/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow for easy escalation to root in AppVM #202

Closed
marmarek opened this Issue Mar 8, 2015 · 9 comments

Comments

Assignees

@marmarek marmarek

Labels
Projects
None yet
Milestone
  Release 1 Beta 2
2 participants
@marmarek @rootkovska
@marmarek
Member

marmarek commented Mar 8, 2015

Reported by joanna on 6 Apr 2011 13:30 UTC
Should work for:

  • sudo bash
  • system-config-date

Add explanation why this is a good idea and not a security breach.

Migrated-From: https://wiki.qubes-os.org/ticket/202

@marmarek marmarek assigned rootkovska Mar 8, 2015

@marmarek marmarek added this to the Release 1 Beta 1 milestone Mar 8, 2015

@marmarek marmarek added bug C: core P: major labels Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by marmarek on 6 Apr 2011 14:06 UTC
Member

marmarek commented Mar 8, 2015

Modified by marmarek on 6 Apr 2011 14:06 UTC

@marmarek marmarek assigned marmarek and unassigned rootkovska Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 6 Apr 2011 21:06 UTC
http://git.qubes-os.org/gitweb/?p=marmarek/core.git;a=commit;h=8047ec780a44c6b538b412e0173152045ab82191
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 6 Apr 2011 21:06 UTC
http://git.qubes-os.org/gitweb/?p=marmarek/core.git;a=commit;h=8047ec780a44c6b538b412e0173152045ab82191

@marmarek marmarek closed this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 6 Apr 2011 21:48 UTC
This doesn't work for gpk-application, one of the most important app on a templateVM...

When I open gpk-aplication and then choose "Refresh package list" from the menu, it throws an authorization failure message.

Interestingly e.g. system-config-date works just fine.
Member

marmarek commented Mar 8, 2015

Comment by joanna on 6 Apr 2011 21:48 UTC
This doesn't work for gpk-application, one of the most important app on a templateVM...

When I open gpk-aplication and then choose "Refresh package list" from the menu, it throws an authorization failure message.

Interestingly e.g. system-config-date works just fine.

@marmarek marmarek reopened this Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 7 Apr 2011 22:50 UTC
This requires forcing ConsoleKit to think that our X session is local.
Perhaps implement own ck-xinit-session?
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 7 Apr 2011 22:50 UTC
This requires forcing ConsoleKit to think that our X session is local.
Perhaps implement own ck-xinit-session?
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 7 Apr 2011 22:53 UTC
When done - remove workaround for nm-applet (/etc/dbus-1/system.d/qubes-nm-applet.conf and sed on /usr/share/polkit-1/actions/...)
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 7 Apr 2011 22:53 UTC
When done - remove workaround for nm-applet (/etc/dbus-1/system.d/qubes-nm-applet.conf and sed on /usr/share/polkit-1/actions/...)
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by joanna on 7 Apr 2011 23:03 UTC
Member

marmarek commented Mar 8, 2015

Modified by joanna on 7 Apr 2011 23:03 UTC

@marmarek marmarek modified the milestones: Release 1 Beta 2, Release 1 Beta 1 Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Modified by joanna on 17 Apr 2011 16:07 UTC
Member

marmarek commented Mar 8, 2015

Modified by joanna on 17 Apr 2011 16:07 UTC

@marmarek marmarek added enhancement and removed bug labels Mar 8, 2015

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 29 Apr 2011 10:33 UTC
ck-xinit-session-qubes does the work - ConsoleKit session is set up properly as "local" and "active". I've removed workaround for nm-applet. For other applications which asks for root password, we should remove root password.

Unfortunately polkit-gnome-authentication-agent is still needed, just to (automatically) respond with empty password... When user tries to do some privileged task (i.e. install package), password prompt shows for a (almost unnoticeable) moment.
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 29 Apr 2011 10:33 UTC
ck-xinit-session-qubes does the work - ConsoleKit session is set up properly as "local" and "active". I've removed workaround for nm-applet. For other applications which asks for root password, we should remove root password.

Unfortunately polkit-gnome-authentication-agent is still needed, just to (automatically) respond with empty password... When user tries to do some privileged task (i.e. install package), password prompt shows for a (almost unnoticeable) moment.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by marmarek on 12 May 2011 17:24 UTC
http://git.qubes-os.org/gitweb/?p=marmarek/core.git;a=commit;h=bb073c3cdb91775eef966d8bc4f9d4299da7f9ca
Member

marmarek commented Mar 8, 2015

Comment by marmarek on 12 May 2011 17:24 UTC
http://git.qubes-os.org/gitweb/?p=marmarek/core.git;a=commit;h=bb073c3cdb91775eef966d8bc4f9d4299da7f9ca

@marmarek marmarek closed this Mar 8, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment