Author Topic: Policykit, Polkit, ConsoleKit, how to re-configure limited access ? (Solved)  (Read 1023 times)

Offline melodie

  • Hero Member
  • *****
  • Posts: 5942
  • XMMP=Jabber, free instant messaging protocol !
    • PCLinuxOS Fr
Hi,

For the safety of people's and schools' data, in PCLinuxOS Education I have, with some help, done some specific configuration to prevent access to internal partitions. I have been particularly thinking of the fragile NTFS file systems, and how little hands could click on the partition icon in the LiveCD, or the installed Education, with our version of PCManFM, which opens easy access to the inside of the hard drives.

Therefore, in the /etc/PolicyKit/PolicyKit.conf file, for these two lines we usually have:

Quote
<match action="org.freedesktop.hal.storage.mount-fixed">
<return result="yes"/>
</match>
<match action="hal-storage-mount-fixed-extra-options">
<return result="yes" />
</match>


I have replaced "yes" with "auth_admin", which up to now made a window appear prompting for the root password. This was efficient and, in addition, looked quite elegant.
jimwilk confirmed yesterday that it is working in the version which is on my web space: PCLinuxOS Education Version

This does not work anymore in the installed version I have here, after a while with a few updates and reboots, and I can't figure out why, be it looking at the docs, at the different versions of polkit, policykit and so on...

Thanks for helping me fix it, if you can.

Regards,
Mélodie


« Last Edit: August 29, 2011, 12:36:52 PM by melodie »
melodie at swissjabber dot ch - IRC #pclinuxos-fr sur freenode

Offline melodie

Re: Policykit, Polkit, ConsoleKit, how to re-configure limited access ?
« Reply #1 on: August 27, 2011, 07:18:03 AM »
Hi,

I did some tests in the virtual machine. I installed 2 pclos edu: one in French that I updated, and one in English that I didn't update. Anyhow, the update is not large, and does not contain any package that looks like it could interfere (but you never know).

Then I booted the two, one after the other, and to be able to see if I could gain unprivileged access to other partitions, I added 2 other virtual machines to each as slave.

The result is this: at the beginning, I need to enter the root password in the prompted window, and later, I don't get the window that prompts me anymore, in either of the 2 versions: French updated and English not updated.

I then did some research in the PolicyKit docs, and this is what I found so far. Here, I can find the way to revoke authorisations:
http://hal.freedesktop.org/docs/PolicyKit/polkit-auth.1.html
Quote
[--user user] --revoke action
   

Revoke all authorizations for an action. If the user is not specified the calling user is used. The authorization org.freedesktop.policykit.revoke is needed to revoke authorizations from other users.


Here I can see how to list the available actions in the console:

http://hal.freedesktop.org/docs/PolicyKit/polkit-action.1.html

The command "polkit-action" with no argument displays the list of available actions. I didn't get into all the details because I can't grab all this in one shot, and don't need it all now anyway.

Then, I looked a little in other docs too, and reread the PolicyKit.conf doc:
http://hal.freedesktop.org/docs/PolicyKit/PolicyKit.conf.5.html

and saw that another choice than those provided could be made with polkit-1, and not with PolicyKit.conf: I mean there is a value (option? what is the correct name for it?) such as "admin_auth_one_shot", but this belongs to polkit-action. For now, apart from the command line, I didn't find any clue on: "does the command line write it somewhere?" and "in what file does that have to be written and with what syntax?".

Then another page brought me there:
http://hal.freedesktop.org/docs/polkit/pklocalauthority.8.html

and now it looks to me like a big puzzle.

So I invoked in the root console:
Code:
polkit-auth --user school --revoke org.freedesktop.hal.storage.mount-fixed
and the window prompting for the root password was back!

What I want to get is a window prompting for the root password, and never providing the choice to keep an authorization or not: it would be better for the PCLinuxOS Education distribution that the authorization be canceled each time an internal partition is unmounted.

Do you have an idea of the best way to do that?

Thanks,
Mélodie



melodie at swissjabber dot ch - IRC #pclinuxos-fr sur freenode

Offline melodie

Re: Policykit, Polkit, ConsoleKit, how to re-configure limited access ?
« Reply #2 on: August 27, 2011, 07:57:15 AM »
Hi,

I found another place where it needs to be reconfigured, it is the file /usr/share/polkit-1/actions/org.freedesktop.udisks.policy

I changed this:
Quote
  <action id="org.freedesktop.udisks.filesystem-mount-system-internal">
    <description>Mount a system-internal device</description>
    <description xml:lang="da">Montér en intern enhed</description>
    <message>Authentication is required to mount the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at montere et fil system</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

to this:
Quote
  <action id="org.freedesktop.udisks.filesystem-mount-system-internal">
    <description>Mount a system-internal device</description>
    <description xml:lang="da">Montér en intern enhed</description>
    <message>Authentication is required to mount the device</message>
    <message xml:lang="da">Autorisering er påkrævet for at montere et fil system</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>

This file is very interesting. Related to udisks only, it might be what comes next once HAL is no longer used... and I read on the policykit dev list that the newer PolicyKit 0.102, just out, is a pre-version of the 1.0 coming soon.

Now I have rebooted and will try to access partitions with and without privileges, to see how it behaves.

melodie at swissjabber dot ch - IRC #pclinuxos-fr sur freenode
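
As an added example (not part of the original posts, and not PCLinuxOS or polkit project code), the check below parses a polkit-1 `.policy` file and reports every action whose implicit defaults either grant access without a prompt or keep the authorization after a successful prompt, which is the difference between `auth_admin_keep` and `auth_admin` in the change above. The names `audit_policy` and `sample_policy` are hypothetical, and the embedded XML is a constructed sample trimmed from the snippet quoted in the post.

```python
import sys
import xml.etree.ElementTree as ET

# polkit-1 implicit-authorization values that do not force a fresh prompt:
# "yes" never prompts; the "*_keep" values retain the authorization for a
# short period after one successful authentication.
RETAINED = {"yes", "auth_self_keep", "auth_admin_keep"}
FIELDS = ("allow_any", "allow_inactive", "allow_active")
ACTION_ID = "org.freedesktop.udisks.filesystem-mount-system-internal"


def audit_policy(xml_data, action_prefix=""):
    """Return [(action_id, field, value)] for defaults that skip or cache the prompt."""
    findings = []
    root = ET.fromstring(xml_data)
    for action in root.iter("action"):
        action_id = action.get("id", "")
        if not action_id.startswith(action_prefix):
            continue
        defaults = action.find("defaults")
        if defaults is None:
            continue
        for field in FIELDS:
            value = (defaults.findtext(field) or "").strip()
            if value in RETAINED:
                findings.append((action_id, field, value))
    return findings


def sample_policy(allow_active):
    """Constructed sample: one action, with the allow_active value under test."""
    return f"""<policyconfig>
  <action id="{ACTION_ID}">
    <description>Mount a system-internal device</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>{allow_active}</allow_active>
    </defaults>
  </action>
</policyconfig>"""


if __name__ == "__main__":
    # Usage: pass one or more .policy files; with no arguments, audit the sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                for finding in audit_policy(fh.read(), "org.freedesktop.udisks."):
                    print(path, *finding)
    else:
        print(audit_policy(sample_policy("auth_admin_keep")))
```

Run against the files under /usr/share/polkit-1/actions/, an empty result for the mount actions means every mount of an internal partition asks for the password again.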

Offline melodie

Hi,

I found how to do that, and it requires getting a bit into the syntax of the files, so I am planning to write a howto within a few days, when I find some time to learn a few more things.

Regards,
Mélodie

melodie at swissjabber dot ch - IRC #pclinuxos-fr sur freenode