
ubuntu-phone team mailing list archive

Current status of policykit on Ubuntu Touch

 

Hi,

My team was asked to look into the security ramifications of the current
policykit situation on Ubuntu Touch. As it stands now: policykit's
allow_active/allow_inactive doesn't work because it can't find the active seat.
To find the active seat, logind needs to be present and for logind to be present
on touch, lightdm needs to land.

Policykit-enabled services that use allow_active/allow_inactive in their policy
will find that the access is denied on touch (unless allow_any is used). This
affected network-manager on Ubuntu Touch, so overrides are now shipped for
network-manager policy (via lxc-android-config). The overrides use
allow_any=true so the phablet user can manipulate network interfaces/etc.
Policykit overrides are only shipped for network-manager and are acceptable for
single-seat installations where it is assumed that the Ubuntu Touch user is the
active user. 13.10 will not support multi-user and things like ssh are disabled
by default.

In terms of click packages, an app's access to DBus is quite limited and it is
not currently allowed to talk to anything that uses policykit (i.e., including
network-manager).

While we of course would prefer allow_active/allow_inactive to work as intended,
considering policykit's default deny behavior, the phone being single seat,
allow_any overrides being limited to only network-manager, the overrides being
acceptable in the single seat scenario, and because click packages can't connect
to policykit-protected services to begin with, we don't feel the security
concerns are blockers for Ubuntu Touch 13.10 release.

Thanks

-- 
Jamie Strandboge                 http://www.ubuntu.com/
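
An added example, not part of the original message and not Ubuntu's own tooling: a small audit over polkit `.policy`-style XML that shows what each action resolves to when the session state is unknown, so that only allow_any applies. The policy text and the `org.example.*` action ids are constructed, and treating an omitted element as "no" is an assumption.

```python
import xml.etree.ElementTree as ET

KEYS = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample; the org.example.* action ids are hypothetical.
SAMPLE_POLICY = """<policyconfig>
 <action id="org.example.net.control"><defaults>
  <allow_any>no</allow_any><allow_inactive>no</allow_inactive><allow_active>yes</allow_active>
 </defaults></action>
 <action id="org.example.net.override"><defaults>
  <allow_any>yes</allow_any><allow_inactive>yes</allow_inactive><allow_active>yes</allow_active>
 </defaults></action>
 <action id="org.example.sys.modify"><defaults>
  <allow_active>auth_admin</allow_active>
 </defaults></action>
</policyconfig>"""

def load_defaults(policy_xml):
    """Map each action id to its three implicit authorizations."""
    actions = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        d = action.find("defaults")
        # Assumption: an omitted element is treated as "no" (default deny).
        actions[action.get("id")] = {
            k: (d.findtext(k, "no").strip() if d is not None else "no")
            for k in KEYS}
    return actions

def effective(defaults, session):
    """session is "active", "inactive", or None when no seat/session is known."""
    key = {"active": "allow_active", "inactive": "allow_inactive"}.get(session, "allow_any")
    return defaults[key]

def audit(policy_xml):
    """Classify each action for a system that cannot determine the active seat."""
    report = {}
    for action_id, d in load_defaults(policy_xml).items():
        unknown, active = effective(d, None), effective(d, "active")
        if unknown == "yes":
            report[action_id] = "open-to-any-subject"
        elif unknown != active:
            report[action_id] = f"degraded: {active} -> {unknown}"
        else:
            report[action_id] = "unchanged"
    return report

if __name__ == "__main__":
    for action_id, status in audit(SAMPLE_POLICY).items():
        print(f"{action_id}: {status}")
```

Actions reported as degraded are the ones that stop working without a detectable active seat; actions reported as open-to-any-subject are the ones to review before multi-user or remote login is enabled.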

