[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PolicyKit and malware, was: What I HATE about F11



> If one application acquires an authorization it automatically authorizes all other
applications running on the same desktop -- and I think that is a
potential attack vector for malware.

maybe this is about sudo and a like things

but PolicyKit is designed AFAIK to be much fine grained, it does not
give privileges to entire applications, for example I can grant
system-config-something the right to write some file this does not
mean that I grant it other rights

http://hal.freedesktop.org/docs/PolicyKit/polkit-spec-history.html
http://hal.freedesktop.org/docs/PolicyKit/intro-define-problem.html
http://hal.freedesktop.org/docs/PolicyKit/model.html

and from the last one we read <<EOQ

PolicyKit assumes a model where a program is split into two parts. One
part, the Mechanism, runs privileged (with no user interface elements)
and the other part, the policy agent, runs unprivileged. The two parts
of the program are in different processes and communicate through some
IPC mechanism such as pipes or the system message bus (D-Bus). In some
instances the Mechanism can be considered part of the core OS and the
policy agent part of the desktop stack.

EOQ

for example when I double click on some partition on the harddisk I'll
be asked for the password, this does not mean that nautilus or
whatever is privileged


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]