Polkit
| polkit
|
|
|---|---|
 
|
|
| Basic data
|
|
| Maintainer | David Zeuthen |
| developer | Freedesktop.org , Red Hat |
| Current version | 0.116 |
| operating system | Unix-like |
| programming language | C. |
| category | Privilege approval |
| License | GNU Lesser General Public License 2 |
| http://www.freedesktop.org/wiki/Software/polkit | |
polkit (formerly PolicyKit ) is an authorization service on operating systems of the Unix family that allows user software and system components to communicate with one another if the user software is authorized to do so. It is comparable to the “Authorization Services” in Mac OS X and the “ User Account Control ” in Windows systems since Windows Vista .
principle
The system software receives an instruction from user software. To verify that the user software is authorized for this instruction, it asks PolicyKit. The system software uses the answer to decide whether the instruction is to be carried out. PolicyKit grants authorization for system functions. It is able to require authentication of the user for this.
Permissions
It can be set how authorizations are granted by default for each user and each application ( Implicit Authorization ). For each user, local user or active local user, it can be set whether the process should be generally allowed or prohibited, or whether authorization as an administrator or as a separate user with a one-time, process-restricted, session-restricted or unlimited validity is required. Authorizations can be assigned individually for individual users and groups ( Explicit Authorization ). The authorizations can be restricted to certain applications.
Changes in Polkit-1
With the Polkit-1 design, permanent explicit authorizations can be set via the LocalAuthority, while short-term explicit authorizations are granted by the InteractiveAuthority. LocalAuthority reads the authorizations from .pkla files and does not support a restriction to certain executing programs, so this function is no longer available in PolicyKit. What is new, however, is that Unix groups can now also be used as identities instead of just Unix users.
With Polkit-1, the pkexec tool was also added to the framework, which enables commands to be executed as another user. Authorizations can be assigned separately according to the system programs to be executed by creating a PolicyKit method with specification of the program file name for each special program.
In addition, the lockdown method was introduced, which allows a selected Policykit action only after specifying the administrator password and within a local, active session. This enables the administrator to quickly disregard incorrect configurations and to block the action.
criticism
There is an opinion that Polkit does not increase system security . On traditional Unix / Linux systems, X11 is used for the graphical user interface. The xinput utility is used to demonstrate how any program with normal user rights can eavesdrop on all inputs, for example on the keyboard. If users are repeatedly asked by Polkit to enter their password in order to authorize an action, only the probability increases that attackers with malicious software can gain possession of the password.
Web links
- PolicyKit Library Reference Manual
- Centralizing policy rules with PolicyKit
- Git repository of the PolicyKit project (with the option to download software packages)
- Criticism of Polkit and justification for passwordless root access
Individual evidence
- ^ PolicyKit Git COPYING . David Zeuthen. Archived from the original on July 20, 2011. Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. Retrieved August 9, 2009.
