Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <aERKro-d7hVgtV4v@remnant.pseudorandom.co.uk>
Date: Sat, 7 Jun 2025 15:20:30 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: HFS+ filesystem implementation
 issues, exposure in distros

On Fri, 06 Jun 2025 at 15:40:20 +0200, Attila Szasz wrote:
>Incidentally, I don't know how active user sessions in polkit and the
>state of being a sudoer vs non-sudoer works when you hook up workstations
>to AD, but it might be interesting.

Active vs. inactive vs. non-local user sessions in polkit are usually 
orthogonal to whether you're root-equivalent, and are orthogonal to 
whether your uid is defined by /etc/passwd or by some remote service.
If you logged in on the console (getty, xdm, gdm or similar) and your 
session is still the one in the foreground (it wasn't put in the 
background by "fast user switching" or Ctrl+Alt+function keys), then you 
are said to have an active local session.

The interesting property of active local sessions in polkit is that by 
default various services let them do certain restricted things in order 
to meet reasonable user expectations, while not being fully 
root-equivalent. For instance unprivileged users are not normally 
allowed to shut down the machine (because that would compromise 
availability), but unprivileged users with an active local session *are* 
allowed to shut down the machine by default (on the assumption that a 
user who is physically in front of the computer could usually equally 
well cause denial of service by pulling the plug, so allowing them to 
shut down gracefully does not make anything worse). This can be 
overridden by local policy (the "pol" in the name polkit); for example 
sysadmins of "kiosk" machines that are physically protected from 
unauthorized disconnection should probably install local policy that 
does not allow active local sessions to shut down.

Similarly, service authors and sysadmins can conditionalize any default 
or non-default policy on whether a user has an active local session, if 
they want to - and it would be technically possible to install a policy 
that makes every active local user root-equivalent (live-boot images 
might potentially want to do this), although that would be an unwise 
thing to do on a general-purpose system.

If a user account's root-equivalence is given by group membership (e.g. 
on Debian, the conventional way to allow privilege elevation to root is 
by giving membership in the sudo group) then the decision to make it 
root-equivalent or not could come from either local configuration, or AD 
or similar remote services. If its root-equivalence comes from some 
other property (e.g. editing /etc/sudoers) then it's more likely to be a 
purely local fact.

     smcv

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.