List:       systemd-devel
Subject:    Re: [systemd-devel] Starting transient services securely from other service without root
From:       Vašek Šraier <vaclav.sraier () nic ! cz>
Date:       2022-04-28 17:47:29
Message-ID: c3f93fda269ee22aa33aa407e1bb74d73a4c3b64.camel () nic ! cz


On Thu, 2022-04-28 at 19:53 +0300, Mantas Mikulėnas wrote:
> That didn't stop many of them (including, apparently, systemd itself)
> from doing so anyway.
> 
> [...]
> 
> I found a bugzilla about
> this:  https://bugs.freedesktop.org/show_bug.cgi?id=80921
> 

Interesting. The issue also seems to be quite old, meaning it's probably
not a problem in practice.


I've looked into it further and I've found another roadblock with
polkit. I don't think it is possible to write a rule which would say
something like:

if (action == start transient service &&
   invokedByUser == 'knot-resolver' &&
   the service will have at most these capabilities &&
   the service will run as user 'knot-resolver')
      return YES

The second two quarters of the condition seem impossible. It seems that
only the unit name and a verb (start/stop/...) are provided to the
polkit rule, nothing more:
https://github.com/systemd/systemd/blob/6ef00eb846a89558ad46d2937addd8ea952b7062/src/core/dbus-util.c#L136-L139


So while the rule could allow us to start a new transient service
without root privileges, it wouldn't prevent us from running arbitrary
code as root. :(

Vašek
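The limit described above, as an added example that is not part of the original mail or of the systemd or polkit projects: a polkit rule in the JavaScript rules language, structured so that its decision logic can be exercised outside polkitd. The action id org.freedesktop.systemd1.manage-units and the "unit" and "verb" details are what systemd passes to polkit for unit management requests; the user name "knot-resolver" and the unit-name prefix "knot-resolver-" are hypothetical values chosen for this example. The rule shows the narrowest check that the available details allow (verb plus unit name) and, in the comments, the properties of the transient unit that it cannot see and therefore cannot constrain.

```javascript
// Added example (not from the original mail, systemd or polkit): a polkit rule
// whose decision is factored into decide() so it can be tested outside polkitd.
// Assumed/hypothetical: the user "knot-resolver" and the unit prefix
// "knot-resolver-". ES5 syntax is used deliberately because polkit's rule
// engine does not guarantee newer JavaScript features.

// Action id systemd requests for StartTransientUnit, StartUnit, StopUnit, ...
var MANAGE_UNITS = "org.freedesktop.systemd1.manage-units";

function startsWith(s, prefix) { return s.indexOf(prefix) === 0; }
function endsWith(s, suffix) {
  return s.length >= suffix.length && s.indexOf(suffix, s.length - suffix.length) !== -1;
}

// Mirrors the body of a polkit.addRule() callback.
// `action` offers id and lookup(key); `subject` offers user.
// Returns "yes" to grant, or null to leave the request to other rules.
function decide(action, subject) {
  if (action.id !== MANAGE_UNITS) return null;
  if (subject.user !== "knot-resolver") return null;

  // These two details are the only request-specific data systemd hands to
  // polkit for this action (see the dbus-util.c reference in the thread).
  var unit = action.lookup("unit");
  var verb = action.lookup("verb");

  // Narrowest available check: a fixed verb and a unit-name pattern.
  if (verb === "start" && typeof unit === "string" &&
      startsWith(unit, "knot-resolver-") && endsWith(unit, ".service")) {
    // The gap the thread describes: the transient unit's requested User=,
    // capability bounding set and other properties are not visible here,
    // so this rule cannot constrain what the started unit will run as.
    return "yes";
  }
  return null;
}

// When loaded by polkitd as a rule file (e.g. from /etc/polkit-1/rules.d/),
// register the rule; outside polkitd the `polkit` global does not exist.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    return decide(action, subject) === "yes" ? polkit.Result.YES : undefined;
  });
}

// Constructed stand-in for polkit's action object, for testing the rule.
function fakeAction(id, details) {
  return { id: id, lookup: function (key) { return details[key]; } };
}
```

The check on unit name and verb is real and enforceable; the point of the thread is that it is also the most a rule can enforce, because a request for a unit with an allowed name is granted regardless of the User= or capability settings it carries.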


