Main Inclusion Report for policykit


  1. Availability: available for all supported architectures

  2. Rationale:

    • We are moving our Gnome desktop security model from gksu to PolicyKit. This provides more fine-grained privilege control.

    • Upstream Gnome is starting to use it heavily, too.
    • This allows us to get rid of the home-grown libpam-foreground, the associated Ubuntu patches in gnome-power-manager, gnome-volume-manager, etc., and enforce the 'foreground session only' policy properly.
  3. Security:

    • No CVE entries (but it is a relatively young product)

    • No Secunia history

    • UI code etc. runs as user; /usr/lib/policykit/polkit-grant-helper-pam is a suid root application which can only be called by the policykit daemon and which calls PAM for password verification. This particular suid helper is very small and auditable and does not use dangerous C operations (MartinPitt checked).

    • Using PK in applications like gnome-mount or gnome-system-tools removes the security boundary which running through sudo provides. Those applications should be installed in a way to make them not ptrace()able, such as installing them sgid noptrace and dropping the extra group immediately on program start. (Note: any attempt to disable ptrace within the program itself is subject to race conditions and can be easily defeated.)

    • Client programs request privileges through a slim DBUS API.
    • No network activity.
    • No large-scale source code review performed yet.
  4. Quality assurance:

    • Package needs to be integrated into hal and Gnome desktop. No user-side configuration is necessary.
    • No debconf questions.
    • Debian bugs: Two minor documentation bugs, nothing else. (But the package is still quite new.)

    • Maintenance in Debian is vigorous, from the pkg-utopia maintenance team which has been known to do a great job for a long time already.

    • Upstream is vigorous; the package is used in Fedora Core 8, and David Zeuthen and other Fedora developers are maintaining it actively in conjunction with hal and ConsoleKit.

    • Upstream bug tracker: two handfuls of build issues and minor bugs, nothing too worrying

    • Does not deal with any special hardware.
  5. Standards compliance:

  6. Dependencies: Nothing special, all in main.
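
The "install sgid noptrace and drop the extra group on program start" arrangement from the Security item above, as an added sketch (not PolicyKit or Ubuntu code; the function names are hypothetical). It assumes Linux with the default fs.suid_dumpable=0, where exec of a set-id binary clears the process's dumpable flag, so the ptrace protection is already in place before the program's first instruction and there is no in-program window to race.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/prctl.h>

/* Drop the group gained from the sgid bit (e.g. "noptrace") for good.
 * Real, effective and saved gid are all set to the real gid, so the
 * extra group cannot be regained later. Returns 0 on success, -1 on error. */
int drop_sgid_group(void)
{
    gid_t rgid = getgid();
    gid_t r, e, s;

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Verify instead of trusting the call: all three ids must match. */
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    if (r != rgid || e != rgid || s != rgid)
        return -1;
    return 0;
}

/* 0 = not dumpable (same-uid ptrace attach refused), 1 = dumpable,
 * -1 = prctl failed. Assumption: when installed sgid this reports 0,
 * because the kernel cleared the flag at exec, not because we asked. */
int is_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    /* Must be the very first action, before any toolkit or D-Bus init. */
    if (drop_sgid_group() != 0) {
        perror("drop_sgid_group");
        return EXIT_FAILURE;
    }
    printf("egid=%d dumpable=%d\n", (int)getegid(), is_dumpable());
    /* ... the application proper would start here ... */
    return EXIT_SUCCESS;
}
```

Run unprivileged and without the sgid bit, the program reports dumpable=1; a packaging check can compare that against the installed sgid binary to confirm the protection is actually in effect.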


MartinPitt: approved

MainInclusionReportPolicyKit (last edited 2008-08-06 16:32:14 by localhost)