[sf-lug] sudo abuse, suspend/shutdown, and polkit

Rick Moen rick at linuxmafia.com
Mon Feb 18 20:52:48 PST 2019


Quoting Akkana Peck (akkana at shallowsky.com):

> Any suggestions on how to proceed with debugging this polkit stuff?

The following won't help you with the problem cited -- but it's a point
of view.  Please ignore if you _just_ want to debug PolKit problems.


PolKit aka PolicyKit (previous name) is part of a suite of 'desktop'
fundamental software from the Freedesktop.org coders, along with:
udisks2, upower, PolicyKit, ConsoleKit, packagekit, udev, and systemd.
They form an explicit 'desktop stack' that has been urged onto Desktop
Environments and adopted to greater or lesser degrees by many of them.

I consider all of that 'stack' to be trouble, and am trying to have as
little to do with them as possible.  PolKit in particular has been
implemented in many recent incidents when sysadmins have found
themselves forbidden by PolKit to use root privilege for, e.g.,
single-user maintenance mode in a system-recovery situation, because
PolKit decided it didn't like the look of this UID 0 user and refused to 
grant root privilege.  After hearing enough detailed accounts of such
shenanigans from credible people, I decided 'Well, no PolKit, then.'

The central idea of PolKit is to control granting of Unix privilege
according to 'policy', applying its decisions read from JavaScript
'.rules' files and offered up via an authorisation API.  This is in
contrast to the standard Unix model of deriving privilege from
users and groups (along with SUID bits and a few other details).  

The Freedesktop.org people don't think users and groups are a good
enough basis for Unix privilege.  I happen to disagree.

As an exercise, back when Debian 8 'Jessie' was current Stable, I 
created a Web page
(http://linuxmafia.com/faq/Debian/openrc-conversion.html) detailing how
to swap in a different init system for systemd.  It's quite easy, which
was part of my point.  I listed the small number Debian packages nad
metapackages that become uninstallable for reasons of package
dependencies.  I personally wouldn't miss any of those -- and PolKit,
udisks, etc. figured prominently in those package dependency chains.
(What I show on that page is also valid for Debian 9 'squeeze', but
I just haven't updated it, yet.)

And that was the _other_ major point of that page, that, in my opinion
and contrary to what anti-systemd ranters tend to allege, the problem
isn't systemd exactly, but rather a dependency hairball of overly
intrusive Freedesktop.org 'desktop stack' packages of which systemd is
merely one.  So, personally, I opt for 'none of those, if possible'.





More information about the sf-lug mailing list