providing superuser privileges to ordinary users. Its policy is controlled by text files in /etc.

These days, most privileged system operations are already controlled by PolicyKit, a well-established, fine-grained, (possibly) network-transparent service for managing privileged operations by ordinary users. Enterprise environments need to be able to centrally define access control policy for the organization, and automatically apply it to all connected workstations.


 * PolicyKit can be used by privileged processes to decide whether they should execute a privileged operation on behalf of the requesting user. For directly executed tools, PolicyKit provides a setuid-root helper program called pkexec. The hooks for asking the user for authorization are well integrated into text environments and native in all major graphical environments.
 * The concept of a console user (which usermode/consolehelper implements) is no longer a sufficient basis for deriving privileges. PolicyKit authorizations, on the other hand, can properly distinguish between multiple active sessions and seats: e.g. an untrusted user's reboot request is only granted if a single user session is running at that time.

polkit(8) manual page

Benefit to Fedora

 * Consistency of system configuration.
 * Centralization of policy.
 * Cleaner system integration: no implicit interception of tools residing in sbin/ by symlinks in bin/, so behaviour no longer depends on $PATH ordering.
 * No difference regarding the hookup between tools installed in bin/ or sbin/.

Scope

 * Document how to convert consolehelper to PolicyKit:
   * python: put a pkexec invocation in the wrapping shell script
   * C tools: re-exec with pkexec in C code
   * C tools: move original to /usr/lib/ /, and wrap /usr/bin/ with a pkexec shell script (ugly!)
 * File bugs against all individual packages, and add them to tracker bug 502765
 * Convert all packages where it makes sense to use polkit to pkexec.
 * For the unconverted rest, drop the usermode part and recommend to use pkexec on the command line, similar to the usual usage of sudo.

How to Convert
A quick and easy way to convert a former consolehelper program is to use pkexec.

As an example we convert system-config-date to PolicyKit:

  # ls -l /usr/bin/system-config-date
  lrwxrwxrwx 1 root root 13 5. Feb 02:34 /usr/bin/system-config-date -> consolehelper
  # rm /usr/bin/system-config-date
  # cat /etc/security/console.apps/system-config-date
  . config-util
  PROGRAM=/usr/share/system-config-date/system-config-date.py
  SESSION=true

OK, running /usr/bin/system-config-date would have executed /usr/share/system-config-date/system-config-date.py, so we create /usr/bin/system-config-date like the following:

  # cat /usr/bin/system-config-date
  #!/bin/sh
  exec /usr/bin/pkexec /usr/share/system-config-date/system-config-date.py

This will not export the DISPLAY variable, so we have to add a policy file, although starting a GUI as root is not encouraged. The important part is:

  <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>

The complete policy file (the action id was not preserved on this page; org.example.system-config-date below is a placeholder):

  <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
  <policyconfig>
    <vendor>System Config Date</vendor>
    <vendor_url>http://fedorahosted.org/system-config-date</vendor_url>
    <action id="org.example.system-config-date">
      <description>Run System Config Date</description>
      <message>Authentication is required to run system-config-date</message>
      <icon_name>system-config-date</icon_name>
      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>auth_self_keep</allow_active>
      </defaults>
      <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-date/system-config-date.py</annotate>
      <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
  </policyconfig>
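The manual steps above (check the symlink, read PROGRAM= from the console.apps file, replace the symlink with a pkexec wrapper, add a policy file) are the same for every consolehelper-wrapped tool. The following shell script, added here as an example and not code from the Fedora page or from the usermode or polkit projects, automates them for a given tool name. It assumes a ROOT prefix variable (empty for the live system, a scratch directory for testing), that the caller supplies the polkit action id (the page does not give one; org.example.* values are placeholders), and that only tools with SESSION=true get the allow_gui annotation.

```shell
#!/bin/sh
# Added example: generate a pkexec wrapper and a polkit .policy file from an
# existing consolehelper configuration. Not part of the Fedora wiki page.
# All paths are taken relative to $ROOT so the script can be exercised against
# a constructed tree instead of the live system (empty ROOT means the real /).
ROOT="${ROOT:-}"

# ch_get FILE KEY: print the value of KEY=value from a consolehelper config.
# The last assignment wins, which is how consolehelper itself reads the file.
ch_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# convert_consolehelper NAME ACTION_ID
# NAME is the tool in /usr/bin; ACTION_ID is the polkit action id to create
# (assumption: the caller picks it, e.g. org.example.NAME as a placeholder).
convert_consolehelper() {
    name="$1"; action="$2"
    bin="$ROOT/usr/bin/$name"
    cfg="$ROOT/etc/security/console.apps/$name"
    policy="$ROOT/usr/share/polkit-1/actions/$action.policy"

    # Refuse to touch anything that is not a consolehelper symlink, so a real
    # binary in /usr/bin is never overwritten by mistake.
    if [ ! -L "$bin" ] || [ "$(readlink "$bin")" != "consolehelper" ]; then
        echo "$bin is not a consolehelper symlink" >&2
        return 1
    fi

    program="$(ch_get "$cfg" PROGRAM)"
    if [ -z "$program" ]; then
        echo "no PROGRAM= in $cfg" >&2
        return 1
    fi
    # SESSION=true marks a GUI/session tool in consolehelper; only those need
    # pkexec to keep DISPLAY and XAUTHORITY via the allow_gui annotation.
    gui=false
    if [ "$(ch_get "$cfg" SESSION)" = "true" ]; then
        gui=true
    fi

    # Replace the symlink with a wrapper that hands the real program to pkexec.
    rm -f "$bin"
    printf '#!/bin/sh\nexec /usr/bin/pkexec %s "$@"\n' "$program" > "$bin"
    chmod 0755 "$bin"

    # Policy file: exec.path binds the action to exactly this program, and
    # auth_admin_keep requires an administrator's password rather than the
    # caller's own (stricter than the page's auth_self_keep example).
    mkdir -p "$(dirname "$policy")"
    cat > "$policy" <<EOF
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="$action">
    <description>Run $name</description>
    <message>Authentication is required to run $name</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">$program</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">$gui</annotate>
  </action>
</policyconfig>
EOF
}

# Usage: ROOT=/some/prefix sh convert.sh NAME ACTION_ID
if [ $# -ge 2 ]; then
    convert_consolehelper "$1" "$2"
fi
```

Two design points worth noting. The exec.path annotation is what ties the authorization to one specific program; without it the action would authorize any pkexec invocation that names it. And auth_self_keep, as used in the system-config-date example above, lets any user with an active session obtain root by typing their own password, which is why the generated policy defaults to auth_admin_keep and leaves loosening it to a deliberate edit.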

How To Test
  # yum remove usermode usermode-gtk

should succeed for an installation with all Fedora packages installed.

  # repoquery --whatrequires usermode --whatrequires usermode-gtk
  usermode-gtk-....

should not output a single package, except the usermode-gtk package.

Make sure you can call all the tools that used to use usermode and that you are asked for the appropriate authentication.

User Experience
The user should experience no noticeable changes.

Dependencies

 * anaconda
 * audit-viewer
 * authconfig-gtk
 * backintime-gnome
 * backintime-kde
 * beesu
 * bootconf-gui
 * chkrootkit
 * driftnet
 * drobo-utils-gui
 * eclipse-oprofile
 * ejabberd
 * fwfstab
 * galternatives
 * gsmartcontrol
 * hddtemp
 * kdenetwork-kppp
 * kismet
 * liveusb-creator
 * livna-config-display
 * lshw-gui
 * mock
 * mtr-gtk
 * netgo
 * nmap-frontend
 * ntfs-config
 * policycoreutils-gui
 * preupgrade
 * pure-ftpd
 * qtparted
 * realcrypt
 * revisor-cli
 * rhn-setup
 * rhn-setup-gnome
 * sabayon
 * setools-gui
 * setuptool
 * smart-gui
 * subscription-manager-gnome
 * synaptic
 * system-config-audit
 * system-config-bind
 * system-config-boot
 * system-config-date
 * system-config-httpd
 * system-config-kdump
 * system-config-keyboard
 * system-config-language
 * system-config-lvm
 * system-config-network
 * system-config-network-tui
 * system-config-nfs
 * system-config-rootpassword
 * system-config-users
 * system-switch-displaymanager
 * system-switch-java
 * system-switch-mail
 * system-switch-mail-gnome
 * tuned
 * usermode-gtk
 * vpnc-consoleuser
 * wifi-radar
 * wlassistant
 * xawtv
 * yumex
 * zyx-liveinstaller

Contingency Plan
Even if we cannot drop usermode for F18 (because not all packages have been converted), the changes in the already converted packages do not have to be reverted.

Documentation

 * PolicyKit Homepage
 * PolicyKit Documentation
 * Polkit(8) manpage

Comments and Discussion

 * See Talk:Features/UsermodeMigration